####################################################################### Luigi Auriemma Application: Savant webserver (http://savant.sourceforge.net) Version: 3.1 and possibly previous versions Bug: Buffer overflow in cgitest, crash with negative Content-Length and bad chars usage between medium and high) Date: 13 Sep 2002 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Savant webserver is an OpenSource webserver that runs on Win32. It's a very interesting server but has some security issues a lot being old unpatched bugs. One of these, for example, is a directory traversal bug that has been founded on 2.1 version but seems to still exist on this 3.1 (over a year ago!). Unfortunately I have contacted the vendor two times from August the 23rd but I have not yet received a response. ####################################################################### ====== 2) Bug ====== A] Cgitest.exe overflow ----------------------- The cgitest.exe program that is inserted by default in the cgi-bin directory is vulnerable to a buffer-overflow. The limit of acceptable characters is 128 so we need to send only 136 bytes for overwrite EBP and EIP registers and crash the server. I don't think is possible to write a good shellcode in this case because the bytes that go into the stack are few, however an interesting and simple thing is to point the EIP register to KERNEL32.DLL->ReadFile, because the server will crash totally and the administrator will get a nice blue screen (tested on Win9x). During the blue screen the port 80 will stay opened but the server will not answers to client requests. B] Content-Length crash ----------------------- A nice DoS is the negative Content-Length value. The value that Savant waits from the user is an integer and when the attacker sends a negative number the server will crash. However until the Windows error message is not acknowledged the server will continue to run without problems. C] Authorization bypassing -------------------------- Uhmm the usual Win32 API problem is again our best friend and this time it gives us access to all of the user folders in Savant server. So adding the chars ' ' (%20) and '.' (%2e) at the end of the filename requested we will gain full access to the password protected folders. The other good news is that the limit of the network class is authorized to access to the folder can be bypassed without problems with this method (so if the admin has a set class D only access, the attacker with any IP have full access without respecting this limit). Note: if we want to use the space (' ') char, we must add also the '/' char after it. ####################################################################### =========== 3) The Code =========== A] Cgitest.exe overflow ----------------------- Check my web page for a tiny example that causes a blue screen and server crash (so crash all the server and not only the single connection). I have simply written the EIP 00409430 (that point to KERNEL32.DLL->ReadFile but you can use KERNEL32.DLL->WriteFile too) for having a bad DoS that crashes the server and give blue screen. Usage: nc 80 -v -v -n < savant-cgitest.txt http://aluigi.org/poc/savant-cgitest.txt B] Content-Length crash ----------------------- GET / HTTP/1.0 Content-Length: -1 C] Authorization bypassing -------------------------- http://host/password_folder. "GET /password_folder / HTTP/1.0" <-- use with telnet http://host/password_folder%2e http://host/password_folder%20 ####################################################################### ====== 4) Fix ====== No fix available. Check the Savant website for updates: http://savant.sourceforge.net #######################################################################