Directory Browsing
Assume a Web application allows a user to access a set of reports. The
path to the reports directory may be something like
web/username/reports. If the username is supplied via a hidden field, an
attacker could insert a bogus username such as ../../../../../WINDOWS.
If the attacker needs to remove the trailing string /reports, then he
can simply insert enough characters so the string is truncated.
Alternatively the attacker might apply the postfix NULL character (%00)
to determine whether this terminates the string.
Different forms of NULL to think about include
PATH%00
PATH[0x00]
PATH[alternate representation of NULL character]
<script></script>%00
Exploitation of a buffer overflow vulnerability in the ActiveX
component packaged with Adobe Systems Inc.'s Acrobat/Acrobat Reader
allows remote attackers to execute arbitrary code.
The problem specifically exists upon retrieving a link of the
following form:
GET /any_existing_dir/any_existing_pdf.pdf%00[long string]
HTTP/1.1
Where [long string] is a malicious crafted long string containing
acceptable URI characters. The request must be made to a web server that
truncates the request at the null byte (%00), otherwise an invalid file
name is specified and a "file not found" page will be returned. Example
web servers that truncate the requested URI include Microsoft IIS and
Netscape Enterprise. Though the requested URI is truncated for the
purposes of locating the file the long string is still passed to the
Adobe ActiveX component responsible for rendering the page. This in turn
triggers a buffer overflow within RTLHeapFree() allowing for an attacker
to overwrite an arbitrary word in memory. The responsible instructions
from RTLHeapFree() are shown here:
0x77F83AE5 MOV EAX,[EDI+8]
0x77F83AE8 MOV ECX,[EDI+C]
...
0x77F83AED MOV [ECX],EAX
The register EDI contains a pointer to a user-supplied string. The
attacker therefore has control over both the ECX and EAX registers used
in the shown MOV instruction.
Successful exploitation allows remote attackers to utilize the
arbitrary word overwrite to redirect the flow of control and eventually
take control of the affected system. Code execution will occur under the
context of the user that instantiated the vulnerable version of Adobe
Acrobat.
An attacker does not need to establish a malicious web site as
exploitation can occur by adding malicious content to the end of any
embedded link and referencing any Microsoft IIS or Netscape Enterprise
web server. Clicking on a direct malicious link is also not required as
it may be embedded within an IMAGE tag, an IFRAME or an auto-loading
script.
Successful exploitation requires that a payload be written such that
certain areas of the input are URI acceptable. This includes initial
injected instructions as well as certain overwritten addresses. This
increases the complexity of successful exploitation. While not trivial,
exploitation is definitely plausible [iDefense].
Consider the following PHP script:
$whatever = addslashes($_REQUEST['whatever']);
include("/path/to/program/" . $whatever . "/header.htm");
A malicious attacker might open the following URL, disclosing the
boot.ini file:
http://localhost/phpscript.php?whatever=../../../../boot.ini%00
Description
