Pico Server (pServ) Local Information Disclosure

Talk to RedTeam!
+49 241 510081-0

News

19/07/2023
New advisory released: Session Token Enumeration in RWS WorldServer.
12/07/2023
A new version of monsoon has been released. Our new blog post covers the new features and improvements in detail.
05/06/2023
In our new blog post we discuss common misconceptions about login mechanisms using the example of a vulnerability in the web interface of STARFACE PBX.
01/06/2023
New advisory released: STARFACE: Authentication with Password Hash Possible.
30/05/2023
Several advisories for vulnerabilities in the open-source software Pydio Cells released: Unauthorised Role Assignments, Cross-Site Scripting via File Download, Server-Side Request Forgery.
09/05/2023
Today we released our newly developed program resocks. The accompanying blog post covers its usage and technical details.
12/04/2023
Our new blog post describes the approach to integrate our new printer in our office infrastructure aiming to meet our specified security requirements.
10/02/2023
Jens Liebchen held the talk “Physical Security – Wenn Türen zu Firewalls werden” on 7 February 2023 at the Chair for IT Security Infrastructures of the Friedrich-Alexander-Universität Erlangen-Nürnberg. The German language slides are available for download under Publications.
26/01/2023
New advisory released: Skyhigh Security Secure Web Gateway: Cross-Site Scripting in Single Sign-On Plugin.
18/01/2023
Alexander Neumann held the talk „Mitbringsel aus dem Alltag: Star Wars in der niedersächsischen Provinz” at the event “Studierende treffen Alumni und Unternehmensexperten” at the FH Aachen University of Applied Sciences. The German language slides are available for download under Publications.

> Advisories > rt-sa-2005-012 vertical divider

[rt-sa-2005-013]

Back to Overview

[rt-sa-2005-011]

Pico Server (pServ) Local Information Disclosure

RedTeam found a local information disclosure vulnerability in Pico Server (pServ) which results in a local user reading all files on the server with pServ's permissions.

Details
=======

Product: Pico Server (pServ)
Affected Version: 3.3, 3.2(verified), < 3.2 probably too
Immune Version: none
OS affected: all
Security-Risk: low
Remote-Exploit: no
Vendor-URL: http://pserv.sourceforge.net/
Vendor-Status: informed
Advisory-URL: http://www.redteam-pentesting.de/advisories/rt-sa-2005-012
Advisory-Status: published
CVE: CAN-2005-1367 
(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1367 #)




Introduction
============

From http://pserv.sourceforge.net/ 
Pico Server is a small web server. It is meant to be portable and configurable.

* small, portable
* fast
* CGI-BIN support
* auto-indexing of directories
* access and error logging (see p-reporter for an analyzer) * forking or single-connection at choice

Pico Server (pServ) is written in portable C (K&R style so it can compile on older compilers too) and sports several options that by means of #define statements can customize the behavior, the performance and the feature set so to be able to fit better the the requisites.

pServ follows symlinks without checking whether a symlink points outside the webroot.

More Details
============

pServ does not distinguish normal files from symlinks. Unfortunately it does furthermore only check the link itself but not check if the symlink target is still in the webroot. That is why an attacker with access to a directory on the web server (e.g. via ftp) can put a symlink to any file on the server there. He can then retrieve that file (if pServe has the permission to read it) through the web server by navigating his browser to that link. 

Proof of Concept
================

Retrieving /etc/shadow if pServe runs as root:
1. As user go to your web-directory e.g.: cd /usr/local/var/www/userdir
2. Create a link to /etc/shadow: ln -s /etc/shadow
3. Retrieve the shadow file by pointing your browser to http://vuln-host:2000/userdir/shadow

Workaround
==========

pServe should run as a user with minimal privileges. Files that should not be read by unprivileged users should have their permissions set accordingly. 

Fix
===

The problem will not be fixed in the next version of pServ. From version 3.3 on there is a hint in the readme file that informs of this issue. 

Security Risk
=============

The security risk is rated low because an attacker must already have access to the system. Also usually the administrator will run pServ with minimal privileges. On the other hand a user could place a link to some directory (e.g.: / ) without knowing what he is doing.

History
=======

2005-04-29 found 
2005-05-02 first attempt to inform developers
2005-05-02 CAN-number assigned
2005-05-04 second attempt to inform developers
2005-05-16 got the information that the problem will not be fixed. Advisory
published.
2009-05-08 Updated Advisory URL

RedTeam
=======

RedTeam is a penetration testing group working at the Laboratory for Dependable Distributed Systems at RWTH-Aachen University. You can find more Information on the RedTeam Project at
http://www.redteam-pentesting.de