[Full-Disclosure] [SCSA-018] Disclosure of authentication information in Sambar Server

From: Gregory LEBRAS (gregory.lebras@security-corporation.com)
Date: 04/24/03

    From: "Gregory LEBRAS" <gregory.lebras@security-corporation.com>
    To: "Full Disclosure Mailing List" <full-disclosure@lists.netsys.com>
    Date: Thu, 24 Apr 2003 00:42:40 +0200
    

    ======================================================================
    Security Corporation Security Advisory [SCSA-018]

    Disclosure of authentication information in Sambar Server
    ======================================================================

    PROGRAM: Sambar Server
    HOMEPAGE: http://www.sambar.com/
    VULNERABLE VERSIONS: 6.0 Beta 1
                         5.3
                         5.2 and prior ?
    RISK: Low/Medium
    IMPACT: Disclosure of authentication information
    RELEASE DATE: 2003-04-24

    Security Corporation's Free weekly Newsletter :
    http://www.security-corporation.com/newsletter.html

    ======================================================================
    TABLE OF CONTENTS
    ======================================================================

    1..........................................................DESCRIPTION
    2..............................................................DETAILS
    3.............................................................EXPLOITS
    4............................................................SOLUTIONS
    5...........................................................WORKAROUND
    6..................................................DISCLOSURE TIMELINE
    7..............................................................CREDITS
    8...........................................................DISCLAIMER
    9...........................................................REFERENCES
    10............................................................FEEDBACK

    1. DESCRIPTION
    ======================================================================

    "Sambar Server is the new standard in high performance multi-functional
    servers with features rivaling other commercial products selling
    separately for several hundreds of dollars. It's Winsock2 compliant
    Win32 integration functions on Windows 95, Windows 98, Windows NT,
    Win2000, and XP as a service or as an application."
    (direct quote from http://sambar.jalyn.net)

    2. DETAILS
    ======================================================================

    - Disclosure of authentication information:

    A security vulnerability in Sambar Server Pro Server allows an
    attacker to view the username and password of a user who logs in
    to the webmail.

    When logging in to the WebMail part of Sambar Server Pro Server,
    the username and password are sent in clear text.

    A remote attacker with access to the target user's or target server's
    traffic stream can view the username and the password.

    3. EXPLOIT
    ======================================================================

    - Disclosure of authentication information:

    This vulnerability can be easily exploited by an attacker who is on
    the same network. He can put a network sniffer on the network and capture
    the username and password sent in the clear by Sambar Server Pro Server.

    Here is a capture of the HTTP headers:

    -------CUT-------

    POST /session/login HTTP/1.0
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
    application/x-shockwave-flash, application/vnd.ms-excel,
    application/vnd.ms-powerpoint, application/msword, */*
    Referer: http://[target]/sysuser/webmail/
    Accept-Language: fr
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Host: 192.168.0.23
    Content-Length: 200
    Pragma: no-cache
    Connection: keep-alive
    Browser reload detected...
    Posting 200 bytes...
    RCpage=%2Fsysuser%2Fwebmail%2Fwebmail.stm
    onfailure=%2Fsysuser%2Fwebmail%2Frelogin.htm
    start=1
    RCSdesktop=false
    RCSsort=desc
    RCSfolder=inbox
    RCShome=%2Fsysuser%2Fwebmail
    RCuser=administrator
    RCpwd=thepassword

    -------CUT-------
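    The capture above is exactly what a passive monitor sees on the wire. As an added example (not part of the advisory), the following Python check parses a raw HTTP request of this shape, finds the form fields that carry the username and password, and reports them with the password redacted so the finding can be logged without copying the secret. RCuser and RCpwd are the field names from the Sambar webmail capture; the other field names, the constructed sample request and the helper names are assumptions.

```python
"""Passive check for credentials submitted over plaintext HTTP.

Added example (not part of the advisory): the check a network monitor or an
IDS rule would apply to a request like the one captured in the advisory.
RCuser/RCpwd are the field names from the Sambar webmail capture; the other
field names are assumptions covering the general case.
"""
from urllib.parse import parse_qsl

# Field names treated as credentials (compared lower-cased).
USER_FIELDS = {"rcuser", "user", "username", "login"}
PASSWORD_FIELDS = {"rcpwd", "pwd", "password", "passwd"}

# Constructed sample modelled on the advisory's capture.  The body is joined
# with '&' as the browser sends it (the sniffer in the advisory printed one
# field per line); the password value is a placeholder.
SAMPLE_REQUEST = (
    "POST /session/login HTTP/1.0\r\n"
    "Referer: http://[target]/sysuser/webmail/\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: 192.168.0.23\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
    "RCpage=%2Fsysuser%2Fwebmail%2Fwebmail.stm"
    "&onfailure=%2Fsysuser%2Fwebmail%2Frelogin.htm"
    "&start=1&RCSdesktop=false&RCSsort=desc&RCSfolder=inbox"
    "&RCShome=%2Fsysuser%2Fwebmail"
    "&RCuser=administrator&RCpwd=thepassword"
)


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    parts = request_line.split(" ")
    method = parts[0]
    path = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def _credential_findings(pairs, where):
    """Pick credential fields out of decoded (name, value) pairs."""
    findings = []
    for name, value in pairs:
        key = name.lower()
        if key in USER_FIELDS:
            findings.append({"field": name, "kind": "username",
                             "where": where, "value": value})
        elif key in PASSWORD_FIELDS:
            # Never store the secret itself; the field name is enough.
            findings.append({"field": name, "kind": "password",
                             "where": where, "value": "<redacted>"})
    return findings


def find_plaintext_credentials(raw, over_tls=False):
    """Return credential findings for a request, or [] if nothing is exposed.

    over_tls marks a capture taken from inside a TLS session (for example a
    terminating proxy's log); a login form POSTed over HTTPS is not an
    exposure, which is the advisory's workaround.
    """
    if over_tls:
        return []
    method, path, headers, body = parse_http_request(raw)
    findings = []
    # Credentials in the query string are exposed regardless of method and
    # also end up in server and proxy logs.
    if "?" in path:
        query = path.split("?", 1)[1]
        findings += _credential_findings(
            parse_qsl(query, keep_blank_values=True), "query")
    content_type = headers.get("content-type", "")
    if method.upper() == "POST" and "x-www-form-urlencoded" in content_type:
        findings += _credential_findings(
            parse_qsl(body, keep_blank_values=True), "body")
    return findings


def format_alerts(raw):
    """One log line per exposed credential, safe to forward to a SIEM."""
    _, path, headers, _ = parse_http_request(raw)
    host = headers.get("host", "?")
    return [f"plaintext credential: host={host} path={path} "
            f"field={f['field']} kind={f['kind']} value={f['value']}"
            for f in find_plaintext_credentials(raw)]


if __name__ == "__main__":
    for line in format_alerts(SAMPLE_REQUEST):
        print(line)
```

    Run against the sample request the check yields two findings, the username in clear and the password field redacted; the same request seen inside a TLS session yields none, which is the property the HTTPS workaround below restores.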

    4. SOLUTIONS
    ======================================================================

    No solution for the moment.

    5. WORKAROUND
    ======================================================================

    We strongly urge you to start the HTTPS server.
    The HTTPS server does not start by default, it must be enabled via
    the config.ini file entry Act As HTTPS Server = true.
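    As an added example (not code from the advisory or the vendor), the following Python snippet audits a config.ini for the entry above and rewrites it when it is off. It assumes config.ini is a plain "Key = Value" text file, that a missing entry means the listener is disabled (consistent with the advisory's note that the HTTPS server does not start by default), and that lines starting with '#' or ';' are comments; the sample configuration is constructed.

```python
"""Audit and fix the HTTPS listener setting in Sambar's config.ini.

Added example, not code from the advisory or the vendor.  Assumptions: the
file is plain "Key = Value" text, a missing entry means the HTTPS server is
off, and '#' / ';' start comment lines.
"""
HTTPS_KEY = "Act As HTTPS Server"

# Constructed sample of a configuration with the HTTPS listener off.
WEAK_CONFIG = """\
# constructed sample config.ini
Server Name = mail.example.test
HTTP Port = 80
Act As HTTPS Server = false
"""


def parse_config(text):
    """Return {lower-cased key: value} for every 'Key = Value' line."""
    settings = {}
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def https_enabled(text):
    """True only when the entry is present and set to 'true' (any case)."""
    return parse_config(text).get(HTTPS_KEY.lower(), "").lower() == "true"


def fix_config(text):
    """Return the config with the HTTPS entry set to true.

    An existing entry is rewritten in place (case-insensitive key match) so
    the rest of the file, comments included, is preserved; a missing entry
    is appended.
    """
    out, replaced = [], False
    for raw_line in text.splitlines():
        key = raw_line.split("=", 1)[0].strip().lower() if "=" in raw_line else None
        if key == HTTPS_KEY.lower():
            out.append(f"{HTTPS_KEY} = true")
            replaced = True
        else:
            out.append(raw_line)
    if not replaced:
        out.append(f"{HTTPS_KEY} = true")
    return "\n".join(out) + "\n"


def audit(text):
    """(ok, message) pair for a compliance report."""
    if https_enabled(text):
        return True, f"{HTTPS_KEY} is true: webmail logins can use HTTPS"
    return False, (f"{HTTPS_KEY} is missing or not true: "
                   "webmail credentials travel in clear text")


if __name__ == "__main__":
    print(audit(WEAK_CONFIG))
    print(audit(fix_config(WEAK_CONFIG)))
```

    Note that the check only confirms the listener is configured; users must still reach the webmail over an https:// URL for the credentials to be protected, since the plain HTTP listener keeps accepting the same login form.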

    6. DISCLOSURE TIMELINE
    ======================================================================

    19/04/2003 Vulnerability discovered
    19/04/2003 Vendor notified
    20/04/2003 Security Corporation clients notified
    23/04/2003 Vendor response
    24/04/2003 Public disclosure

    7. CREDITS
    ======================================================================

    Discovered by Gregory Le Bras <gregory.lebras@security-corporation.com>

    8. DISCLAIMER
    ======================================================================

    The information within this paper may change without notice. Use of
    this information constitutes acceptance for use in an AS IS condition.
    There are NO warranties with regard to this information. In no event
    shall the author be liable for any damages whatsoever arising out of
    or in connection with the use or spread of this information. Any use
    of this information is at the user's own risk.

    9. REFERENCES
    ======================================================================

    - Original Version:
      http://www.security-corporation.com/advisories-018.html

    - French Version:
      http://www.security-corporation.com/index.php?id=advisories&a=018-FR

    10. FEEDBACK
    ======================================================================

    Please send suggestions, updates, and comments to:

    Security Corporation
    http://www.security-corporation.com
    info@security-corporation.com

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

