[Full-Disclosure] Sambar Server Buffer Overflow in search.pl

From: Lorenzo Hernandez Garcia-Hierro (novappc_at_novappc.com)
Date: 06/19/03

    To: <full-disclosure@lists.netsys.com>
    Date: Thu, 19 Jun 2003 13:59:17 +0200
    
    

    --------------------
    Product: Sambar Server
    Vendor: Sambar Technologies
    Versions:
             VULNERABLE

             - 6.0 ?
             - 5.x
             - 4.x
             - 3.x

             NOT VULNERABLE

             - ?
    ---------------------

    Description:

    Multi-threaded, extensible Application Server with highly programmable API
    Virtual domain support (currently name based) with independent document/CGI
    directories, log files, and error templates.
    HTTP 1.1 KeepAlive (performance enhancing) and byte-range (download resume)
    support
    Dynamic content compression
    HTTPS (SSL) 128-bit encryption support (OpenSSL included)
    Integrated Log File Analysis
    Documents and images can be cached in memory for performance
    Document and CGI directory aliasing
    Customizable and scriptable error templates allow database and email
    notification.

    Graphing performance monitors and automatic log file report generation.
    Bandwidth and per-user throttling.
    Dynamic pages using CGI, ISAPI, JAVA, and SSI. Internal ODBC allows
    connections to most database types (Oracle, MS-SQL, MySQL, Access, etc)
    Built-in SQL RDBMS (SQLite) for prototyping and modest projects.

    -----------------------------------------
    SECURITY HOLES FOUND and PROOFS OF CONCEPT:
    -----------------------------------------

    I encountered a buffer overflow vulnerability in the search system's Perl
    file (search.pl); with this you can corrupt the stack. The failure occurs
    when you send a specially crafted query.

    ---------------------
    | BUFFER OVERFLOW |
    | IN SEARCH.PL |
    ---------------------

    Code with the hole:
    _______________________________________________________
     my $buffer;
     my %FORM;

     # Buffer the POST content (CONTENT_LENGTH is taken from the client as-is)
     read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});

     # Process the name=value argument pairs
     my $pair;
     my $name;
     my $value;
     my @args = split(/&/, $buffer);

     foreach $pair (@args)
     {
      ($name, $value) = split(/=/, $pair);

      # Unescape the argument value
      $value =~ tr/+/ /;   # <--- LOOK HERE
      $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;

      # Save the name=value pair for use below.
      $FORM{$name} = $value;
     }
    ________________________________________________________

    Proof of Concepts:

    You must do a request in post mode to the search.pl script with the
    following content:

    QUERY TO USE FOR THE BUFFER OVERFLOW:

    .+.+a+.+b+.+c+.+d+.+E+.+D+.+gh+sd+.+sF+.+.+G0+.+H0+.+J1+.+L2+.+2M+.+G0

    You can send other queries including + and . too, but you must include other
    characters.

    I think that the problem is in the way that search.pl recognizes the query
    logic operator and the +.
    search.pl crashes and the Sambar server crashes too; if you continue
    sending these requests, the server machine must be restarted. The search.pl
    script doesn't have a limit on the number of characters in the query.
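    The snippet above passes the client-supplied CONTENT_LENGTH straight to
    read() and never bounds the length of any field, which is the missing
    limit the post points at. The following is an added example, not Sambar's
    search.pl and not a vendor patch: a bounded version of the same parsing,
    written so the caps are enforced before the body is read and before a
    value is stored. MAX_BODY, MAX_QUERY, parse_form and
    read_form_from_stdin are names and values chosen here for illustration.

```perl
#!/usr/bin/perl
# Added example (not Sambar's search.pl): a bounded replacement for the
# POST parsing shown in the advisory. MAX_BODY and MAX_QUERY are assumed
# limits chosen for illustration, not values from Sambar or the post.
use strict;
use warnings;

use constant MAX_BODY  => 4096;   # assumed cap on the whole POST body
use constant MAX_QUERY => 256;    # assumed cap on a single field value

# Parse a form-urlencoded body into a hash, refusing oversized input.
# Returns (\%form, undef) on success or (undef, $error) on rejection.
sub parse_form {
    my ($buffer, $content_length) = @_;

    # Validate before trusting: the client controls Content-Length.
    return (undef, "missing or non-numeric Content-Length")
        unless defined $content_length && $content_length =~ /^\d+$/;
    return (undef, "body exceeds " . MAX_BODY . " bytes")
        if $content_length > MAX_BODY;
    return (undef, "body shorter than Content-Length")
        if length($buffer) < $content_length;

    $buffer = substr($buffer, 0, $content_length);

    my %form;
    foreach my $pair (split /&/, $buffer) {
        # Limit the split to 2 so a '=' inside the value survives.
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $name && length $name;
        $value = '' unless defined $value;

        # Same unescaping as the original, applied to a value we will bound.
        $value =~ tr/+/ /;
        $value =~ s/%([a-fA-F0-9]{2})/pack("C", hex($1))/eg;

        return (undef, "field '$name' exceeds " . MAX_QUERY . " bytes")
            if length($value) > MAX_QUERY;

        $form{$name} = $value;
    }
    return (\%form, undef);
}

# Read at most MAX_BODY bytes from STDIN, then hand off to the parser.
sub read_form_from_stdin {
    my $len = $ENV{'CONTENT_LENGTH'};
    return (undef, "Content-Length missing or too large")
        if !defined $len || $len !~ /^\d+$/ || $len > MAX_BODY;
    my $buffer = '';
    read(STDIN, $buffer, $len);
    return parse_form($buffer, $len);
}

# Constructed inputs for a quick self-check when run directly.
unless (caller) {
    my $ok = "query=hello+world&mode=%41nd";
    my ($form, $err) = parse_form($ok, length $ok);
    print "ok: query='$form->{query}' mode='$form->{mode}'\n" unless $err;

    # A long run of '+' and '.' like the post's query, but 2000 bytes long.
    my $long = "query=" . ("+." x 1000);
    ($form, $err) = parse_form($long, length $long);
    print "rejected: $err\n" if $err;
}
```

    Run directly, the first call prints the decoded pair (query='hello
    world', mode='And') and the second is rejected at the field cap. The
    important ordering is that the body size check happens on the header
    value before read() is called, so a large Content-Length never causes a
    large read, and the field cap is checked after unescaping, since
    percent-decoding can only shrink a value but tr/+/ / keeps its length.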

    -----------
    | CONTACT |
    -----------

    Lorenzo Hernandez Garcia-Hierro
     --- Computer Security Analyzer ---
     --Nova Projects Professional Coding--
     PGP: Keyfingerprint
     B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
     ID: 0x9C38E1D7
     **********************************
     www.novappc.com
     security.novappc.com
     www.lorenzohgh.com
     ______________________

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

