[VulnWatch] [SCSA-019] Gattaca Server 2003 Vulnerable to Multiple vulnerabilities

From: Gregory LEBRAS (gregory.lebras_at_security-corporation.com)
Date: 07/10/03

  • Next message: Peter Winter-Smith: "[VulnWatch] Buffer Overflow Vulnerabilities in TurboFTP"
    To: <vulnwatch@vulnwatch.org>
    Date: Thu, 10 Jul 2003 22:34:15 +0200
    
    

    =====================================================================
    Security Corporation Security Advisory [SCSA-019]

    Gattaca Server 2003 Vulnerable to Multiple vulnerabilities
    =====================================================================

    PROGRAM: Gattaca Server 2003
    HOMEPAGE: www.gattaca-server.com
    VULNERABLE VERSIONS: 1.0.8.1 and prior ?
    RISK: Low/Medium
    IMPACT: Show file and directory content
    Denial of Service
    Directory Traversal
    Cross Site Scripting
    RELEASE DATE: 2003-07-10

    Security Corporation's Free weekly Newsletter :
    http://www.security-corporation.com/newsletter.html

    =====================================================================
    TABLE OF CONTENTS
    =====================================================================

    1..........................................................DESCRIPTION
    2..............................................................DETAILS
    3.............................................................EXPLOITS
    4............................................................SOLUTIONS
    5...........................................................WORKAROUND
    6..................................................DISCLOSURE TIMELINE
    7..............................................................CREDITS
    8...........................................................DISCLAIMER
    9...........................................................REFERENCES
    10............................................................FEEDBACK

    1. DESCRIPTION
    =====================================================================

    Gattaca Server is "A high performance Windows NT based Mail and Web
    Server software for building own intranet. You may register unlimited
    users, use unlimited domains. Supporting POP3, SMTP, and HTTP
    protocols.
    Integrated with TMPL library, allow you write own CGI scripts"

    (direct quote from http://www.gattaca-server.com/)

    2. DETAILS
    =====================================================================

    - Shows file and directory content :

    When sending a GET with 2 slashes ("//"), then the server shows all
    files in the directory content. An attacker can see all hidden
    (non-HTML linked) files and directories on the server.

    - Denial of Service :

    A security vulnerability in Gattaca Server 2003 allows remote and
    local attackers to cause the server to crash by executing a specific
    command (LLIST) with a buffer of 1048 bytes in length or more.

    The command can be issued to the server either by using the Gattaca
    Console.(C:\WINNT\system32\gattaca.exe)

    - Directory Traversal :

    A security vulnerability in Gattaca Server 2003 allows remote
    attackers to gain access to system files.

    - Cross Site Scripting :

    A exploitable bug was found in Gattaca Server 2003 which cause
    script execution on client's computer by following a crafted url.

    This kind of attack known as "Cross-Site Scripting Vulnerability"
    is present in view2.tmpl file, an attacker can input specially crafted
    links and/or other malicious scripts.

    3. EXPLOIT
    =====================================================================

    - Show file and directory content :

    http://[target]//

    You will get this :
    http://www.security-corporation.com/download/SCSA-019.png

    - Denial of Service :

    In Gattaca Console :

    $> LLIST AAAA...[1024]...AAAA

    ggesvr32.exe crash at once.

    - Directory Traversal :

    http://[target]/view.tmpl?testfile=../../winnt/win.ini

    - Cross Site Scripting :

    http://[target]/view2.tmpl?text=[hostile_code]

    The hostile code could be :

    [script]alert("Cookie="+document.cookie)[/script]

    (open a window with the cookie of the visitor.)

    (replace [] by <>)

    4. SOLUTIONS
    =====================================================================

    No solution for the moment. Vendor fix bugs in the next release.

    5. WORKAROUND
    =====================================================================

    - Show file and directory content :

    Vendor response :

    For fix this issue, you also need provide additional task

    http://[target]//

    2 ways:

    1) Open notepad %systemroot%\gattaca.ini and remove extension for
    configuration file

    ====================================
    [GATTACA]
    PATH=C:\GeeOSPub
    ENVIRONMENT=C:\GeeOSPub\wwwroot\.config
    SITE=C:\GeeOSPub\wwwroot\.config
    ====================================

    Last 2 strings maybe removed, restarting is not needed.
    New configuration settings will be updated by Gattaca
    Server in 15 seconds.

    ====================================
    [GATTACA]
    PATH=C:\GeeOSPub
    #ENVIRONMENT=C:\GeeOSPub\wwwroot\.config
    #SITE=C:\GeeOSPub\wwwroot\.config
    ====================================

    but you got problem with site sample, and best way is:

    2) You may update C:\GeeOSPub\wwwroot\.config file too, it also has
    structure

    =====================
    [HTTPFOLDER]
    /=1
    =====================

    Changed it to

    =====================
    [HTTPFOLDER]
    /=0
    =====================

    Also if you need view directory index of any folder append your
    variables look like:

    <url>=<status>

    where status is 1 allowed to view, and 0 disabled view.
    for example:

    [HTTPFOLDER]
    /=0
    /pub=1
    /pub/private=0

    Also it is impossible view files started with dot (like .config etc), if
    any clients want hide some files from directory index they should start
    names of files from dot. It's by design.

    - Denial of Service :

    Vendor response :

    For LLIST command, this is real problem too. But it's possible limit
    access to computer where Gattaca Server installed.

    - Directory Traversal :

    Remove view.tmpl

    - Cross Site Scripting :

    Use the function php eregi_replace to filter the input data or
    remove view2.tmpl

    Vendor response :

    For exploit (http://[target]/view2.tmpl?text=[hostile_code]) it is not
    bug, because response to this GET/POST request got only attacker. And it
    impossible to control server response to another client(s). It's by
    design. This script (view2.tmpl) made for this purposes (allowing
    end-user insert own code/text to output html), and if this work it is
    fine. This mean that Gattaca Server properly configured, and work well.
    For our opinion this is not bug or exploid, it is possible send data to
    this script using GET/POST (POST it's better because client can send
    more data)

    6. DISCLOSURE TIMELINE
    =====================================================================

    08/07/2003 Vulnerability discovered
    08/07/2003 Vendor notified
    09/07/2003 Vendor response
    09/07/2003 Security Corporation clients notified
    09/07/2003 Started e-mail discussions
    10/07/2003 Last e-mail received
    10/07/2003 Public disclosure

    7. CREDITS
    =====================================================================

    Discovered by Gregory Le Bras <gregory.lebras@security-corporation.com>

    8. DISLAIMER
    =====================================================================

    The information within this paper may change without notice. Use of
    this information constitutes acceptance for use in an AS IS condition.
    There are NO warranties with regard to this information. In no event
    shall the author be liable for any damages whatsoever arising out of
    or in connection with the use or spread of this information. Any use
    of this information is at the user's own risk.

    9. REFERENCES
    =====================================================================

    - Original Version:
    http://www.security-corporation.com/advisories-019.html

    - Version Franšaise:
    http://www.security-corporation.com/index.php?id=advisories&a=019-FR

    10. FEEDBACK
    =====================================================================

    Please send suggestions, updates, and comments to:

    Security Corporation
    http://www.security-corporation.com
    info@security-corporation.com


  • Next message: Peter Winter-Smith: "[VulnWatch] Buffer Overflow Vulnerabilities in TurboFTP"

    Relevant Pages