
ADA.image.txt

Posted Apr 14, 2004
Authored by Dr. Insane

ADA Image Server (ImgSvr) 0.4 suffers from a buffer overflow via GET requests, directory traversal vulnerabilities, and a denial of service flaw.

tags | exploit, denial of service, overflow, vulnerability
SHA-256 | 1370cfce6a031c225513a395b16a06250d429c03c51eb6ad76a3faa9db212314

hello,

Advisory for ADA Image Server (ImgSvr) 0.4.


ADA Image Server (ImgSvr) 0.4 Multiple vulnerabilities


Release Date:
April 3, 2004

Severity:
High (Remote Code Execution)

Vendor:
sourceforge.net/projects/adaimgsvr/


Services Affected:
http service (1234)


Description of the product:
ADA Image Server is an embedded web server that specializes in photo album publishing.
This image server provides HTTP access to image content. It generates dynamic pages from
a standard directory-based hierarchy and manages thumbnails and metadata.


Vulnerabilities:
1) Buffer overflow in Get / request
2) Directory Traversal vulnerabilities
3) List directories outside WWW root
4) DoS attack

Technical Description:
Some days ago I discovered some critical vulnerabilities in ADA Image Server (ImgSvr) 0.4 that
may allow an unauthorized user to execute arbitrary code and read sensitive files on the system.

1. Buffer overflow in Get / request

There is a buffer overflow in ADA image server when you send a GET request followed by 2.112 characters.
A cracker may exploit this vulnerability to make your web server crash continually or even execute
arbitrary code on your system.

Get /[2.112 chars] http/1.0


2. Directory Traversal vulnerabilities

The problem happens when the attacker uses the pattern "%2f%2e%2e%2f", which deceives the server's path checks and
allows him to view and download any file on the remote system whose path he knows.

http://[host]:1234/%2f%2e%2e%2f%2f%2e%2e%2f%2f%2e%2e%2f%2f%2e%2e%2f%2f%2e%2e%2fboot.ini


3. There is a third problem that allows a remote user to list any directory outside WWW home.

eg. http://[host]:1234/%2f%2e%2e%2f%2f%2e%2e%2f/


4. Some days ago another bug was published that allowed a remote user to view the contents of the www directory
by supplying a "%00". Using this bug we can crash the server remotely by requesting this:

http://127.0.0.1:1234/%00/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe
/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe
/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/
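The four issues above share one root cause: the request target is used before it is bounded, decoded and canonicalized. The following is an added example, not code from the advisory or from the ImgSvr project, showing a request-target check that rejects each case; `WEB_ROOT`, `MAX_TARGET_LEN` and the function names are assumptions chosen for illustration, and the sample targets are constructed.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/album"   # hypothetical document root (assumption)
MAX_TARGET_LEN = 1024     # assumed cap on the request target length

class RejectedRequest(ValueError):
    """Raised when a request target must not be served."""

def resolve_request_path(raw_target, root=WEB_ROOT):
    """Map a raw HTTP request target to a path under root, or raise."""
    # Bound the length first; the advisory's overflow needs an oversized target.
    if len(raw_target) > MAX_TARGET_LEN:
        raise RejectedRequest("target too long")
    # Decode exactly once and validate the decoded form, so "%2f%2e%2e%2f"
    # is seen as "/../" by the same check that sees a literal "/../".
    path = unquote(raw_target.split("?", 1)[0])
    # "%00" decodes to NUL; no control character belongs in a file path.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in path):
        raise RejectedRequest("control character in path")
    # Treat "\" as a separator too, since Windows accepts it in paths.
    segments = [s for s in path.replace("\\", "/").split("/") if s not in ("", ".")]
    if ".." in segments:
        raise RejectedRequest("parent-directory segment")
    candidate = posixpath.normpath(posixpath.join(root, *segments))
    # Final containment check on the path that would actually be opened.
    if candidate != root and not candidate.startswith(root.rstrip("/") + "/"):
        raise RejectedRequest("outside web root")
    return candidate

def verdict(raw_target):
    """Return 'ok' or the rejection reason for one request target."""
    try:
        resolve_request_path(raw_target)
        return "ok"
    except RejectedRequest as exc:
        return str(exc)

# Constructed sample targets modelled on the four cases in the advisory.
SAMPLES = {
    "normal": "/albums/2004/img01.jpg",
    "long": "/" + "A" * 2112,
    "traversal": "/%2f%2e%2e%2f%2f%2e%2e%2fboot.ini",
    "listing": "/%2f%2e%2e%2f%2f%2e%2e%2f/",
    "nul": "/%00/imgsvr.exe/imgsvr.exe",
}

if __name__ == "__main__":
    for name, target in SAMPLES.items():
        print(f"{name:10} {verdict(target)}")
```

The check is purely lexical; a deployment that allows symbolic links under the root would also need to resolve them before the containment test.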



Workaround:
Use another product.

Pr00f of concept code:
sorry, nothing at the moment but some pr00f of concept exploit may emerge soon.



Credit:
Dr_insane
Http://members.lycos.co.uk/r34ct/


Feedback
Please send your comments to: dr_insane@pathfinder.gr





