
ADA.image.txt

Posted Apr 14, 2004
Authored by Dr. Insane

ADA Image Server (ImgSvr) 0.4 suffers from a buffer overflow via GET requests, directory traversal vulnerabilities, and a denial of service flaw.

tags | exploit, denial of service, overflow, vulnerability
SHA-256 | 1370cfce6a031c225513a395b16a06250d429c03c51eb6ad76a3faa9db212314

hello,

Advisory for ADA Image Server (ImgSvr) 0.4.


ADA Image Server (ImgSvr) 0.4 Multiple vulnerabilities


Release Date:
April 3, 2004

Severity:
High (Remote Code Execution)

Vendor:
sourceforge.net/projects/adaimgsvr/


Services Affected:
http service (1234)


Description of the product:
ADA Image Server is an embedded web server that is specialized in photo album publishing.
This image server provides HTTP access to image content. It generates dynamic pages from
a standard directory-based hierarchy and manages thumbnails and metadata.


Vulnerabilities:
1) Buffer overflow in GET / request
2) Directory traversal vulnerabilities
3) List directories outside WWW root
4) DoS attack

Technical Description:
Some days ago I discovered some critical vulnerabilities in ADA Image Server (ImgSvr) 0.4 that
may allow an unauthorized user to execute arbitrary code and read sensitive files on the system.

1. Buffer overflow in GET / request

There is a buffer overflow in ADA Image Server when you send a GET request followed by 2.112 characters.
A cracker may exploit this vulnerability to make your web server crash continually or even execute
arbitrary code on your system.

Get /[2.112 chars] http/1.0


2. Directory traversal vulnerabilities

The problem occurs when the attacker uses the pattern "%2f%2e%2e%2f", which deceives the server's path checks and allows him to
view and download any file on the remote system whose path he knows.

http://[host]:1234/%2f%2e%2e%2f%2f%2e%2e%2f%2f%2e%2e%2f%2f%2e%2e%2f%2f%2e%2e%2fboot.ini


3. There is a third problem that allows a remote user to list any directory outside WWW home.

eg. http://[host]:1234/%2f%2e%2e%2f%2f%2e%2e%2f/


4. Some days ago another bug had been published that allowed a remote user to view the content of www directory
by supplying a "%00". Using this bug we can crash the server remotely by typing this:

http://127.0.0.1:1234/%00/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe
/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe
/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/imgsvr.exe/
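
A request-target check that addresses the four issues above, as an added example (it is not part of the advisory and not ImgSvr code). The document root, the length cap and all function names are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

MAX_TARGET_LEN = 1024      # assumed cap, well below the 2.112 characters of item 1
WWW_ROOT = "/srv/album"    # hypothetical document root


class RejectedRequest(Exception):
    def __init__(self, status, reason):
        super().__init__(f"{status} {reason}")
        self.status = status


def resolve_target(raw_target, root=WWW_ROOT):
    """Return the path under root for a request target, or raise RejectedRequest."""
    # Item 1: bound the length before the target is copied or parsed.
    if len(raw_target) > MAX_TARGET_LEN:
        raise RejectedRequest(414, "request target too long")
    path = raw_target.split("?", 1)[0]
    # Items 2 and 3: decode first, check afterwards. A filter that looks for
    # "../" in the raw string never sees "%2f%2e%2e%2f". Decoding is repeated
    # so that double encoding ("%252e") is unwrapped as well.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        raise RejectedRequest(400, "excessive percent-encoding")
    # Item 4: a decoded NUL ("%00") or a backslash never belongs in a path.
    if "\x00" in path or "\\" in path:
        raise RejectedRequest(400, "illegal character in path")
    # Collapse "." and ".." lexically, then require the result to stay in root.
    candidate = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        raise RejectedRequest(403, "path escapes document root")
    return candidate


def status_for(raw_target):
    """200 if the target would be served, otherwise the rejection status."""
    try:
        resolve_target(raw_target)
        return 200
    except RejectedRequest as exc:
        return exc.status
```

The containment check is purely lexical; a server that follows symbolic links should also compare the resolved path (os.path.realpath) against the root before opening the file.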



Workaround:
Use another product.

Pr00f of concept code:
sorry, nothing at the moment but some pr00f of concept exploit may emerge soon.



Credit:
Dr_insane
Http://members.lycos.co.uk/r34ct/


Feedback
Please send your comments to: dr_insane@pathfinder.gr






