-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA1 Core Security Technologies - CoreLabs Advisory http://www.coresecurity.com/corelabs/Multiple Vulnerabilities with 8.3 Filename Pseudonyms in Web Servers1. *Advisory Information*Title: Multiple Vulnerabilities with 8.3 Filename Pseudonyms in Web ServersAdvisory Id: CORE-2010-0121Advisory URL:http://www.coresecurity.com/content/filename-pseudonyms-vulnerabilitiesDate published: 2010-02-05Date of last update: 2010-02-05Vendors contacted: Cherokee team, Nginx team, Mongoose teamRelease mode: User release2. *Vulnerability Information*Class: Improper Handling of Exceptional Conditions [CWE-755], Pathtraversal [CWE-22]Impact: Security bypassRemotely Exploitable: YesLocally Exploitable: NoBugtraq ID: N/ACVE Name: N/A3. *Vulnerability Description*When a file is created on a Windows system, a DOS-compatible 8.3 shortfile name (hereafter referred to as '8.3 alias') is generated forbackwards compatibility reasons. Both names can be used to refer to thesame file. Applications which allow users to specify file names onWindows systems should be aware of these aliases and handle themappropriately.Often, by using 8.3 aliases for files, one can bypass IDS/IPS detection,and evade filters and file restrictions. This can be a result of thefact that only the long versions of file and folder names will berestricted and the alias will not match the long filename.Referencing files using their 8.3 aliases can even change how the filesare handled, due to truncation of the file extension in the event thatthe file extension is longer than three characters. This problem isexacerbated by the fact that intermediary systems used for things likeload balancing and caching do not have access to the actual file systembeing accessed and need to convert any filenames and pathnames withrestrictions to their 8.3 alias before comparing to user data, which,given the presence of other files or folders on the system with similarnames, may not be possible.This advisory describes multiple vulnerabilities based on quirks in howWindows handles file names. The affected software is the Windows versionof the following web servers: . Nginx Web Server [1]. The way Nginx handles files may differ whenthey are requested using their 8.3 alias, and short file or path namesare not correctly handled when applying file handling rules or accessrestrictions. By abusing of these flaws an attacker can bypass securityoptions implemented in the web server. For instance, 'file.shtml' willbecome 'FILE~1.SHT'. This will cause the file to be handled as a '.sht'file, not a '.shtml' file. The result of this is that instead ofprocessing SSI directives as would normally be the case with a '.shtml'file, the file would be served unprocessed. Additionally, Nginx does notcorrectly handle extraneous spaces after file extensions when applyingpreprocessing rules or access restrictions. . Cherokee Web Server [2]. On Cherokee Web Server for Windows, shortfile and folder names are not correctly handled when applying filehandling rules, IP access restrictions or authentication rules.Extraneous trailing spaces in file names are not correctly handled whenapplying file handling rules or access restrictions. By abusing of theseflaws, Cherokee configuration folders can be accessed from any IP,without authentication bypassing the web server security protectionmechanisms. . Mongoose Web Server [3]. Mongoose does not correctly handle Windowsshort file names (and folder names) when applying preprocessing rules oraccess restrictions. As a result, an attacker can bypass the web serversecurity protection mechanisms, and protected files can be accessedunprocessed without authentication. . LightTPD Web Server. The WLMP build of LightTPD for Windows [4]does not correctly handle Windows short file or path names when applyingpreprocessing rules, file extension restrictions or access restrictions.It also does not correctly handle extraneous trailing periods whenapplying file extension restrictions, but does properly applypreprocessing rules.4. *Vulnerable packages* . Nginx Web Server v0.7.63 . Nginx Web Server v0.8.29 . Cherokee Web Server v0.99.28 . Mongoose Web Server v2.8 . WLMP web server package for Windows v1.1.6.1171 . Older versions are probably affected too, but they were not checked.5. *Non-vulnerable packages* . Nginx Web Server v0.8.33 . Contact Cherokee, Mongoose and WLMP Web Server projects foradditional information.6. *Vendor Information, Solutions and Workarounds*Attacks using 8.3 aliases can be mitigated by turning off 8.3 aliasgeneration, by setting the value of 'NtfsDisable8dot3NameCreation' to 1in 'HKLM/System/CurrentControlSet/Control/FileSystem'.7. *Credits*These vulnerabilities were discovered and researched by Dan Crowley fromCore Security Technologies.8. *Technical Description / Proof of Concept Code*8.1. *Nginx Web Server*The following configuration snippet for Nginx Web Server will processany file with an extension of '.phtml' or '.php' by passing it toanother service running locally on port 8080 for processing. It willdeny requests for files beginning with '.ht' and the directory'longfoldername'./-----location ~ /.php$ {proxy_pass http://127.0.0.1:8080;}location ~ /.phtml$ {proxy_pass http://127.0.0.1:8080;}location ~ //.ht {deny all;}#deny longfoldername directory explicitlylocation ~ /longfoldername/ {deny all;}- -----/ The 'longfoldername' folder can be accessed when using the following URI:/-----http://www.example.com/LONGFO~1/- -----/ Files denied by matching the extension or the file name can be accessedusing a similar technique. A file named '.htpasswd' could be retrievedas demonstrated below:/-----http://www.example.com/HTPASS~1- -----/ Nginx Web Server will serve the unprocessed source code for filesnormally intended to be preprocessed when using URIs similar to thefollowing (these examples assume the presence of the files 'file.phtml'and 'file.php':/-----http://www.example.com/FILE~1.PHThttp://www.example.com/file.php%20- -----/ Similarly, if a file can be uploaded whose extension, when truncated tothree characters, matches an extension which Nginx is set to process ascode, it can be run as code by referring to it with an 8.3 alias. Forinstance, if a file named 'file.phpx' is uploaded to the webroot, it canbe executed as PHP code with the following URI:/-----http://www.example.com/FILE~1.PHP- -----/8.2. *Cherokee Web Server*The following configuration snippet for Cherokee Web Server will allowonly requests from '1.2.3.4' to reach the directory 'longfoldername' andadditionally, requires a password defined in '/ProgramFiles/Octality/Cherokee/etc/passwd' in order to gain access./-----vserver!1!rule!1!match = directoryvserver!1!rule!1!match!directory = /longfoldernamevserver!1!rule!1!match!allow_from = 1.2.3.4vserver!1!rule!1!auth = plainvserver!1!rule!1!auth!methods = basicvserver!1!rule!1!auth!passwdfile = /ProgramFiles/Octality/Cherokee/etc/passwdvserver!1!rule!1!auth!realm = secret- -----/ The folder can be accessed from any IP, without authentication, whenaccessing the file using either of the following URIs:/-----http://www.example.com/longfoldername./http://www.example.com/LONGFO~1/- -----/ Files denied by matching the extension or the file name can be accessedusing similar techniques, as demonstrated below:/-----http://www.example.com/longfilename.inc.http://www.example.com/longfilename.inc%20http://www.example.com/LONGFI~1.INC- -----/In the following rule, the extensions '.php' and '.phtml' are bothconfigured to be handled by FastCGI and preprocessed before being served./-----vserver!1!rule!99999!match = extensionsvserver!1!rule!99999!match!extensions = php,phtmlvserver!1!rule!99999!encoder!gzip = 1vserver!1!rule!99999!handler = fcgivserver!1!rule!99999!handler!balancer = round_robinvserver!1!rule!99999!handler!balancer!source!1 = 1- -----/ Cherokee Web Server will serve the unprocessed source code for thesefile extensions when using URIs similar to the following:/-----http://www.example.com/EXAMPL~1.PHThttp://www.example.com/example.phtml%2ehttp://www.example.com/example.php%20- -----/ Similarly, if a file can be uploaded whose extension, when truncated tothree characters, matches an extension which Cherokee is set to processas code, it can be run as code by referring to it with an 8.3 alias. Forinstance, if a file named 'file.phpx' is uploaded to the webroot, it canbe executed as PHP code with the following URI:/-----http://www.example.com/FILE~1.PHP- -----/8.3. *Mongoose Web Server*The following configuration snippet will cause Mongoose to process fileswith extensions of '.php' or '.phtml' as PHP code, and files withextensions of '.shtml' will be processed for SSI directives. It willalso require a password (stored in 'C:/passwords.txt') when attemptingto access the folder '/longfoldername'./-----cgi_extphp,phtmlssi_extshtmlprotect/longfoldername/=C:/passwords.txt- -----/ Given that the files 'file.phtml' and 'file.shtml' exist and the folder'/longfoldername' exists, these items can be accessed unprocessed,without authentication, using the following URIs:/-----http://www.example.com/LONGFO~1/http://www.example.com/FILE~1.PHThttp://www.example.com/FILE~1.SHT- -----/ Similarly, if a file can be uploaded whose extension, when truncated tothree characters, matches an extension which Mongoose is set to processas code, it can be run as code by referring to it with an 8.3 alias. Forinstance, if a file named 'file.phpx' is uploaded to the webroot, it canbe executed as PHP code with the following URI:/-----http://www.example.com/FILE~1.PHP- -----/8.4. *LightTPD Web Server (WLMP package)*The following configuration snippet for WLMP will forbid any file withthe extensions '.inc' or '.exte', attempt to process files with a'.phtml' or '.php' extension for PHP code, and authenticate usersattempting to access the directory '/longfoldername'./-----## deny access the file-extensions## ~ is for backupfiles from vi, emacs, joe, ...# .inc is often used for code includes which should in general not be part# of the document-rooturl.access-deny = ( ".inc", ".exte" )# which extensions should not be handle via static-file transfer## .php, .pl, .fcgi are most often handled by mod_fastcgi or mod_cgistatic-file.exclude-extensions = ( ".phtml" )#### CGI modulecgi.assign = ( ".phtml"=> "C:/WLMP/PHP/php-cgi.exe", ".php"=>"C:/WLMP/PHP/php-cgi.exe" )auth.backend = "plain"auth.backend.plain.userfile = "C:/WLMP/LightTPD/conf/lighttpd-auth.conf"auth.require = ( "/longfoldername/" =>("method" => "basic","realm" => "Restricted folder","require" => "user=admin"))- -----/ The folder '/longfoldername' can be accessed without authentication,when accessing the file using the following URI:/-----http://www.example.com/LONGFO~1/- -----/ The unprocessed contents of a '.inc', '.phtml', or '.exte' file underthis configuration could be accessed using URIs like the following(these URIs assume files named 'file.inc', 'longfilename.exte' and'file.phtml' exist:/-----http://www.example.com/file.inc.http://www.example.com/longfilename.exte%20http://www.example.com/FILE~1.PHT- -----/ Similarly, if a file can be uploaded whose extension, when truncated tothree characters, matches an extension which LightTPD is set to processas code, it can be run as code by referring to it with an 8.3 alias. Forinstance, if a file named 'file.phpx' is uploaded to the webroot, it canbe executed as PHP code with the following URI:/-----http://www.example.com/FILE~1.PHP- -----/9. *Report Timeline*. 2010-01-12:Core Security Technologies notifies the Cherokee, Nginx and Mongooseteams of the vulnerability. Core also informs that Dan Crowley will begiving a presentation explaining these flaws at the security conferenceShmoocon 2010 [5].. 2010-01-12:The Cherokee and Mongoose teams ask Core for a technical description ofthe vulnerability.. 2010-01-12:Technical details sent to Cherokee and Mongoose teams by Core.. 2010-01-12:Cherokee team notifies Core that the issues have been evaluated andconsidered security vulnerabilities. Cherokee team also informs us thatthey are not currently shipping Windows binaries because they are awareof all this sort of issues. The Windows port has not received muchattention for the last few years and it is far from being ready forproduction. Cherokee team also states that they will link Core advisoryfrom their bug-tracker as soon as it is published. Currently the Windowsport is still low-priority for Cherokee project.. 2010-01-13:The Nginx team asks Core for a technical description of the vulnerability.. 2010-01-13:Technical details sent to Nginx team by Core.. 2010-01-15:Nginx team informs us that the investigation about the reported issueshas finished, the issues have been evaluated and Nginx team agrees thatthey are security vulnerabilities. The Nginx team also notifies us thatthey will fix it in next versions that will be released on Jan 18 or 25.. 2010-02-01:Nginx team releases a new version of the web server (nginx-0.8.33) [6].. 2010-02-05:The flaws are disclosed by Dan Crowley at the security conferenceShmoocon 2010 [5].. 2010-02-05:The advisory CORE-2010-0121 is published.10. *References*[1] Nginx Web Server. http://wiki.nginx.org/.[2] Cherokee Project. http://www.cherokee-project.com/.[3] Mongoose project. http://code.google.com/p/mongoose/.[4] WMLP project. http://en.wlmp-project.net/.[5] Shmoocon 2010. http://www.shmoocon.org/presentations-all.html.[6] Nginx mail list.http://nginx-maillist.blogspot.com/2010/02/nginx-0833.html.11. *About CoreLabs*CoreLabs, the research center of Core Security Technologies, is chargedwith anticipating the future needs and requirements for informationsecurity technologies. We conduct our research in several importantareas of computer security including system vulnerabilities, cyberattack planning and simulation, source code auditing, and cryptography.Our results include problem formalization, identification ofvulnerabilities, novel solutions and prototypes for new technologies.CoreLabs regularly publishes security advisories, technical papers,project information and shared software tools for public use at:http://www.coresecurity.com/corelabs.12. *About Core Security Technologies*Core Security Technologies develops strategic solutions that helpsecurity-conscious organizations worldwide develop and maintain aproactive process for securing their networks. The company's flagshipproduct, CORE IMPACT, is the most comprehensive product for performingenterprise security assurance testing. CORE IMPACT evaluates network,endpoint and end-user vulnerabilities and identifies what resources areexposed. It enables organizations to determine if current securityinvestments are detecting and preventing attacks. Core SecurityTechnologies augments its leading technology solution with world-classsecurity consulting services, including penetration testing and softwaresecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, CoreSecurity Technologies can be reached at 617-399-6980 or on the Web athttp://www.coresecurity.com.13. *Disclaimer*The contents of this advisory are copyright (c) 2010 Core SecurityTechnologies and (c) 2010 CoreLabs, and may be distributed freelyprovided that no fee is charged for this distribution and proper creditis given.14. *PGP/GPG Keys*This advisory has been signed with the GPG key of Core SecurityTechnologies advisories team, which is available for download athttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.-----BEGIN PGP SIGNATURE-----Version: GnuPG v1.4.8 (MingW32)Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/iEYEARECAAYFAktsincACgkQyNibggitWa3Z5ACfYMSjRozwndnvWAldcCRo5W5CkUEAnjY2dmFWup/6s1GV9vALr3u1Wbfy=MTyQ-----END PGP SIGNATURE-----_______________________________________________Full-Disclosure - We believe in it.Charter: http://lists.grok.org.uk/full-disclosure-charter.htmlHosted and sponsored by Secunia - http://secunia.com/
