CVE-2003-0833 - Unspecified vulnerability in Webfs
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | PARTIAL |
Integrity impact | PARTIAL |
Availability impact | PARTIAL |
Summary
Stack-based buffer overflow in webfs before 1.20 allows attackers to execute arbitrary code by creating directories that result in a long pathname.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 4 |
Exploit-Db
description | WebFS 1.x Long Pathname Buffer Overrun Vulnerability. CVE-2003-0833. Remote exploit for linux platform |
id | EDB-ID:23196 |
last seen | 2016-02-02 |
modified | 2003-09-29 |
published | 2003-09-29 |
reporter | jsk |
source | https://www.exploit-db.com/download/23196/ |
title | WebFS 1.x Long Pathname Buffer Overrun Vulnerability |
Nessus
NASL family | Web Servers |
NASL id | WWW_TOO_LONG_URL.NASL |
description | The remote web server crashes when it receives a too long URL. It might be possible to make it execute arbitrary code through this flaw. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 10320 |
published | 1999-06-22 |
reporter | This script is Copyright (C) 1999-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/10320 |
title | Web Server Long URL Handling Remote Overflow DoS |
code |

```
#
# (C) Tenable Network Security, Inc.
#
# Some vulnerable servers:
# SmallHTTP (All versions vulnerable: 2.x Stables, 3.x Latest beta 8)
# OmniHTTPd v2.09 of Omnicron (www.omnicron.ca)
# MyWebServer 1.02
# atphttpd-0.4b ?
# IBM Tivoli Management Framework < Currently Fixpack 2 or Patches 3.7.1-TMF-0066
# LCFD process - default port 9495)
# IBM Tivoli Management Framework 3.6.x through 3.7.1 (fixed in 4.1)
# Spider process - default port 94 redirected to another port.
# Lucent Access Point IP Services Router (Formerly known as Xedia Router)
# Oracle9iAS Web Cache/2.0.0.1.0
# TelCondex SimpleWebServer 2.06.20817 Build 3128
# WebServer 4 Everyone
# WebServer 4 Everyone v1.28 (if Host field is set)
# Savant Web Server 3.1 and previous
# WN Server 1.18.2 through 2.0.0 (upgrade to 2.4.4)
# Multitech RouteFinder 550 VPN (upgrade to RF550VPN_V463)
# Web Server 4D/eCommerce 3.5.3
# ZBServer Pro 1.50-r13
# BRS WebWeaver 1.03
# U.S. Robotics Broadband-Router 8000A/8000-2 (USR848000A-02) running firmware version 2.5
# Polycomm ViaVideo Web component 2.2 & 3.0
# GazTek HTTP Daemon v1.4-3
# WebFS 1.20
# UltraVNC <= 1.0.1
#
########################
# References:
########################
#
# Date: Sat, 12 Oct 2002 07:49:52 +0200
# From:"Marc Ruef" <[email protected]>
# To:[email protected]
# Subject: Long URL crashes My Web Server 1.0.2
#
# Date: Sun, 13 Oct 2002 15:00:18 +0200
# From:"Marc Ruef" <[email protected]>
# To:[email protected]
# Subject: Long URL causes TelCondex SimpleWebServer to crash
#
# Date: Mon, 14 Oct 2002 08:27:54 +1300 (NZDT)
# From:[email protected]
# To:[email protected]
# Subject: Security vulnerabilities in Polycom ViaVideo Web component
#
# From:"David Endler" <[email protected]>
# To:[email protected]
# Date: Tue, 15 Oct 2002 13:12:35 -0400
# Subject: iDEFENSE Security Advisory 10.15.02: DoS and Directory Traversal Vulnerabilities in WebServer 4 Everyone
#
# Delivered-To: mailing list [email protected]
# Date: Tue, 10 Sep 2002 15:39:02 -0700
# Message-ID: <[email protected]>
# From: "Foundstone Labs" <[email protected]>
# To: "announce" <[email protected]>
# Subject: Foundstone Labs Advisory - Buffer Overflow in Savant Web Server
#
# From:"David Endler" <[email protected]>
# To: [email protected]
# Date: Mon, 30 Sep 2002 10:09:59 -0400
# Subject: iDEFENSE Security Advisory 09.30.2002: Buffer Overflow in WN Server
#
# From: "Tamer Sahin" <[email protected]>
# To: [email protected]
# Subject: Web Server 4D/eCommerce 3.5.3 DoS Vulnerability
# Date: Tue, 15 Jan 2002 00:35:59 +0200
# Affiliation: http://www.securityoffice.net
#
# From: "Tamer Sahin" <[email protected]>
# To: [email protected]
# Subject: ZBServer Pro DoS Vulnerability
# Date: Tue, 15 Jan 2002 04:44:37 +0200
# Affiliation: http://www.securityoffice.net
#
# Date: Mon, 14 Oct 2002 08:27:54 +1300 (NZDT)
# From: [email protected]
# To: [email protected]
# Subject: Security vulnerabilities in Polycom ViaVideo Web component
#
# Date: Sat, 12 Oct 2002 17:02:31 -0700
# To: [email protected]
# Subject: Pyramid Research Project - ghttpd security advisorie
# From: [email protected]
#
# Date: Tue Apr 04 2006 - 14:24:13 CDT
# To: [email protected]
# Subject: Buffer-overflow in Ultr@VNC 1.0.1 viewer and server
# From: Luigi Auriemma (aluigiautistici.org)
#
########################

include("compat.inc");

if (description)
{
  script_id(10320);
  script_version("1.75");
  script_cvs_date("Date: 2018/08/07 16:46:51");

  script_cve_id(
    "CVE-2000-0002", "CVE-2000-0065", "CVE-2000-0571",
    "CVE-2000-0641", "CVE-2001-0820", "CVE-2001-0836",
    "CVE-2001-1250", "CVE-2002-0123", "CVE-2002-1003",
    "CVE-2002-1011", "CVE-2002-1012", "CVE-2002-1120",
    "CVE-2002-1166", "CVE-2002-1212", "CVE-2002-1905",
    "CVE-2002-2149", "CVE-2003-0125", "CVE-2003-0833",
    "CVE-2004-2299", "CVE-2005-1173", "CVE-2006-1652"
  );
  script_bugtraq_id(
    889, 1423, 2979, 6994, 7067, 7280, 8726, 17378
  );

  script_name(english:"Web Server Long URL Handling Remote Overflow DoS");
  script_summary(english:"Web server buffer overflow");

  script_set_attribute(attribute:"synopsis", value: "The remote web server may be affected by a buffer overflow vulnerability.");
  script_set_attribute(attribute:"description", value: "The remote web server crashes when it receives a too long URL. It might be possible to make it execute arbitrary code through this flaw.");
  script_set_attribute(attribute:"solution", value:"Contact the web server's author / vendor for a patch.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'UltraVNC 1.0.1 Client Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_set_attribute(attribute:"plugin_publication_date", value:"1999/06/22");
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_DENIAL);
  # All the www_too_long_*.nasl scripts were first declared as
  # ACT_DESTRUCTIVE_ATTACK, but many web servers are vulnerable to them:
  # The web server might be killed by those generic tests before Nessus
  # has a chance to perform known attacks for which a patch exists
  # As ACT_DENIAL are performed one at a time (not in parallel), this reduces
  # the risk of false positives.

  script_copyright(english:"This script is Copyright (C) 1999-2018 Tenable Network Security, Inc.");
  script_family(english:"Web Servers");
  script_dependencie('http_version.nasl', 'www_multiple_get.nasl');
  script_require_keys("Settings/ParanoidReport");
  script_require_ports("Services/www",80);
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

if (report_paranoia < 2) audit(AUDIT_PARANOID);

port = get_http_port(default:80, embedded:1);

if (http_is_dead(port:port))exit(1, "The web server on port "+port+" is dead");

# Try to avoid FP on CISCO 7940 phone
max = get_kb_item('www/multiple_get/'+port);
if (max)
{
  imax = max * 2 / 3;
  if (imax < 1)
    imax = 1;
  else if (imax > 5)
    imax = 5;
}
else
  imax = 5;
debug_print('imax=',imax,'\n');

# vWebServer and Small HTTP are vulnerable *if* the URL is requested
# a couple of times. Ref: VULN-DEV & BUGTRAQ (2001-09-29)
for (i = 0; i < imax; i = i + 1)
{
  r = http_send_recv3(port: port, method: 'GET', item: strcat('/', crap(65535)));
}

if(http_is_dead(port: port, retry:3))
{
  security_hole(port);
  set_kb_item(name:"www/too_long_url_crash", value:TRUE);
}
```

NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-392.NASL |
description | Jens Steube reported two vulnerabilities in webfs, a lightweight HTTP server for static content. CAN-2003-0832 - When virtual hosting is enabled, a remote client could specify |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 15229 |
published | 2004-09-29 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/15229 |
title | Debian DSA-392-1 : webfs - buffer overflows, file and directory exposure |
code |

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-392. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(15229);
  script_version("1.24");
  script_cvs_date("Date: 2019/08/02 13:32:17");

  script_cve_id("CVE-2003-0832", "CVE-2003-0833");
  script_bugtraq_id(8724, 8726);
  script_xref(name:"DSA", value:"392");

  script_name(english:"Debian DSA-392-1 : webfs - buffer overflows, file and directory exposure");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value: "Jens Steube reported two vulnerabilities in webfs, a lightweight HTTP server for static content. CAN-2003-0832 - When virtual hosting is enabled, a remote client could specify '..' as the hostname in a request, allowing retrieval of directory listings or files above the document root. CAN-2003-0833 - A long pathname could overflow a buffer allocated on the stack, allowing execution of arbitrary code. In order to exploit this vulnerability, it would be necessary to be able to create directories on the server in a location which could be accessed by the web server. In conjunction with CAN-2003-0832, this could be a world-writable directory such as /var/tmp."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2003/dsa-392"
  );
  script_set_attribute(
    attribute:"solution",
    value: "For the current stable distribution (woody) these problems have been fixed in version 1.17.2. We recommend that you update your webfs package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:webfs");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2003/09/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
  script_set_attribute(attribute:"vuln_publication_date", value:"2003/09/30");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (deb_check(release:"3.0", prefix:"webfs", reference:"1.17.2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```