Webhits.dll arbitrary file retrieval Vulnerability

From: Maverick The Techie (seclists4maverick@gmail.com)
Date: Thu Mar 03 2005 - 02:25:22 EST


Respected Members,

When I was doing a web server scan through Nikto on my website, it
reported that the files "/scripts/samples/search/qfullhit.htw" &
"/scripts/samples/search/qsumrhit.htw" are vulnerable to the
"Webhits.dll arbitrary file retrieval Vulnerability".

When I researched on Google, I found this bug's advisory by David
Litchfield and he says that "Even if you have no .htw files on your
system you're probably still vulnerable! A quick test to show if you
are vulnerable:
go to http://YOUR_WEB_SERVER_ADDRESS_HERE/nosuchfile.htw
If you receive a message stating the "format of the QUERY_STRING
is invalid" you _are_ vulnerable."

When I typed this URL into IE (www.acme.com/nosuchfile.htw), I got
this response:

"The format of QUERY_STRING is invalid." which proved that the web
server was vulnerable to this vulnerability.
So I tried to exploit it via netcat after reading the rest of the
advisory; I tried this in netcat:

E:\nc11nt>nc -v -n 202.xx.xx.208 80
(UNKNOWN) [202.xx.xx.208] 80 (?) open
GET /scripts/samples/search/qfullhit.htw?ciwebhitsfile=/../../winnt/repair/sam._
&cirestriction=none&cihilitetype=full
HTTP/1.0 200 OK
Content-Type: text/html

<HTML>
<BODY>
<p><h3><center>The path specified is incorrect.<BR></center></h3><BR></BODY>
</HTML>
E:\nc11nt>

Though I could not retrieve the SAM file hashes, I still got an HTTP
200 OK message. Now Nikto also says that there is a "Ws_ftp.log" file
on the server. Now I don't have any clue about this file and its location
on the server; some admins say that it contains the FTP user ID and
encrypted password, which is way easy to crack!!

Now is there a way that I can access that log file through the above
vulnerability, or any other files for that matter, because whatever files I
have tried to access using the above way I have got nothing but HTTP
OK messages.
I request you all to kindly explain the method to exploit this bug and
access files, because I am unable to exploit this vulnerability in a
proper way, so unless I know how this bug is exploited, I cannot patch
it; I want to know how to exploit it first before patching it so
that I can know all the avenues a cracker can use to enter my web
server.
Any help would be certainly appreciated.

-=Maverick_12210=-
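An added defensive example, not part of the original post, Nikto or the Litchfield advisory: a short Python scanner over IIS W3C extended log lines that flags the two request patterns the message shows. Any request for a .htw path (even a nonexistent one) means the webhits.dll script mapping is still present, and a ciwebhitsfile value containing ".." is the traversal attempt; the log lines, IP addresses and timestamps are constructed, and the field names follow the standard W3C extended format.

```python
"""Flag Webhits.dll (.htw) probing in IIS W3C extended logs.

Added example, not from the original post. The log content below is
constructed; the two probes mirror the requests described in the message.
"""
import re
from urllib.parse import unquote

# Constructed sample log in W3C extended format (fields named in the header).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-03-03 07:20:01 198.51.100.7 GET /default.htm - 200
2005-03-03 07:20:05 198.51.100.7 GET /nosuchfile.htw - 200
2005-03-03 07:21:10 198.51.100.7 GET /scripts/samples/search/qfullhit.htw ciwebhitsfile=/../../winnt/repair/sam._&cirestriction=none&cihilitetype=full 200
2005-03-03 07:22:30 203.0.113.9 GET /scripts/samples/search/qsumrhit.htw ciwebhitsfile=%2F..%2F..%2Fwinnt%2Frepair%2Fsam._&CiRestriction=none 200
2005-03-03 07:23:00 192.0.2.4 GET /images/logo.gif - 304
"""

# A ".." path component delimited by either slash style (IIS accepts both).
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def classify(entry):
    """Return 'htw-traversal', 'htw-probe', or None for a benign request."""
    if not entry["cs-uri-stem"].lower().endswith(".htw"):
        return None
    # Decode %2F etc. first so encoded traversal is not missed; keys are
    # matched case-insensitively because webhits.dll ignores case.
    query = unquote(entry.get("cs-uri-query", "-"))
    params = {k.lower(): v for k, v in
              (p.split("=", 1) for p in query.split("&") if "=" in p)}
    target = params.get("ciwebhitsfile")
    if target and TRAVERSAL.search(target):
        return "htw-traversal"   # ciwebhitsfile points outside the web root
    return "htw-probe"           # any .htw hit: script mapping still active

def scan(text):
    """Return (client ip, uri stem, label) for every flagged request."""
    findings = []
    for entry in parse_w3c(text):
        label = classify(entry)
        if label:
            findings.append((entry["c-ip"], entry["cs-uri-stem"], label))
    return findings
```

The remediation the finding points at is to remove the .htw application mapping (and the sample search scripts) from IIS rather than to block individual paths.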



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:17 EDT