Multiple vulnerabilities in Pico Server (pServ) v3.3

2005-06-12T00:00:00
ID SECURITYVULNS:DOC:8839
Type securityvulns
Reporter Securityvulns
Modified 2005-06-12T00:00:00

Description

             Multiple vulnerabilities in Pico Server (pServ) v3.3

                             discovered by Raphaël Rigo

Product:              Pico Server (pServ)
Affected Version:     3.3 (verified), <=3.3 probably too
Not affected Version: 3.4
OS affected:          all
Risk:                 critical
Remote Exploit:       yes
URL:                  http://pserv.sourceforge.net/

Overview

Pico Server is a small web server. It is meant to be portable and configurable.
 * small, portable
 * fast
 * CGI-BIN support
 * auto-indexing of directories
 * access and error logging (see p-reporter for an analyser)
 * forking or single-connection at choice

Pico Server (pServ) is written in portable C (K&R style, so it compiles on older compilers too) and offers several options which, by means of #define statements, customize its behaviour, performance and feature set so that it can better fit the requirements.

Vulnerabilities

     1) Directory traversal

     A bug in the directory parsing code allows the attacker to access any
     directory the server has the right to access.

     Details :
     pServ computes the depth of the directory the user tries to access in the
     variable named depthCount. This count is decreased when a /../ is
     encountered but, unfortunately, it is also increased when a /./ is
     encountered, so the attacker can pair a /./ with each /../ to keep
     depthCount from ever becoming negative.

     Risk : HIGH
     The attacker may gain important information about the system that could
     lead to other attacks.

     Proof of concept :
     access : http://www.example.com/./../

     Workaround :
     There is no workaround for this vulnerability.

     Solution :
     Update to v3.4

     -----------------------------------------------------------------------

     2) Remote command execution

     The directory traversal vulnerability described above also enables
     remote command execution. This may help an attacker to compromise the
     server.

     Details :
     pServ treats every request beginning with /cgi-bin/ as a script
     execution, so the traversal described above lets the request name a
     binary outside the cgi-bin directory as the "script" to run.

     Risk : CRITICAL
     The attacker may use this vulnerability to destroy data or for other
     attacks (e.g. use wget to download root exploits).

     Proof of concept :
     access : http://www.example.com/cgi-bin/./.././../usr/bin/ls

     Workaround :
     Disable cgi-bin support at compile time.

     Solution :
     Update to v3.4
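     The root cause shared by issues 1 and 2 is that a "." component is
     credited as extra depth. The following is an added example, not pServ's
     code, of a component-walking normalizer that drops "." without changing
     depth and rejects any ".." that would pop past the root. The limit name
     MAX_REQ_PATH and the helper functions are constructed for this example;
     the two traversal strings it is run against are the advisory's own
     proof-of-concept paths, the remaining inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Longest request path accepted; constructed limit matching the 2048-byte
 * maximum request length the advisory quotes. */
#define MAX_REQ_PATH 2048

/*
 * Canonicalize an absolute request path.  Returns 1 and writes the normalized
 * form ("/a/b") to `out` when the path stays inside the document root; returns
 * 0 when it is malformed, too long, does not fit in `out`, or climbs above the
 * root.  "." is dropped without touching depth, ".." pops one component, and
 * popping an empty stack is the escape a per-"/./" counter increment misses.
 */
int normalize_path(const char *in, char *out, size_t outlen)
{
    const char *seg_start[MAX_REQ_PATH / 2 + 1]; /* at most one segment per 2 bytes */
    size_t seg_len[MAX_REQ_PATH / 2 + 1];
    size_t nsegs = 0, used = 0, i;
    const char *p;

    if (in == NULL || out == NULL || in[0] != '/' || strlen(in) > MAX_REQ_PATH)
        return 0;

    for (p = in; *p != '\0'; ) {
        const char *start;
        size_t len;

        while (*p == '/')                 /* collapse runs of slashes */
            p++;
        if (*p == '\0')
            break;
        start = p;
        while (*p != '\0' && *p != '/')
            p++;
        len = (size_t)(p - start);

        if (len == 1 && start[0] == '.')
            continue;                     /* ".": same directory, depth unchanged */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (nsegs == 0)
                return 0;                 /* ".." at the root: traversal attempt */
            nsegs--;
            continue;
        }
        seg_start[nsegs] = start;
        seg_len[nsegs] = len;
        nsegs++;
    }

    /* Rebuild the canonical path from the surviving components. */
    for (i = 0; i < nsegs; i++) {
        if (used + 1 + seg_len[i] + 1 > outlen)
            return 0;                     /* no room, terminator included */
        out[used++] = '/';
        memcpy(out + used, seg_start[i], seg_len[i]);
        used += seg_len[i];
    }
    if (used == 0) {
        if (outlen < 2)
            return 0;
        out[used++] = '/';
    }
    out[used] = '\0';
    return 1;
}

/* Wrappers that expose the verdict as a plain return value. */
int path_stays_in_root(const char *in)
{
    char out[MAX_REQ_PATH + 1];
    return normalize_path(in, out, sizeof out);
}

int path_normalizes_to(const char *in, const char *expected)
{
    char out[MAX_REQ_PATH + 1];
    return normalize_path(in, out, sizeof out) && strcmp(out, expected) == 0;
}

int main(void)
{
    /* Constructed requests plus the advisory's two proof-of-concept paths. */
    const char *samples[] = {
        "/index.html", "/cgi-bin/./test.cgi", "/docs/../images/logo.png",
        "/./../", "/cgi-bin/./.././../usr/bin/ls",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char out[MAX_REQ_PATH + 1];
        if (normalize_path(samples[i], out, sizeof out))
            printf("ACCEPT %-32s -> %s\n", samples[i], out);
        else
            printf("REJECT %s\n", samples[i]);
    }
    return 0;
}
```

     Rejecting at the root rather than clamping the depth to zero matters:
     a request that tried to leave the root is worth logging as a probe, and
     a clamped path would silently serve the root instead.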

     -----------------------------------------------------------------------

     3) Multiple heap overflows in cgi execution

     The lack of bounds checking for cgi arguments allows an attacker to
     overflow the allocated memory, possibly allowing for remote code
     execution.

     Details :
     Each argument is allocated a buffer of size MAX_PATH_LEN (128 on Linux),
     but the attacker is only limited by the maximum request length (2048).
     The malloc'ed buffer can therefore be overflowed.

     Risk : HIGH
     Successful exploitation can lead to arbitrary code execution.

     Workaround :
     Disable cgi-bin support at compile time.

     Solution :
     Update to v3.4
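     The defect is a fixed-size heap buffer filled from an input whose length
     is bounded only by the request. The following is an added example, not
     pServ's code, of argument handling that checks the length against
     MAX_PATH_LEN before allocating and fails the whole request on any
     oversized argument. The constants MAX_PATH_LEN (128) and MAX_REQUEST_LEN
     (2048) are the values the advisory quotes; MAX_ARGS, the '&' separator
     and the function names are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PATH_LEN    128   /* per-argument buffer size the advisory quotes (Linux) */
#define MAX_REQUEST_LEN 2048  /* maximum request length the advisory quotes */
#define MAX_ARGS        32    /* constructed cap for this example */

struct cgi_args {
    char *v[MAX_ARGS];
    int n;
};

/*
 * Copy one argument into a fresh MAX_PATH_LEN buffer.  The length check is
 * the missing piece in the pattern the advisory describes: the buffer is
 * fixed while the argument may be as long as the whole request, so the copy
 * is refused up front instead of running past the allocation.  Returns NULL
 * when the argument does not fit, terminator included.
 */
static char *copy_cgi_arg(const char *s, size_t len)
{
    char *buf;

    if (len >= MAX_PATH_LEN)
        return NULL;
    buf = malloc(MAX_PATH_LEN);
    if (buf == NULL)
        return NULL;
    memcpy(buf, s, len);
    buf[len] = '\0';
    return buf;
}

void free_cgi_args(struct cgi_args *a)
{
    int i;
    for (i = 0; i < a->n; i++)
        free(a->v[i]);
    a->n = 0;
}

/*
 * Split `query` on '&' into bounded argument buffers.  Returns the argument
 * count, or -1 when the request is too long, has too many arguments, or any
 * single argument would overflow its MAX_PATH_LEN buffer.  On -1 nothing is
 * left allocated, so the caller can simply fail the request.
 */
int parse_cgi_args(const char *query, struct cgi_args *a)
{
    const char *p = query;

    a->n = 0;
    if (query == NULL || strlen(query) > MAX_REQUEST_LEN)
        return -1;

    while (*p != '\0') {
        const char *end = strchr(p, '&');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char *copy;

        if (a->n >= MAX_ARGS || (copy = copy_cgi_arg(p, len)) == NULL) {
            free_cgi_args(a);
            return -1;
        }
        a->v[a->n++] = copy;
        if (end == NULL)
            break;
        p = end + 1;
    }
    return a->n;
}

/* Parse and discard, returning only the verdict. */
int count_cgi_args(const char *query)
{
    struct cgi_args a;
    int n = parse_cgi_args(query, &a);
    free_cgi_args(&a);
    return n;
}

/* Constructed 300-byte argument: well under the request limit, far over
 * MAX_PATH_LEN.  Returns 1 when the parser refuses it. */
int oversized_arg_is_rejected(void)
{
    char query[301];
    memset(query, 'A', 300);
    query[300] = '\0';
    return count_cgi_args(query) == -1;
}

int main(void)
{
    struct cgi_args a;
    int i, n = parse_cgi_args("name=alice&lang=c", &a);  /* constructed input */
    printf("accepted %d argument(s)\n", n);
    for (i = 0; i < n; i++)
        printf("  [%d] %s\n", i, a.v[i]);
    free_cgi_args(&a);
    printf("300-byte argument rejected: %s\n", oversized_arg_is_rejected() ? "yes" : "no");
    return 0;
}
```

     Checking `len >= MAX_PATH_LEN` (not `>`) reserves the byte for the
     terminator, which is the off-by-one that a fixed-size copy most often
     gets wrong even after a length check is added.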

     -----------------------------------------------------------------------

Timeline

2005-05-18  Discovery
2005-05-19  First attempt to contact developer
2005-05-21  Second attempt
2005-05-22  Developer reply
2005-06-11  Fixed version 3.4 released and advisory published