[<prev] [next>] [day] [month] [year] [list]
Message-ID: <006e01c3365a$36de9820$050010ac@rootserver>
From: novappc at novappc.com (Lorenzo Hernandez Garcia-Hierro)
Subject: Sambar Server Buffer Overflow in search.pl
--------------------
Product: Sambar Server
Vendor: Sambar Technologies
Versions:
VULNERABLE
- 6.0 ?
- 5.x
- 4.x
- 3.x
NOT VULNERABLE
- ?
---------------------
Description:
Multi-threaded, extensible Application Server with highly programmable API
Virtual domain support (currently name based) with independent document/CGI
directories, log files, and error templates.
HTTP 1.1 KeepAlive (performance enhancing) and byte-range (download resume)
support
Dynamic content compression
HTTPS (SSL) 128-bit encrytion support (OpenSSL included)
Integrated Log File Analysis
Documents and images can be cached in memory for performance
Document and CGI directory aliasing
Customizable and scriptable error templates allow database and email
notification.
Graphing performance monitors and automatic log file report generation.
Bandwidth and per-user throttling.
Dynamic pages using CGI, ISAPI, JAVA, and SSI. Internal ODBC allows
connections to most database types (Oracle, MS-SQL, MySQL, Access, etc)
Built-in SQL RDBMS (SQLite) for prototyping and modest projects.
-----------------------------------------
SECURITY HOLES FOUND and PROOFS OF CONCEPT:
-----------------------------------------
I encountered a buffer overflow vulnerability in the search system by perl
file ( search.pl ) , with this you can
corrupt the stack . The failure occurs when you send a specially crafted
query.
---------------------
| BUFFER OVERFLOW |
| IN SEARCH.PL |
---------------------
Code with the hole:
_______________________________________________________
# Buffer the POST content
read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
# Process the name=value argument pairs
my $pair;
my $name;
my $value;
my @args = split(/&/, $buffer);
foreach $pair (@args)
{
($name, $value) = split(/=/, $pair);
# Unescape the argument value
$value =~ tr/+/ /; <--- LOOK HERE
$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
# Save the name=value pair for use below.
$FORM{$name} = $value;
}
________________________________________________________
Proof of Concepts:
You must do a request in post mode to the search.pl script with the
following content:
QUERY TO USE FOR THE BUFFER OVERFLOW:
.+.+a+.+b+.+c+.+d+.+E+.+D+.+gh+sd+.+sF+.+.+G0+.+H0+.+J1+.+L2+.+2M+.+G0
You can send other queries including + and . too but you must include other
characters.
I think that the problem is in the form that search.pl recognices the query
logic operator and the +.
The search.pl crashes and the sambar server crashes too, if you continue
sending this requests the server machine
must be restarted. The search.pl script doesn't have a limit of characters
in the query.
-----------
| CONTACT |
-----------
Lorenzo Hernandez Garcia-Hierro
--- Computer Security Analyzer ---
--Nova Projects Professional Coding--
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************
www.novappc.com
security.novappc.com
www.lorenzohgh.com
______________________
Powered by blists - more mailing lists