hello,

Advisory for ADA Image Server (ImgSvr) 0.4.


ADA Image Server (ImgSvr) 0.4 Multiple vulnerabilities

 
Release Date:
April 3, 2004

Severity:
High (Remote Code Execution)

Vendor:
sourceforge.net/projects/adaimgsvr/ 


Services Affected:
http service (1234)


Description of the product:
ADA Image Server is an emmbeded web server that is specialized in photo album publishing.
This Image server provide an http access to image content. It generate dynamic pages from
a standard directory based hierarchy, manage thumbnails, metadatas.


Vulnerabilities:
1)Buffer overflow in Get / request
2)Directory Traversal vulnerabilities
3)List directories outside WWW root
4)Dos attack

Technical Description:
Some days ago I discovered some critical vulnerabilities in ADA Image Server (ImgSvr) 0.4 that
may allow an unauthorized user to execute arbitary code and read sensitive files on the system.

1. Buffer overflow in Get / request

There is a buffer overflow in ADA image server when you send a GET request following by 2.112 characters.
A cracker may exploit this vulnerability to make your web server crash continually or even execute 
arbirtray code on your system.

Get /[2.112 chars] http/1.0


2.Directory Traversal vulnerabilities

The problem happens when the attacker uses the pattern "%2f%2e%2e%2f" that deceives the checks and allows him to see
and download any file in the remote system knowing the path.

http://[host]:1234/%2f%2e%2e%2f%2f%2e%2e%2f%2f%2e%2e%2f%2f%2e%2e%2f%2f%2e%2e%2fboot.ini


3.There is a third problem that allows a remote user to list any directory outside WWW home.

eg. http://[host]:1234/%2f%2e%2e%2f%2f%2e%2e%2f/


4.Some days ago another bug had been published that allowed a remote user to view the content of www directory
by supplying a "%00". Using this bug we can crash the server remotely by typing this:

http://127.0.0.1:1234/%00/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe
/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe
/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/



Workaround:
Use another product.

Pr00f of concept code:
sorry, nothing at the moment but some pr00f of concept exploit may emerge soon.



Credit:
Dr_insane
Http://members.lycos.co.uk/r34ct/


Feedback
Please send your comments to: dr_insane@pathfinder.gr






______________________________________________________________________________________
http://mobile.pathfinder.gr - Pathfinder Mobile logos & Ringtones! 
http://www.pathfinder.gr - ÄùñåÜí mail áðü ôïí Pathfinder!