Zeus Vulnerabilities

Created 10/29/02
CVE 1999-0883
CVE 1999-0884
CVE 2000-0149

Impact

Multiple vulnerabilities could allow a remote attacker to perform unauthorized actions on the server.

Background

Zeus Web Server is a scalable web server available for a variety of UNIX-based platforms.

The Problems


Possible Remote root Compromise

CVE 1999-0883
CVE 1999-0884
There are two vulnerabilities in the Zeus Web Server that, when exploited in combination, can lead to a remote root compromise.

The Zeus Web Server provides a search CGI program that accepts server filesystem paths as its arguments. As a result, it is possible to display any file to which the server has access. In this way, an attacker can obtain the web server configuration file and, with it, the password hash for the admin user.

The second vulnerability is that the Zeus Web Server administrative interface uses weak encryption for its passwords. Once a password for the admin user is cracked, it is possible to execute arbitrary commands through the web-based configuration interface as root.

Zeus Web Server versions 3.3.1 and 3.3.2 are vulnerable.


Null Terminated Strings Vulnerability

CVE 2000-0149
If the CGI module option "allow CGIs anywhere" is enabled, a remote attacker could view the contents of CGI scripts that are not located in directories designated as "executable" (e.g., \cgi-bin is an "executable" directory). This vulnerability is exploited by appending "%00" (null character) to the end of a CGI script file name.

Zeus Web Server versions 3.1.1 through 3.3.5 are vulnerable. Version 3.3.5a is not vulnerable.
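
To check whether a server was probed for this issue, the access log can be searched for request paths that carry an encoded null character. The following is an added example, not part of the original advisory or of Zeus itself; it assumes access logs in Common Log Format, the function name and sample lines are constructed for illustration, and the double-encoded form "%2500" is an extra check beyond what the advisory describes.

```python
import re
from urllib.parse import urlsplit

# Common Log Format (assumed): host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Encoded NUL as it appears in a logged request line. %2500 is the
# double-encoded form (an addition here, useful when a proxy decodes once).
NUL = re.compile(r'%00|%2500')

def find_null_byte_requests(lines):
    """Return one finding per request whose URL path carries an encoded NUL."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = CLF.match(line)
        if not m:
            continue  # not a request line this parser understands
        path = urlsplit(m["target"]).path  # ignore the query string
        hit = NUL.search(path)
        if not hit:
            continue
        findings.append({
            "line": lineno,
            "host": m["host"],
            "path": path,
            # text before the NUL is the script name the request refers to
            "file": path[:hit.start()],
            # 200 with a non-empty body: content was returned, review as disclosure
            "served": m["status"] == "200" and m["size"] not in ("-", "0"),
        })
    return findings

# Constructed sample log lines (documentation addresses, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Oct/2002:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [29/Oct/2002:10:01:09 +0000] "GET /scripts/report.cgi%00 HTTP/1.0" 200 2210',
    '198.51.100.7 - - [29/Oct/2002:10:01:15 +0000] "GET /cgi-bin/form.cgi%00 HTTP/1.0" 404 -',
    '203.0.113.5 - - [29/Oct/2002:10:02:00 +0000] "GET /search?q=%00 HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for finding in find_null_byte_requests(SAMPLE_LOG):
        print(finding)
```

Findings with "served" set to True are the ones to review first, since the server answered with content; any script named in "file" should be treated as disclosed, including credentials or paths embedded in it.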

Resolution

Upgrade to the latest version of Zeus Web Server, or at least to version 3.3.5a.

Where can I read more about this?

Possible remote root compromise is discussed in Bugtraq ID 742. The Null terminated strings vulnerability is discussed in Bugtraq ID 977.