Users login

Create an account »


Users login

Home » Hacking News » Savant 3.1 multiple vulnerabilities

Savant 3.1 multiple vulnerabilities

by Nikola Strahija on September 14th, 2002 Savant webserver is an OpenSource webserver that runs on Win32. It's a very interesting server but has some security issues a lot being old unpatched bugs. One of these, for example, is a directory traversal bug that has been founded on 2.1 version but seems to still exist on this 3.1 (over a year ago!). Unfortunally I have contacted the vendor two times from August the 23rd but I have not yet received a response.

2) Bug

A] Cgitest.exe overflow

The cgitest.exe program that is inserted by default in the cgi-bin
directory is vulnerable to a buffer-overflow.
The limit of acceptable characters is 128 so we need to send only 136
bytes for overwrite EBP and EIP registers and crash the server.
I don't think is possible to write a good shellcode in this case
because the bytes that go into the stack are few, however an
interesting and simple thing is to point the EIP register to
KERNEL32.DLL->ReadFile, because the server will crash totally and the
administrator will get a nice blue screen (tested on Win9x).
During the blue screen the port 80 will stay opened but the server will
not answers to client requests.

B] Content-Length crash

A nice DoS is the negative Content-Length value. The value that Savant
waits from the user is an integer and when the attacker sends a
negative number the server will crash.
However until the Windows error message is not acknowledged the server
will continue to run without problems.

C] Authorization bypassing

Uhmm the usual Win32 API problem is again our best friend and this time
it gives us access to all of the user folders in Savant server.
So adding the chars ' ' (%20) and '.' (%2e) at the end of the filename
requested we will gain full access to the password protected folders.
The other good news is that the limit of the network class is
authorized to access to the folder can be bypassed without problems
with this method (so if the admin has a set class D only access, the
attacker with any IP have full access without respecting this limit).
Note: if we want to use the space (' ') char, we must add also the '/'
char after it.


3) The Code

A] Cgitest.exe overflow

Check my web page for a tiny example that causes a blue screen and
server crash (so crash all the server and not only the single
connection). I have simply written the EIP 00409430 (that point to
KERNEL32.DLL->ReadFile but you can use KERNEL32.DLL->WriteFile too) for
having a bad DoS that crashes the server and give blue screen.

Usage: nc 80 -v -v -n

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »