lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <006e01c3365a$36de9820$050010ac@rootserver>
From: novappc at novappc.com (Lorenzo Hernandez Garcia-Hierro)
Subject: Sambar Server Buffer Overflow in search.pl

--------------------
Product: Sambar Server
Vendor: Sambar Technologies
Versions:
         VULNERABLE

         - 6.0 ?
         - 5.x
         - 4.x
         - 3.x

         NOT VULNERABLE

         - ?
---------------------

Description:

Multi-threaded, extensible Application Server with highly programmable API
Virtual domain support (currently name based) with independent document/CGI
directories, log files, and error templates.
HTTP 1.1 KeepAlive (performance enhancing) and byte-range (download resume)
support
Dynamic content compression
HTTPS (SSL) 128-bit encrytion support (OpenSSL included)
Integrated Log File Analysis
Documents and images can be cached in memory for performance
Document and CGI directory aliasing
Customizable and scriptable error templates allow database and email
notification.

Graphing performance monitors and automatic log file report generation.
Bandwidth and per-user throttling.
Dynamic pages using CGI, ISAPI, JAVA, and SSI. Internal ODBC allows
connections to most database types (Oracle, MS-SQL, MySQL, Access, etc)
Built-in SQL RDBMS (SQLite) for prototyping and modest projects.

-----------------------------------------
SECURITY HOLES FOUND and PROOFS OF CONCEPT:
-----------------------------------------

I encountered a buffer overflow vulnerability in the search system by perl
file ( search.pl ) , with this you can
corrupt the stack . The failure occurs when you send a specially crafted
query.

---------------------
| BUFFER OVERFLOW   |
| IN SEARCH.PL      |
---------------------

Code with the hole:
_______________________________________________________
# Buffer the POST content
 read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});

 # Process the name=value argument pairs
 my $pair;
 my $name;
 my $value;
 my @args = split(/&/, $buffer);

 foreach $pair (@args)
 {
  ($name, $value) = split(/=/, $pair);

  # Unescape the argument value
  $value =~ tr/+/ /;                <---  LOOK HERE
  $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;

  # Save the name=value pair for use below.
  $FORM{$name} = $value;
 }
________________________________________________________


Proof of Concepts:

You must do a request in post mode to the search.pl script with the
following content:


QUERY TO USE FOR THE BUFFER OVERFLOW:

.+.+a+.+b+.+c+.+d+.+E+.+D+.+gh+sd+.+sF+.+.+G0+.+H0+.+J1+.+L2+.+2M+.+G0

You can send other queries including + and . too but you must include other
characters.

I think that the problem is in the form that search.pl recognices the query
logic operator and the +.
The search.pl crashes and the sambar server crashes too, if you continue
sending this requests the server machine
must be restarted. The search.pl script doesn't have a limit of characters
in the query.

-----------
| CONTACT |
-----------

Lorenzo Hernandez Garcia-Hierro
 --- Computer Security Analyzer ---
 --Nova Projects Professional Coding--
 PGP: Keyfingerprint
 B6D7 5FCC 78B4 97C1  4010 56BC 0E5F 2AB2
 ID: 0x9C38E1D7
 **********************************
 www.novappc.com
 security.novappc.com
 www.lorenzohgh.com
 ______________________



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ