exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

xitami-2.5b4.txt

xitami-2.5b4.txt
Posted Nov 22, 2001
Authored by Zerologic | Site nssolution.net

Xitami WEB/FTP Server for Windows 95/98/NT/2k v2.5b4 has remote vulnerabilities which allow users to view sensitive system information via testcgi.exe. Passwords are stored in plain text. Denial of service is possible.

tags | exploit, remote, web, denial of service, vulnerability
systems | windows
SHA-256 | 963cbf8d5f403c450c746e48d4a87ee002babfa21848572bbe2f6ac1680a715f

xitami-2.5b4.txt

Change Mirror Download
Network Security Solutions Inc. Security AdvisorY
(Philippine based Security Company)

Http://www.Nssolution.net
Http://connect.to/nssi

]*** Xitami WEB/FTP release 2.5b4 Server Multiple Security Vulnerabilities ***[

Author: Abraham Lincoln
handle: zer0logic

Email : Abraham@nssolution.net, zer0logic@PrivacyX.Com,
Abraham@Digital-Defense-Network.Net

Date Discovered: November 29, 2000
Vendor: iMatix Corporation

Disclaimer:
This paper is intended for informational purpose only. The Author is not
responsible for the the Use and/or potential effects of these advisories.
Read this at your own risk! or not at all.


1] 1st Vulnerability - TestCgi.exe file vulnerability

Version Affected: Xitami Web Server release 2.5b4
for Win 95 / 98 / NT / Win2k
Local : Yes
Remote: Yes
Risk: Medium

Problem Description:

- Xitami Webservers default installation /Cgi-Bin directory has a Vulnerability that allows remote users to View
information regarding your system and Webserver's Directory by executing TestCgi.exe using your browser sample:
Http://www.Target.com/cgi-bin/testcgi

Sample output:

Environment Variables

COMPUTERNAME = MYSERVER
COMSPEC = C:\WINNT\system32\cmd.exe
HOMEDRIVE = C:
HOMEPATH = \
LOGONSERVER = \\MYSERVER
NUMBER_OF_PROCESSORS = 1
OS = Windows_NT
OS2LIBPATH = C:\WINNT\system32\os2\dll;
PATH = C:\WINNT\system32;C:\WINNT
PROCESSOR_ARCHITECTURE = x86
PROCESSOR_IDENTIFIER = x86 Family 6 Model 8 Stepping 3, GenuineIntel
PROCESSOR_LEVEL = 6
PROCESSOR_REVISION = 0803
SYSTEMDRIVE = C:
SYSTEMROOT = C:\WINNT
TEMP = C:\TEMP
TMP = C:\TEMP
USERDOMAIN = MYSERVER
USERNAME = Administrator
USERPROFILE = C:\WINNT\Profiles\Administrator
WINDIR = C:\WINNT
HTTP_ACCEPT_CHARSET = iso-8859-1,*,utf-8
HTTP_ACCEPT_LANGUAGE = en
HTTP_ACCEPT_ENCODING = gzip
HTTP_ACCEPT = image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
HTTP_HOST = 127.0.0.1
HTTP_USER_AGENT = Mozilla/4.75 [en] (WinNT; U)
HTTP_CONNECTION = Keep-Alive
HTTP_CONTENT_LENGTH = 0
SERVER_SOFTWARE = Xitami
SERVER_VERSION = 2.5b4
SERVER_NAME = 127.0.0.1
SERVER_URL = http://127.0.0.1/
SERVER_PORT = 0
SERVER_PROTOCOL = HTTP/1.1
SERVER_SECURITY = -
GATEWAY_INTERFACE = CGI/1.1
REQUEST_METHOD = GET
QUERY_METHOD = GET
SCRIPT_PATH = cgi-bin
SCRIPT_NAME = /cgi-bin/testcgi
CONTENT_TYPE =
CONTENT_LENGTH = 0
REMOTE_USER = -
REMOTE_HOST = 127.0.0.1
REMOTE_ADDR = 127.0.0.1
PATH_INFO =
PATH_TRANSLATED = C:/Xitami/webpages
DOCUMENT_ROOT = C:/Xitami/webpages
CGI_ROOT = C:/Xitami/cgi-bin
CGI_URL = /cgi-bin
CGI_STDIN = C:\TEMP\pipe0001.cgi
CGI_STDOUT = C:\TEMP\pipe0001.cgo
CGI_STDERR = cgierr.log

The Problem lies in the Default Installation of Xitami Webserver in /cgi-bin directory where testcgi.exe is located.
this problem could allow a malicious user to gain information about your system that can be used to Penetrate the whole
system.

Work Around:
Delete testcgi.exe file, or disable cgi-bin directory in Xitami Administration under cgi properties and always don't use
any default installation always re configure your webserver after installing. Read some articles regarding WWW Security FAQ
and CGI Vulnerabilities @ http://www.w3.org/Security/Faq/


2] 2nd Vulnerability - Plain text Password vulnerability

Version Affected: Xitami Web Server release 2.5b4
for Win 95 / 98 / NT / Win2k
Local : Yes
Remote: No
Risk: Medium

Problem Description:
- I Discovered that Xitami WEbserver is storing Plain Text Password of Xitami Webserver Administration to
defaults.aut file in default installation folder of Xitami webserver w/c is C:\Xitami. even if you gonna change the installation folder
its still the the same.
Example:
defaults.aut
# Created at installation time
#
[/Admin]
admin="root123" <----- admin=username password=root123
[Private]
Jacky=robusta

The Problem lies when the attacker gains a physical access to Xitami root directory and opens the file Defaults.Aut
the attacker may use this to gain administrator access to webserver Administration example: http://localhost/admin then the
attacker enters the username and the password that stores in defaults.aut then the attacker already gains a full access to the
web server administration site.

And if you try to put the password file to other folder next time you logon to Xitami WEb Administration site this error
will appear --> Abort at smthttp:Resolve-Virtual-Hostname: (Have-Client-Request, Finished-Event) And Causes the
Webserver to Un-usable and you need to re install the whole Application.

Work around:
Don't leave your Workstation or Server open to Physical Access to the root directory of Xitami web server always
change the default folder for the webserver instead of using C:\Xitami.

3] 3rd Vulnerability - Xitami Webserver and FTP Server for Win95/Win98 is Affected by /CON/CON exploit

Version Affected: Xitami Web Server release 2.5b4
for Win 95 / 98
Local : Yes
Remote: Yes
Risk: High

Problem Description:

- Xitami Webserver and FTP Server is still Vulnerable w/ /Con/Con bug of Windows 95 and 98 that causes the
Webserver and FTP Server to Shutdown/Crash and sometimes even the whole Operating System gets a Fatal Error. the
Application needs to re-start again to perform normal operation.

The Problem lies when the attacker send this request to the Webserver -->GET /con/con HTTP/1.0 by using
telnet client to execute this to remote host type -->Telnet <Target IP> 80 if you are already connected try to Execute the GET
/con/con HTTP/1.0 command then press Enter. The Server will Now crash or Shutdown and If the Operating System is Not Patch with Con/Con Bug.

On the FTP Server try to login as a Anonymous user or any user that allows access to FTP Server then execute
this Command Ftp>cd /con/con the FTP Server will disconnect you from remote host and it will Shutdown or Crash.

Work Around:
Install the Con/Con Bug PATCH to your Operating System, Patch is Available @ Microsoft Website or @ http://packetstormsecurity.org/Win/ConConFix2.zip coz` the bug also lies on ur O.S.

Vendor Status: iMatix Corporation has been notified of this Vulnerability but no patch has been issued yet.

NOTE:
Sorry for the grammar etc... coz` this is just a 5 Minute Exploit if u have some questions email me.. all spam mails and lame emails are just ignored. -zer0logic-

Related Links: Http://www.nssolution.net
Http://connect.to/nssi
Http://www.Digital-Defense-Network.Net


Feedback and Inquiries:
If you have any questions, inquiries, feedback, concerns and
updates pls don't hesitate to email us.

For Inquiries,Concerns and updates - Info@Nssolution.net

for Comments and Questions - Abraham@nssolution.net ,lincoln@privacyx.com
zer0logic@privacyx.com
IRC - Dal.net #DDN Undernet #Hackphreak

Copyright(c) 2000-2001 Network Security Solutions Inc.
Permission is herby granted for the redistribution of this alert
electronically. if you wish to reprint or modify this document Contact us
1st or email us at: info@Nssolution.Net
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close