#######################################################################

                             Luigi Auriemma

Application:  WebMod
              http://www.djeyl.net/w.php
Versions:     <= 0.48
Platforms:    Windows and Linux
Bugs:         A] directory traversal
              B] Cookie buffer-overflow
              C] parser.cpp arbitrary memory writing
              D] scripts source disclosure
Exploitation: remote
Date:         03 May 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


WebMod is an open source MetaMod plugin which acts as a web server for
Half-Life, listening on the TCP port with the same number as the UDP
port used by the game.


#######################################################################

=======
2) Bugs
=======

----------------------
A] directory traversal
----------------------

WebMod's anti-directory-traversal check searches the client's HTTP
request for the "../" pattern only. Using "..\" instead is enough to
bypass the check and download any file on the disk where Half-Life is
running, including the configuration files of the game server (for
example ..\..\..\..\platform\config\server.vdf or ..\..\..\server.cfg).
Note that this bug works only on Windows servers, where the backslash is
a path separator.

From server.cpp:

void clientHandle(int connfd, httpquery_t *query, int tid)
...
    if(strstr(str,"../")) // hack attempt, display index page
    {
        str[0]='\0';
    }


-------------------------
B] Cookie buffer-overflow
-------------------------

A cookie value longer than MYSOCK_BUFLEN (8192) bytes overflows the
stack buffer buf: the copy loop stops only at a ';', a newline or the
end of the input and never compares j against the size of buf.

From server.cpp:

void connectHandle(void *data)
{
    char *input;
    char buf[MYSOCK_BUFLEN+1];
...
            for(j=0;input[i]&&input[i]!=';'&&input[i]!='\n';j++,i++) buf[j]=input[i];


--------------------------------------
C] parser.cpp arbitrary memory writing
--------------------------------------

The functions in parser.cpp are affected by several memory corruption
vulnerabilities whose effects depend on the type of variable/script
used. In short, a value longer than MAX_FILE_SIZE (16384) bytes can lead
to the writing of custom data at a custom memory address through strcat
(auth.w?mode), a NULL pointer dereference (auth.w?redir), an invalid
memory access (the rconpass parameter of auth.w) and so on.


----------------------------
D] scripts source disclosure
----------------------------

Adding a dot at the end of the requested URI returns the source code of
the script instead of executing it. This bug (which should work only on
FAT/NTFS filesystems) is a security vulnerability ONLY if the server
runs custom scripts.


#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/webmodz.zip

  nc SERVER PORT -v -v < webmodz1.txt
  nc SERVER PORT -v -v < webmodz2.txt
  nc SERVER PORT -v -v < webmodz3.txt
  nc SERVER PORT -v -v < webmodz4.txt


#######################################################################

======
4) Fix
======

No fix


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org
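Added example (this is not WebMod's code and is not part of the original
advisory): a C program that puts the weak "../" check from bug A beside a
hardened path validator treating "/" and "\" alike (which also rejects the
trailing-dot form from bug D), and a bounded replacement for the cookie
copy loop from bug B beside the original's unbounded one. The function
names (original_check_blocks, request_path_is_safe, copy_cookie_value,
first_cookie_value_length, long_cookie_is_rejected), the sample request
path and the cookie strings are all constructed for this example;
MYSOCK_BUFLEN is redefined here with the value of 8192 given above.

```c
/* Added example: not WebMod's code. Hardened counterparts of the two
 * request-parsing steps quoted in bugs A and B, plus the trailing-dot
 * case from bug D. All function names and sample inputs below are
 * constructed for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MYSOCK_BUFLEN 8192   /* value given in the advisory */

/* The original check, for comparison: only the "../" form is caught. */
int original_check_blocks(const char *str)
{
    return strstr(str, "../") != NULL;
}

/* Hardened check. Walks the request path component by component,
 * treating '/' and '\\' alike, and rejects:
 *   - absolute paths and drive letters,
 *   - any ".." component, whichever separator follows it (bug A),
 *   - a final component ending in '.' or ' ', which Windows ignores
 *     when opening a file (the mechanism behind bug D).
 * Returns 1 if the path is acceptable, 0 otherwise. */
int request_path_is_safe(const char *path)
{
    const char *p = path;

    if (*p == '/' || *p == '\\')
        return 0;
    if (((p[0] >= 'A' && p[0] <= 'Z') || (p[0] >= 'a' && p[0] <= 'z'))
        && p[1] == ':')
        return 0;

    while (*p) {
        size_t len = strcspn(p, "/\\");          /* length of this component */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        if (len > 0 && p[len] == '\0'
            && (p[len - 1] == '.' || p[len - 1] == ' '))
            return 0;
        p += len;
        if (*p)
            p++;                                  /* skip the separator */
    }
    return 1;
}

/* Bounded replacement for the cookie copy loop. Copies one value
 * (terminated by ';', '\n' or end of input) starting at input[i] into
 * buf, always leaving room for the terminator. Returns the number of
 * bytes copied, or -1 if the value does not fit so the caller can reject
 * the request instead of truncating silently. */
long copy_cookie_value(const char *input, size_t i, char *buf, size_t buflen)
{
    size_t j = 0;

    while (input[i] && input[i] != ';' && input[i] != '\n') {
        if (j + 1 >= buflen)
            return -1;
        buf[j++] = input[i++];
    }
    buf[j] = '\0';
    return (long)j;
}

/* Convenience wrapper using a buffer of the original size. */
long first_cookie_value_length(const char *input)
{
    char buf[MYSOCK_BUFLEN + 1];
    return copy_cookie_value(input, 0, buf, sizeof buf);
}

/* Builds a constructed cookie value of value_len 'A' bytes followed by a
 * newline and reports whether the bounded copy rejects it. */
int long_cookie_is_rejected(size_t value_len)
{
    char *input = malloc(value_len + 2);
    int rejected;

    if (!input)
        return -1;
    memset(input, 'A', value_len);
    input[value_len] = '\n';
    input[value_len + 1] = '\0';
    rejected = first_cookie_value_length(input) == -1;
    free(input);
    return rejected;
}

int main(void)
{
    const char *bypass = "..\\..\\..\\server.cfg";     /* constructed request */

    printf("original check blocks %s: %d\n", bypass, original_check_blocks(bypass));
    printf("hardened check accepts %s: %d\n", bypass, request_path_is_safe(bypass));
    printf("first value of \"sid=abc; lang=en\" is %ld bytes long\n",
           first_cookie_value_length("sid=abc; lang=en"));
    printf("9000-byte cookie value rejected: %d\n", long_cookie_is_rejected(9000));
    return 0;
}
```

The path check deliberately works on separators rather than on a fixed
pattern, so a ".." component is rejected whatever follows it; the cookie
copy returns an error instead of truncating, since a silently shortened
value would still be accepted by the rest of the parser.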