Security Advisory B013 - Xitami Web Server v2.5c2 Multiple Vulnerabilities
==================

Release Date: April 3 2008

Impact: A remote user can cause a Denial of Service and possibly execute arbitrary code on a target computer running Xitami Web Server v2.5c2

Vendor URL: http://www.xitami.com/

Vulnerable Versions: Tested on v2.5c2 for Windows, other versions are probably vulnerable as well.

Description:
Xitami Web Server is a small, fast, and powerful multiplatform Open Source Web Server.
Multiple format string vulnerabilities have been found in Xitami. They exist because of the way Xitami uses the SMT kernel (Simple Multi Threading kernel, another iMatix product): some user-supplied data ends up being passed as the format argument to the vsnprintf() and vsprintf() calls inside the SMT kernel's sendfmt() function.

1st vulnerability: LRWP Request Processing Format String
Beginning with version 2.2a, Xitami includes a persistent CGI extension called LRWP (Long Running Web Process). LRWP is written as a WSX agent which implements a simple protocol for communicating with external processes called Peers. The peer process simply waits for requests to come from Xitami and then responds with a valid HTTP response, just like a CGI program.
A format string vulnerability exists in Xitami's code that logs the LRWP requests. This vulnerability may permit an attacker to execute arbitrary code, or at least cause a DoS, on a target machine running a vulnerable version of Xitami Web Server.
The format string can be triggered by sending a special request to the service (which listens by default on TCP port 81) in the form of:
    "%s*100" + "\xFF" + "somestring" + "\xFF"
another example:
    "%n" + "\xFF" + "somestring" + "\xFF"

A PoC exploit has been released at http://www.bratax.be/


As mentioned before, this bug is not actually located in Xitami itself, but is caused by the way Xitami uses the vendor's "SMT kernel".
Looking at the source code, Xitami calls the sendfmt() function in xilrwp.c:

    /* Log peer connection: the peer name comes from the remote side */
    sendfmt (&operq, "INFO",
             LRWP_NAME ": Peer %s connected for %s host",
             tcb->rtr->name, tcb->rtr->vhost);

Inside sendfmt(), the user-controlled string (tcb->rtr->name) is passed on to vsnprintf() or vsprintf(), allowing a malicious user to provide his own format strings:

    #if (defined (DOES_SNPRINTF))
        /* user-controlled text reaches the format argument here */
        vsnprintf (formatted, 4096, format, argptr);
    #else
        vsprintf  (formatted, format, argptr);
    #endif

2nd vulnerability: Server Side Includes (SSI) Request Processing Format String
SSI is a simple server-side scripting language used almost exclusively for the web.
Xitami provides a standard SSI filter and, by default, recognises any document with extension '.ssi', '.shtm', or '.shtml' as an SSI document.
A format string vulnerability exists in Xitami's code that logs the SSI requests. This vulnerability may permit an attacker to execute arbitrary code, or at least cause a DoS, on a target machine running a vulnerable version of Xitami Web Server.
The format string can be triggered by requesting the following two URLs one after the other on the web server (which listens by default on TCP port 80):
http://localhost/%25n.ssi
http://localhost/testssi.ssi

Solution:
A possible solution is to validate the data before it is passed to sendfmt(), so that no user-supplied text containing format directives reaches it.
Another solution is to change sendfmt() itself, so that the text it handles can no longer end up as the format argument of vsnprintf() or vsprintf().
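Both fixes in working code, as an added example that is not Xitami's or the SMT kernel's own source: a reject check and a '%'-doubling neutraliser for data headed to sendfmt() (the first solution), run on the decoded request path so that the SSI trigger's %25n is seen as %n, and a sendfmt()-style formatter that formats exactly once and afterwards treats the message only as data (the second solution). Function names, buffer sizes and the "LRWP" label are assumptions modelled on the advisory's log line.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Xitami/SMT code; names, sizes and the "LRWP" label are
   assumptions modelled on the advisory's log line. */

/* Solution 1a, reject: 1 if `s` holds a printf directive ('%' not followed by
   another '%'). Data headed for a format function must not contain one. */
int has_format_directive(const char *s)
{
    for (const char *p = s; *p != '\0'; p++) {
        if (*p == '%' && *++p != '%')   /* "%%" is a literal '%' */
            return 1;
    }
    return 0;
}

/* Solution 1b, neutralise: copy `in` to `out`, doubling every '%' so a later
   vsnprintf()/vsprintf() pass prints it literally. Length written, or -1. */
int escape_percent(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (const char *p = in; *p != '\0'; p++) {
        size_t need = (*p == '%') ? 2 : 1;
        if (o + need >= outlen)       /* keep room for the terminating NUL */
            return -1;
        out[o++] = *p;
        if (*p == '%')
            out[o++] = '%';
    }
    out[o] = '\0';
    return (int)o;
}

static int hexval(int c)
{
    static const char digits[] = "0123456789abcdef";
    const char *d = c ? strchr(digits, tolower(c)) : NULL;
    return d ? (int)(d - digits) : -1;
}

/* Decode %XX escapes as the server does before its SSI filter sees the path:
   "/%25n.ssi" becomes "/%n.ssi", so checks must run on the decoded form.
   Returns the decoded length, or -1 on a bad escape or short buffer. */
int url_decode(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (const char *p = in; *p != '\0'; p++) {
        int c = (unsigned char)*p;
        if (c == '%') {
            int hi = hexval((unsigned char)p[1]);
            int lo = (hi < 0) ? -1 : hexval((unsigned char)p[2]);
            if (hi < 0 || lo < 0)
                return -1;
            c = hi * 16 + lo;
            p += 2;
        }
        if (o + 1 >= outlen)
            return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Solution 2: a sendfmt()-style pair that formats exactly once. The caller's
   format is a literal; the message it yields is handled only as data. */
int format_event(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);   /* the single formatting pass */
    va_end(ap);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Sink side: constant format, message behind "%s". The advisory's bug is the
   equivalent of snprintf(out, outlen, msg), which must never be written. */
int deliver_event(char *out, size_t outlen, const char *level, const char *msg)
{
    int n = snprintf(out, outlen, "%s: %s", level, msg);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* The advisory's "Peer %s connected" line built the safe way. Returns a
   pointer to a static buffer (demo only, not thread-safe) or NULL. */
const char *log_peer_connected(const char *peer, const char *vhost)
{
    static char msg[256], line[300];
    if (format_event(msg, sizeof msg, "LRWP: Peer %s connected for %s host", peer, vhost) < 0)
        return NULL;
    if (deliver_event(line, sizeof line, "INFO", msg) < 0)
        return NULL;
    return line;
}
```

url_decode() matters for the SSI case because the trigger arrives as %25n: a check on the raw request line would never see the %n. escape_percent() is the choice when the log message must still pass through an existing sink that formats a second time, while has_format_directive() is the stricter policy for fields such as the LRWP peer name where the operator decides a '%' has no legitimate use. Note that log_peer_connected("%n%n", "www") yields a message that has_format_directive() still flags, which is exactly why that message must only ever travel behind a "%s".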

Status:
Initial vendor contact: Sunday, March 30, 2008.
Initial vendor response: Monday, March 31, 2008.
As the xitami project is abandoned, the vendor asked to make this information available to xitami users via the vendor's wiki.
Public release: Wednesday, April 3, 2008.