Twenty Year Anniversary

activePost.txt

activePost.txt
Posted Sep 29, 2004
Authored by Luigi Auriemma | Site aluigi.altervista.org

ActivePost Standard versions 3.1 and below suffer from a denial of service flaw, a directory traversal attack, and conference password and path disclosure vulnerabilities.

tags | advisory, denial of service, vulnerability
MD5 | 32e48c6d6045ac6267a3a3b58cc4fef0

activePost.txt

Change Mirror Download

#######################################################################

Luigi Auriemma

Application: ActivePost Standard
http://www.activepost.net
Versions: <= 3.1
Platforms: Windows
Bugs: - File-Server crash
- File-server directory traversal and path disclosure
- conference password disclosure
Risk: critical
Exploitation: remote, versus server
(only the third bug affects clients too)
Date: 23 September 2004
Author: Luigi Auriemma
e-mail: aluigi@altervista.org
web: http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


ActivePost Standard is an interesting communication program for
companies.
It is constituited by the clients and a central server used for login,
messaging, chat, files transfer and conferences.


#######################################################################

=======
2) Bugs
=======


--------------------
A] File-Server crash
--------------------

The file-server runs on port 6004 and is used to upload files on the
server so they can be downloaded by the target users.
The problem is that an attacker is able to crash the file-server using
a filename longer than 4074 chars.
The file-server protocol is constituited by data blocks of 4104 bytes
and doesn't seem possible to cause more damage.


------------------------------------------------------
B] File-server directory traversal and path disclosure
------------------------------------------------------

This is the most critical vulnerability because lets an attacker to
upload malicious files everywhere in the disk on which is installed the
ActivePost server overwriting any existing file.
That happens exploiting a directory traversal bug in the name of the
file to upload using the slash char.
Example: /../../../windows/calc.exe
The complete real path in which the remote file has been written is
ever visible after each upload because this information is directly
sent by the server.


---------------------------------
C] conference password disclosure
---------------------------------

Everytime an user enters in the conference menu, the server sends all
the informations of the available rooms included the plain-text
passwords of those protected.
Check the following example data received from the server:

4703 0000 0000 0000 0000 0000 0000 0000 G...............
0000 0000 0a72 6f6f 6d20 7469 746c 6500 .....room title.
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0001 3100 ..............1.
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0e73 6563 7265 7470 6173 7377 6f72 ...secretpasswor <===
6400 0000 0000 0000 0000 0000 0000 0000 d...............
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0003 3832 ..............82
3100 0000 0000 0000 0000 0000 0000 0000 1...............
0000 0138 0000 0000 0000 0000 0000 0000 ...8............
0000 0000 0000 0017 6465 7363 7269 7074 ........descript
696f 6e20 6f66 2074 6865 2072 6f6f 6d00 ion of the room.
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 0000 0000 0000 0000 0000 0000 ................
0000 0000 ....


#######################################################################

===========
3) The Code
===========


A] http://aluigi.altervista.org/poc/actpboom.zip

B] http://aluigi.altervista.org/poc/actpup.zip

C] launch a sniffer before entering in the conference menu


#######################################################################

======
4) Fix
======


No fix.
No reply from the developers.


#######################################################################


---
Luigi Auriemma
http://aluigi.altervista.org

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

August 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    19 Files
  • 2
    Aug 2nd
    17 Files
  • 3
    Aug 3rd
    16 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    1 Files
  • 6
    Aug 6th
    19 Files
  • 7
    Aug 7th
    15 Files
  • 8
    Aug 8th
    9 Files
  • 9
    Aug 9th
    7 Files
  • 10
    Aug 10th
    10 Files
  • 11
    Aug 11th
    1 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    14 Files
  • 14
    Aug 14th
    18 Files
  • 15
    Aug 15th
    38 Files
  • 16
    Aug 16th
    5 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close