++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++GOBBLES+SECURITY+RESEARCH+TEAM+INCORPORATED+++++++++++++++++ ALERT! ALERT! CHEROKEE WEBSERVER HAS SEVERE SECURITY HOLES! ALERT! ALERT! ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ After an email conversation between rfp (rain.forest.puppy) and a GOBBLES Lab research, we have learned that there has recently been an outbreak in fake advisories and trojaned exploits that are being submitted to these security mailing lists. The moderators are working very hard to sort out the legitimate advisories from the immature pranks of many, and they all deserve words of thanks for their hard work. This courtesy however should not extend to the moderators of the so called full-disclosure mailing lists that delay the release of information to increase the attention to their commercial services. GOBBLES Security feels no sympathy for those moderators while they have to sort through these childish and immature pranks. This should not be interpreted as encouragement for said actions against anyone, but rather as encouragement for the hard workers who have to put up with the same crap. Always remember, full disclosure is a necessary evil, which makes it one of the few sins that God doesn't frown upon. Remember, this is the holiday season, and it's important to give... PRODUCT ******* Program: Cherokee Webserver Website: http://aurora.esi.uem.es/~alo/?action=cherokee BACKGROUND ********** After the recent discoveries of multiple remote vulnerabilities in Apache Server (www.apache.org) by security companies (chiefly NAI.com/horizon), GOBBLES members have been investigating other http servers to see if they can outperform the security of Apache Server (yes, we have developed our own remote exploits for Apache Server and are keeping them quiet for the time -- go ahead and call us filthy blackhats, we have our own personal reasons for not disclosing them at this time). We think Apache Server is a _great_ product; we're just interested in seeing how others line up against it. One of the servers we came across is Cherokee Webserver. From the author's website, I submit the following paste: alo's homepage (p1 of 2) Join www.godsmaze.org now ;-) Back to home Cherokee an extra-light web server Cherokee is an extremely fast and tiny web server. Features * Basic HTTP sever * FAST and tiny * Embedable * Runs under a chroot enviroment * Supports htdocs path in compilation * Can work as a daemon Benchmark Cherokee 0.2.0 Apache 1.3.22 Requests per second: 5503.58 [#/sec] Time per request: 9.09 [ms] Time per request: 0.18 [ms] (concurrent req) Transfer rate: 1095.36 [Kbytes/sec] Requests per second: 857.19 [#/sec] Time per request: 58.33 [ms] Time per request: 1.17 [ms] (concurrent req) Transfer rate: 366.91 [Kbytes/sec] Executable size: 7.4Kb Executable size: 504Kb Benchmark "ab" (Apache Benchmark program) executed doing 10.000 queries and 50 clients concurrently As you can see, this server brags exceptional speed. The real question is, however, is it secure? Our tests suggest it isn't. >:-) PROBLEMS ******** The first problem is a simple directory traversal bug. No exploit code is needed to demonstrate this; netcat and Internet Explorer seem to be sufficient. By adding several instances of /../ to the end of a request, one is able to traverse the entire filesystem. Notice, this server brags to run in a "chroot" environment, but by this test we see something is definately wrong. The second problem is that it does not drop privilages. Since it needs to start as root to bind to tcp 80, and does not drop privilages, there is an obvious problem. Without even doing a source code audit, we immediately realize the potential and instantaneous remote root comprimise here when used with the first problem described above; a clever penetrator who is familiar with various password storage mechanisms on Unix-basd platforms will know enough to go after files like /etc/passwd|shadow|master.passwd, then from there it's just a matter of ./john -i to become root. WORKAROUNDS *********** GOBBLES Labs highly recommends using a better http server, one that can at least attempt to brag security. Speed isn't as important as security, so don't trust any product that only brags speed. *note from GOBBLES: hey hey hey it GOBBLES hehehe all GOBBLES want to say is that he did not instruct researchers at GOBBLES Labs to investigate further into this and there probably many holes in sourcecode like bufferoverflow and format bug strings for easier exploitation but GOBBLES think after showing two root hole in product it time to move on and go to next and that GOBBLES promise to revisit it after author patch these problems, hehe, at least make it chroot! * GREETS ****** dianora, tsk, snow, carolyn meinel, john vranesevich, steve gibson, kimble, knightmare, emmanuel goldstein, box.sk, @stake, securityfocus, sans.org, blackhat.com, defcon.org, 2600.com, #phrack@efnet, #hackphreak@undernet, bugtraq (thanks aleph1 and david ahmad for devoting your time to a great list), ntbugtraq (russel the love muscle ;D), cert.org, paul vixie, vesselin bontchev, reese witherspoon, kirsten dunst, katie holmes, aleister crowley, manly p hall, franz bardon, dennis ritchie, nietzsche, w. richard stevens, radiohead, george michael, larry wall, beethoven, francis bacon, bruce willis, bruce schneier, alan turing, john von neumann, donald knuth, michael abrash, robert sedgewick, richard simmons, government boy, ralph lauren, kevin mitnick, david koresh, the violent femmes, legions of doom, quentin tarantino, JUPES, security.nnov.ru, dugsong, wayne gretzky, hhp-programming.net, so1o, the HaX0R bRoThErS, nasa.gov, alfred hitchcock, ray bradbury, linux torvalds, alyssa milano, sarah michelle geller, jennifer lopez, catherine zeta jones, robert de niro, plato, leonardo da vinci, nostradamus, adam weishaupt, adema, kmfdm, eliphas levi, john dee, goo goo dolls, savage garden, george bush, john howard, tony blair, ashida kim, andrew tanenbaum, comp.lang.c, solar designer, patanjali, vayu siddhi, deepak chopra, ajna chakra, fuzzy bunny, lockdown, bronc buster, attrition.org, cliff stoll, bill gates, alan cox, george harrison, berkeley.edu, microsoft.com, isox, american mcgee, princess toadstool, ru paul, sharon stone, taeho oh, napster, nocarrier, steve wozniak, captian crunch, tony the tiger, julliette lewis, oliver twist, yakko, wakko, santa claus, the easter bunny, the christmas tree, hacktech.org, mixter and the rest of #darknet/2xs, the planet Pluto, pluto the dog, walt disney, the smurfs, packetstormsecurity.org, chocolate, caramel, marshmallows, rice crispies, rice crispie treats, cousin WOBBLES, rfp, Alan@packetstorm, george bush senior, george w. bush, his drunken daughters, gary coleman, fat albert, rhino9, eEye.com, the djali zwan, digital unix, o'reilly & associates, hwa-security.net, #malvu/efnet, donkey kong, diddy kong, p diddy, mr. peanut, all girls who pose naked on webcam for GOBBLES, mr goldilocks, checkpoint.com, whoever invented deoderant, monkey.org, bono, micheal stipes, clark kent, bruce banner, ssh.com, hacked.cisco.com, thomas edison, steven king, P80 Systems, gnutella, colin powell, Joakim von Braun, #openbsd/efnet, jnathan/efnet, debian.org, mr. ed, scooby doo, spud mckenzie, sam i am, guy who wrote that bible book, george b. thomas junior, ross l. finney, maurice d. wier, john bobbit, transmeta.com, linus torvalds, naked supermodel in magazines, d'arcy gretzky, deep purple, shampoos that kill head lice, kraft.com, george clooney, jonathon swift, plan9 from outer space, penelope cruz, chuck norris, mandy moore, christina aguilera, drew barrymore, bjarne stroustrup, psychic friends network, david letterman, ~el8, jennicide, the mentor, kevin spacey, sho kosugi, michael dudikoff, HERT, anton lavey, daath, stephen hawking, the illuminati, sml@subterrain.net, spinux, efnet@ROUTE, the movie "dirty dancing", darth maul, liz taylor, barney rubble, pacman, the fantastic four, Narr0w, angrypackets.com, sinbad, jim phillips, the movie "pink flamingos" -- wonderful performance ricki lake, guy who invent drugs, skyper (you promised we be Prophile not noise, but we love you anyways), all the ninjas, charlie root for all he emails, wyatt erp, nmrc.org, paul albitz, cricket liu, kurt kerns, #!/bin/zsh, harry houdini, all security.is psychologists (hehe), guy anonymous (wrote book Maximum Linux Security on how to use free software, hehe), and all our friends and family.