
Penetration Testing mailing list archives
Re: 3 pigs building web servers? hacker wolf?
From: ghandi <ghandi () mindless com>
Date: Tue, 19 Jun 2001 00:29:30 -0600 (MDT)
On Mon, 18 Jun 2001, Robert Shea wrote:

> Is anyone at all familiar with the BrickServer system? (http://brickserver.com/) I have looked over their site and the whole thing looks pretty questionable, but a new client of ours runs it. I have only been able to find the thttpd DoS issue.
>
> thank you,
> robert

There are several problems with the BrickServer system. The version of thttpd shipped with it has several more issues, including web directory listings (http://www.example.com/%2e%2e/), including cgi-bin (http://www.example.com/%2e%2e/cgi-bin/), and arbitrary file disclosure (http://www.securityfocus.com/bid/1737). Of course, the files that can be read are subject to the Process-Based Security ACLs. But, as the webserver process needs to read .htpasswd files and cgi scripts, those are readable and can be leveraged to gain further access.

Process-Based Security fails when the security of the process is weak. On the system, many things run as UID = 0 (root), but are limited by the PBS Access Control Lists. From shell access to the system, there used to be at least a couple of ways to bypass PBS. IIRC, /proc tricks were used back when SAGE had a hack-for-cash challenge. I wouldn't be surprised if there were still a couple of ways a UID = 0 process could escape the restrictions of PBS. Have they wrapped EVERY system call or entry point? Not even Trusted Solaris got them all. From their white paper (URL below), it seems that the ACLs are defined on a process name or path; there may be a way to fool this. I would investigate procfs, signals, mknod, chroot, exec (where file, path != argv[0]), etc.

Their white paper on PBS is at http://www.3rdpig.com/white%20paper.zip. Note their confusion on the difference between memory leaks and buffer overflows.

Anyway, the last version of the system I used was at DEF CON 7, so things may have changed a bit. It would be nice if their Linux kernel patches were released for peer review, but unfortunately that is not the case.

--
ghandi / ghandi () mindless com / www.dopesquad.net
"Bein' Crazy is the least of my worries." - Jack Kerouac
C439 2B06 D8D2 A2D8 1ABB 0A55 A61D 9057 63F5 9B1F
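The thttpd weakness ghandi describes is that percent-encoded dot segments (`/%2e%2e/`) were not treated as `..` when the request path was mapped onto the document root, so encoded requests escaped the web root or listed directories that a literal `/../` would not. The following is an added example written for this reply, not code from the thread, from thttpd or from BrickServer: it shows the decode-then-normalize check a server needs so that encoded and double-encoded traversal resolves to a rejection, and runs the same check over a few constructed access-log lines so a defender can find such requests in their own logs. The document root `/var/www/htdocs`, the log lines and the client addresses are assumptions made for the example.

```python
"""Added example, not from the original thread: path normalization that resolves
percent-encoded dot segments before mapping a request onto the document root,
plus a scanner that flags such requests in common-log-format access logs.
The web root, log lines and request paths are constructed sample data."""
import posixpath
import re
from urllib.parse import unquote

WEBROOT = "/var/www/htdocs"  # assumed document root for the example

# client, method, path, status from a common-log-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def decode_path(raw, max_rounds=3):
    """Percent-decode until the string stops changing, so a double-encoded
    dot (%252e -> %2e -> .) is resolved as well as a single-encoded one."""
    path = raw
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def resolve_request(raw_path, webroot=WEBROOT):
    """Map a request path onto the filesystem.

    Returns (True, absolute path under webroot) for an acceptable request,
    or (False, reason) when the request must be refused.  Decoding happens
    first, so an encoded '..' is seen as a dot-dot segment, which is exactly
    the step the vulnerable thttpd build skipped."""
    path = decode_path(raw_path.split("?", 1)[0])
    if "\x00" in path:
        return False, "NUL byte in path"
    segments = [s for s in path.split("/") if s]
    if ".." in segments:
        # Any attempt to climb is refused outright rather than silently
        # clamped, so it shows up in logs as an error instead of a 200.
        return False, "dot-dot segment after decoding"
    target = posixpath.normpath(posixpath.join(webroot, *segments))
    # Defense in depth: whatever normpath produced must still sit under the root.
    if target != webroot and not target.startswith(webroot + "/"):
        return False, "resolves outside document root"
    return True, target


# Constructed sample log; the 10.0.0.9 lines mimic the encoded-dot requests
# from the reply, and their 200 status is what a vulnerable server would log.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jun/2001:00:12:01 -0600] "GET /index.html HTTP/1.0" 200 1043
10.0.0.9 - - [19/Jun/2001:00:12:07 -0600] "GET /%2e%2e/ HTTP/1.0" 200 2210
10.0.0.9 - - [19/Jun/2001:00:12:09 -0600] "GET /%2e%2e/cgi-bin/ HTTP/1.0" 200 812
10.0.0.9 - - [19/Jun/2001:00:12:15 -0600] "GET /cgi-bin/..%2f..%2f.htpasswd HTTP/1.0" 200 97
10.0.0.5 - - [19/Jun/2001:00:13:02 -0600] "GET /images/logo.gif HTTP/1.0" 304 -
""".splitlines()


def scan_log(lines):
    """Return (client, raw path, status, reason) for every request that the
    hardened resolver would refuse.  A refused path that the server answered
    with 200 means the server in question did not apply this check."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        client, _method, raw_path, status = m.groups()
        ok, detail = resolve_request(raw_path)
        if not ok:
            hits.append((client, raw_path, int(status), detail))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The order of operations is the whole point: decode every percent-escape first, then look for `..` segments, then confirm the joined path still lies under the root. Checking for a literal `..` before decoding is what lets `%2e%2e` through. When reviewing a server's own logs, a traversal-shaped request that received a 200 rather than a 4xx is the indicator that the build in use does not perform this check.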