hello,

Advisory for ADA Image Server (ImgSvr) 0.4.

ADA Image Server (ImgSvr) 0.4 Multiple vulnerabilities

Release Date: April 3, 2004
Severity: High (Remote Code Execution)
Vendor: sourceforge.net/projects/adaimgsvr/
Services Affected: http service (1234)

Description of the product:

ADA Image Server is an embedded web server that is specialized in photo album publishing. This image server provides HTTP access to image content. It generates dynamic pages from a standard directory-based hierarchy and manages thumbnails and metadata.

Vulnerabilities:

1) Buffer overflow in Get / request
2) Directory Traversal vulnerabilities
3) List directories outside WWW root
4) DoS attack

Technical Description:

Some days ago I discovered some critical vulnerabilities in ADA Image Server (ImgSvr) 0.4 that may allow an unauthorized user to execute arbitrary code and read sensitive files on the system.

1. Buffer overflow in Get / request

There is a buffer overflow in ADA image server when you send a GET request followed by 2.112 characters. A cracker may exploit this vulnerability to make your web server crash continually or even execute arbitrary code on your system.

Get /[2.112 chars] http/1.0

2. Directory Traversal vulnerabilities

The problem happens when the attacker uses the pattern "%2f%2e%2e%2f", which deceives the checks and allows him to see and download any file on the remote system, provided he knows the path.

http://[host]:1234/%2f%2e%2e%2f%2f%2e%2e%2f%2f%2e%2e%2f%2f%2e%2e%2f%2f%2e%2e%2fboot.ini

3. There is a third problem that allows a remote user to list any directory outside WWW home.

e.g. http://[host]:1234/%2f%2e%2e%2f%2f%2e%2e%2f/

4. Some days ago another bug had been published that allowed a remote user to view the content of the www directory by supplying a "%00".

Using this bug we can crash the server remotely by typing this:

http://127.0.0.1:1234/%00/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe
/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe
/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/

Workaround:

Use another product.

Pr00f of concept code:

sorry, nothing at the moment but some pr00f of concept exploit may emerge soon.

Credit:

Dr_insane
Http://members.lycos.co.uk/r34ct/

Feedback

Please send your comments to: dr_insane@pathfinder.gr
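
The request-target handling that would reject the four patterns above, as an added example (not ImgSvr code and not from the advisory's author). It assumes the bypassed check looked for ".." before percent-decoding, which the advisory does not state; naive_is_safe, resolve_target, MAX_TARGET_LEN and the sample targets are constructed for illustration.

```python
from urllib.parse import unquote

MAX_TARGET_LEN = 1024  # assumed cap; choose one below the server's fixed buffer sizes


def naive_is_safe(raw_target):
    """Flawed order (assumed): looks for '..' segments BEFORE percent-decoding."""
    return "/../" not in raw_target and "\\..\\" not in raw_target


def resolve_target(raw_target, max_len=MAX_TARGET_LEN):
    """Return a normalised root-relative path, or None if the target is rejected."""
    if len(raw_target) > max_len:          # oversized request line (issue 1)
        return None
    path = unquote(raw_target.split("?", 1)[0])   # decode exactly once, then check
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in path):
        return None                        # %00 and other control bytes (issue 4)
    path = path.replace("\\", "/")         # Windows accepts both separators
    if ":" in path:                        # drive letters / alternate data streams
        return None
    segments = [s for s in path.split("/") if s not in ("", ".")]
    if ".." in segments:                   # traversal and listing (issues 2 and 3)
        return None
    return "/" + "/".join(segments)


# Constructed sample targets modelled on the patterns quoted in the advisory.
SAMPLES = {
    "album": "/holiday/img_001.jpg",
    "traversal": "/%2f%2e%2e%2f%2f%2e%2e%2f%2f%2e%2e%2fboot.ini",
    "listing": "/%2f%2e%2e%2f%2f%2e%2e%2f/",
    "nul": "/%00/imgsvr.exe/imgsvr.exe/",
    "long": "/" + "A" * (MAX_TARGET_LEN + 1),
}

if __name__ == "__main__":
    for name, target in SAMPLES.items():
        shown = target if len(target) < 60 else target[:20] + "..."
        print(f"{name:10} naive={naive_is_safe(target)!s:5} "
              f"resolved={resolve_target(target)!r}  {shown}")
```

The returned path should still be joined to the web root and compared against the root's canonical form before any file is opened, so that links inside the root cannot lead outside it.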