Vulnerabilities > CVE-2003-0338 - Directory Traversal vulnerability in Wsmp3 Daemon and Wsmp3 web Server

CVSS 5.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

NONE

network

low complexity

wsmp3

nessus

exploit available

NVD

Published: 2003-05-21

Updated: 2016-10-18

Summary

Directory traversal vulnerability in WsMp3 daemon (WsMp3d) 0.0.10 and earlier allows remote attackers to read and execute arbitrary files via .. (dot dot) sequences in HTTP GET or POST requests.

Vulnerable Configurations

Part	Description	Count
Application	Wsmp3 Wsmp3 Wsmp3 Daemon 0.0.8 Wsmp3 Wsmp3 Daemon 0.0.9 Wsmp3 Wsmp3 Daemon 0.0.10 Wsmp3 Wsmp3 WEB Server 0.0.1 Wsmp3 Wsmp3 WEB Server 0.0.2 Wsmp3 Wsmp3 WEB Server 0.0.3 Wsmp3 Wsmp3 WEB Server 0.0.4 Wsmp3 Wsmp3 WEB Server 0.0.5 Wsmp3 Wsmp3 WEB Server 0.0.6 Wsmp3 Wsmp3 WEB Server 0.0.7	10

Exploit-Db

description	WSMP3 0.0.x Remote Command Execution Vulnerability. CVE-2003-0338. Remote exploit for linux platform
id	EDB-ID:22623
last seen	2016-02-02
modified	2003-05-21
published	2003-05-21
reporter	dong-h0un U
source	https://www.exploit-db.com/download/22623/
title	WSMP3 0.0.x - Remote Command Execution Vulnerability

Nessus

NASL family	Web Servers
NASL id	WSMP3D_CMD_EXEC.NASL
description	The remote host is using wsmp3d, an MP3 streaming web server. There is a flaw in this server that allows anyone to execute arbitrary commands and read arbitrary files with the privileges this server is running with.
last seen	2020-06-01
modified	2020-06-02
plugin id	11645
published	2003-05-21
reporter	This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/11645
title	WsMp3 Daemon (WsMp3d) HTTP Traversal Arbitrary File Execution/Access
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(11645); script_version ("1.17"); script_cve_id("CVE-2003-0338"); script_name(english:"WsMp3 Daemon (WsMp3d) HTTP Traversal Arbitrary File Execution/Access"); script_summary(english:"Attempts to execute /bin/id"); script_set_attribute(attribute:"synopsis", value: "The remote host is running a MP3 streaming web server with a directory traversal vulnerability." ); script_set_attribute(attribute:"description", value: "The remote host is using wsmp3d, an MP3 streaming web server. There is a flaw in this server that allows anyone to execute arbitrary commands and read arbitrary files with the privileges this server is running with." ); script_set_attribute( attribute:"see_also", value:"https://seclists.org/vulnwatch/2003/q2/79" ); script_set_attribute( attribute:"solution", value:"There is no known solution at this time." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_publication_date", value: "2003/05/21"); script_set_attribute(attribute:"vuln_publication_date", value: "2003/05/21"); script_cvs_date("Date: 2018/11/15 20:50:26"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe",value:"cpe:/a:wsmp3:wsmp3_daemon"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Web Servers"); script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc."); script_dependencie("http_version.nasl"); script_require_ports("Services/www", 8000); script_exclude_keys("Settings/disable_cgi_scanning"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); ports = add_port_in_list(list:get_kb_list("Services/www"), port:8000); foreach port (ports) { if ( ! get_http_banner(port:port) ) continue; w = http_send_recv3(method:"GET", item:"/cmd_ver", port:port); if (isnull(w)) continue; res = strcat(w[0], w[1], '\r\n', w[2]); if ( "WsMp3" >< res ) { dirs = get_kb_list(string("www/", port, "/content/directories")); if(!isnull(dirs)) { dirs = make_list(dirs); dirs = list_uniq(make_list(dirs[0], cgi_dirs())); } else dirs = cgi_dirs(); foreach d (dirs) { # version: 10 ? w = http_send_recv3(method:"POST", port: port, item: d+"/../../../../../../../../../../../../bin/id"); if (isnull(w)) break; r = strcat(w[0], w[1], '\r\n', w[2]); if("uid=" >< r && egrep(pattern:"uid=[0-9].gid=[0-9]", string:r) ) { security_hole(port); exit(0); } if("id: Not implemented" >< r) { # version:10 ? w = http_send_recv3(method:"POST", port:port, item: d+"/../../../../../../../../../../../../usr/bin/id"); if (isnull(w)) break; r = strcat(w[0], w[1], '\r\n', w[2]); if("uid=" >< r && egrep(pattern:"uid=[0-9].gid=[0-9]", string:r) ) { security_hole(port); exit(0); } } } } }

Summary

Vulnerable Configurations

Exploit-Db

Nessus

References