Multiple vulnerabilities in Pico Server (pServ) v3.3
discovered by Raphaël Rigo
Product: Pico Server (pServ)
Affected Version: 3.3 (verified), <=3.3 probably too
Not affected Version: 3.4
OS affected: all
Risk: critical
Remote Exploit: yes
URL: http://pserv.sourceforge.net/
Overview
========
Pico Server is a small web server. It is meant to be portable and configurable.
* small, portable
* fast
* CGI-BIN support
* auto-indexing of directories
* access and error logging (see p-reporter for an analyser)
* forking or single-connection at choice
Pico Server (pServ) is written in portable C (K&R style so it can compile on
older compilers too) and sports several options that, by means of #define
statements, can customize the behaviour, the performance and the feature set
so as to fit the requisites better.
Vulnerabilities
===============
1) Directory traversal
A bug in the directory parsing code allows the attacker to access any
directory the server has the right to access.
Details :
pServ computes the depth of the directory the user tries to access in the
variable named depthCount. This count is decremented when a /../ is
encountered; unfortunately, it is also incremented when /./ is
encountered, allowing the attacker to use one /./ for each /../ to keep
depthCount from ever becoming negative.
Risk : HIGH
The attacker may gain important information about the system that could
lead to other attacks.
Proof of concept :
access : http://www.example.com/./../
Workaround :
There is no workaround for this vulnerability.
Solution :
Update to v3.4
-----------------------------------------------------------------------
2) Remote command execution
The directory traversal vulnerability described above also enables
remote command execution. This may help an attacker to compromise the
server.
Details :
pServ considers every request beginning with /cgi-bin/ as a script execution.
Risk : CRITICAL
The attacker may use this vulnerability to destroy data or for other
attacks (e.g. use wget to download root exploits).
Proof of concept :
access : http://www.example.com/cgi-bin/./.././../usr/bin/ls
Workaround :
Disable cgi-bin support at compile time.
Solution :
Update to v3.4
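The following C example is added to this advisory to illustrate both the flawed
depth counting described in section 1 and the path handling that prevents it
(and therefore also the /cgi-bin/ case in section 2). It is not pServ's code:
naive_depth_ok is a reconstruction of the behaviour the advisory describes
(assumption), and safe_normalize, MAX_SEGMENTS and the function names are
assumed for illustration. The normaliser resolves "." and ".." per segment and
refuses any path that would climb above the document root, so the two
proof-of-concept URLs above are rejected.

```c
/* Added example, not pServ's code. naive_depth_ok reconstructs the depth
 * counter the advisory describes (assumption); safe_normalize is a
 * segment-based normaliser that refuses to climb above the root. */
#include <stdio.h>
#include <string.h>

#define MAX_SEGMENTS 64   /* assumed limit for the example */

/* Reconstructed from the advisory: every segment, including ".", adds one,
 * ".." subtracts one, and the path is rejected only if the count ever goes
 * negative. "/./../" therefore passes, which is the bug. */
int naive_depth_ok(const char *path)
{
    int depth = 0;
    const char *p = path;
    while (*p) {
        const char *start;
        size_t len;
        while (*p == '/') p++;
        if (!*p) break;
        start = p;
        while (*p && *p != '/') p++;
        len = (size_t)(p - start);
        if (len == 2 && start[0] == '.' && start[1] == '.')
            depth--;
        else
            depth++;            /* "." counted as a real directory */
        if (depth < 0) return 0;
    }
    return 1;
}

/* Normalise path into out (size outsz) as "/seg/seg". Returns 1 on success,
 * 0 if the path would escape the root, has too many segments, or does not
 * fit in out. "." is dropped and ".." pops the previous real segment. */
int safe_normalize(const char *path, char *out, size_t outsz)
{
    const char *segs[MAX_SEGMENTS];
    size_t lens[MAX_SEGMENTS];
    int n = 0, i;
    size_t used = 0;
    const char *p = path;

    while (*p) {
        const char *start;
        size_t len;
        while (*p == '/') p++;
        if (!*p) break;
        start = p;
        while (*p && *p != '/') p++;
        len = (size_t)(p - start);
        if (len == 1 && start[0] == '.')
            continue;                        /* "." changes nothing */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (n == 0) return 0;            /* would climb above the root */
            n--;
            continue;
        }
        if (n == MAX_SEGMENTS) return 0;
        segs[n] = start;
        lens[n] = len;
        n++;
    }

    if (n == 0) {
        if (outsz < 2) return 0;
        strcpy(out, "/");
        return 1;
    }
    for (i = 0; i < n; i++) {
        if (used + 1 + lens[i] + 1 > outsz) return 0;
        out[used++] = '/';
        memcpy(out + used, segs[i], lens[i]);
        used += lens[i];
    }
    out[used] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed inputs: the two proof-of-concept paths from the advisory. */
    const char *pocs[] = { "/./../", "/cgi-bin/./.././../usr/bin/ls" };
    char buf[256];
    int i;
    for (i = 0; i < 2; i++)
        printf("%-32s naive=%d safe=%d\n", pocs[i],
               naive_depth_ok(pocs[i]), safe_normalize(pocs[i], buf, sizeof buf));
    return 0;
}
```

Both proof-of-concept paths are accepted by the naive counter and rejected by
the normaliser; the normalised string is what should be joined to the document
root before any file or /cgi-bin/ dispatch is attempted.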
-----------------------------------------------------------------------
3) Multiple heap overflows in cgi execution
The lack of bounds checking for cgi arguments allows an attacker to
overflow the allocated memory, possibly allowing for remote code
execution.
Details :
Each argument is allocated a buffer of size MAX_PATH_LEN (128 on Linux)
but the attacker is only limited by the maximum request length (2048).
The malloc'ed buffer can therefore be overflowed.
Risk : HIGH
Successful exploitation can lead to arbitrary code execution.
Workaround :
Disable cgi-bin support at compile time.
Solution :
Update to v3.4
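The following C example is added to this advisory, and is not pServ's code, to
show the bounds check section 3 says is missing: each CGI argument is copied
into a malloc'ed buffer of MAX_PATH_LEN bytes only after its length has been
checked against that buffer, and a request carrying an over-long argument is
rejected as a whole. MAX_PATH_LEN (128) and the request limit (2048) are the
values the advisory gives; copy_arg, parse_cgi_args, MAX_ARGS and the '&'
splitting are assumed for illustration.

```c
/* Added example, not pServ's code: bounded copies of CGI arguments into
 * fixed-size heap buffers. Names and the '&' splitting are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PATH_LEN 128   /* per-argument buffer size (Linux value from the advisory) */
#define MAX_REQ_LEN  2048  /* maximum request length from the advisory */
#define MAX_ARGS     16    /* assumed argument limit for the example */

/* Copy len bytes of start into a fresh MAX_PATH_LEN buffer.
 * Returns NULL, instead of overflowing, when the argument does not fit. */
char *copy_arg(const char *start, size_t len)
{
    char *buf;
    if (len >= MAX_PATH_LEN)   /* no room for the terminator: reject */
        return NULL;
    buf = malloc(MAX_PATH_LEN);
    if (!buf)
        return NULL;
    memcpy(buf, start, len);
    buf[len] = '\0';
    return buf;
}

void free_cgi_args(char **args, int n)
{
    while (n > 0)
        free(args[--n]);
}

/* Split the query part of a request on '&' into bounded copies.
 * Returns the number of arguments stored in args, or -1 (with nothing
 * left allocated) if the request is too long, has too many arguments,
 * or any single argument exceeds MAX_PATH_LEN - 1 bytes. */
int parse_cgi_args(const char *query, char **args, int max_args)
{
    int n = 0;
    const char *p = query;

    if (strlen(query) > MAX_REQ_LEN)
        return -1;
    while (*p) {
        const char *start = p;
        size_t len;
        while (*p && *p != '&')
            p++;
        len = (size_t)(p - start);
        if (n == max_args)
            goto fail;
        args[n] = copy_arg(start, len);
        if (!args[n])
            goto fail;         /* over-long argument: reject whole request */
        n++;
        if (*p == '&')
            p++;
    }
    return n;
fail:
    free_cgi_args(args, n);
    return -1;
}

int main(void)
{
    /* Constructed inputs: a normal query and one 300-byte argument. */
    char *args[MAX_ARGS];
    char big[301];
    int n, i;

    memset(big, 'A', 300);
    big[300] = '\0';

    n = parse_cgi_args("file=index&mode=raw", args, MAX_ARGS);
    printf("normal query: %d argument(s)\n", n);
    for (i = 0; i < n; i++)
        printf("  %s\n", args[i]);
    free_cgi_args(args, n);

    printf("over-long argument: %d\n", parse_cgi_args(big, args, MAX_ARGS));
    return 0;
}
```

The check lives in copy_arg, next to the allocation whose size it guards, so
the limit cannot silently drift apart from the buffer it protects; the request
limit of 2048 alone does not bound a single argument and is not sufficient.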
-----------------------------------------------------------------------
Timeline
========
2005-05-18 Discovery
2005-05-19 First attempt to contact developer
2005-05-21 Second attempt
2005-05-22 Developer reply
2005-06-11 Fixed version 3.4 released and advisory published