RobTex Directory Traversal

nitr0s · 27-04-2001 10:17AM #1

Last week a directory traversal problem was posted to bugtraq.
http://www.securityfocus.com/templates/archive.pike?list=1&fromthread=0&mid=178935&threads=0&start=2001-04-22&end=2001-04-28&

An update was made available but there is still a few problems.The following links will also work with the latest release tested on NT.The default installation is to X:\Viking\
The root directory is X:\Viking\http\
Where X is the hard drive.
Win.ini is an example, any file that exists can be retrieved.

http://www.viking-server.com/%5c./%2e%2e/%2e%2e/winnt/win.ini

http://www.viking-server.com/%2e%2e/%2e%2e/winnt/win.ini

http://www.viking-server.com/%5c%2e%2e/%2e/%2e%2e/winnt/win.ini

http://www.viking-server.com/%5c%2e%2e/%2e%2e/winnt/win.ini

The solution to the problem is to edit httpd.cnf, insert the following:

Wild http:*%2e* x-viking:/na

There is also a way around this which I won't mention yet..
Its a flaw in the HTTP protocol that they implement.

Hexadecimal examples are used because Internet Explorer strips ([backslashes] \ %5c) and ([dots] . %2e]) from the URL.

%5c must be used because the original discovery checks for backslashes in the URL.

There is also a DoS attack which I won't mention because of the conditions needed and the fact that it simply restarts.

http://www.robtex.com/

nitr0s · 28-04-2001 01:56AM

If you dissassemble the Viking server, you will notice that they implement their own "wee" HTTP protocol which contains alot of bugs.
X-Viking: is an acceptable header making the above current problem of directory traversal exploitable (no details, if you cared)regardless of patches and configuration.It doesn't matter that the remote system has the appropriate configuration or patch.
Its a matter of research.
As an example, the proxy server works like this:

c:\nc -vn 127.0.0.1 8080

GET / HTTP/1.1
Host: locahost:8080

The proxy server will take the "Host" header as the client and connect locally in a continuous loop consuming all available memory before crashing the system the proxy runs on.

This is simple locally using a web browser,
http://localhost:8080/
,remotely would just mean supplying the "host" header with localhost:8080 as the destination.

The system running Viking would loop connections to itself requesting what you had sent it, eventually eating all available memeory and halting the system it operates on.

Its basically a DoS attack, yeah..its lame.
Requesting over 100kb's to the webserver simply restarts the application.

RobTex Directory Traversal

Comments