=====================================================================
Security Corporation Security Advisory [SCSA-019]
Gattaca Server 2003 Vulnerable to Multiple Vulnerabilities
=====================================================================

PROGRAM: Gattaca Server 2003
HOMEPAGE: www.gattaca-server.com
VULNERABLE VERSIONS: 1.0.8.1 and prior (?)
RISK: Low/Medium
IMPACT: Show file and directory content
        Denial of Service
        Directory Traversal
        Cross Site Scripting
RELEASE DATE: 2003-07-10

Security Corporation's free weekly newsletter:
http://www.security-corporation.com/newsletter.html

=====================================================================
TABLE OF CONTENTS
=====================================================================

1..........................................................DESCRIPTION
2..............................................................DETAILS
3.............................................................EXPLOITS
4............................................................SOLUTIONS
5...........................................................WORKAROUND
6..................................................DISCLOSURE TIMELINE
7..............................................................CREDITS
8...........................................................DISCLAIMER
9...........................................................REFERENCES
10............................................................FEEDBACK

1. DESCRIPTION
=====================================================================

Gattaca Server is "A high performance Windows NT based Mail and Web
Server software for building own intranet. You may register unlimited
users, use unlimited domains. Supporting POP3, SMTP, and HTTP
protocols. Integrated with TMPL library, allow you write own CGI
scripts" (direct quote from http://www.gattaca-server.com/)

2. DETAILS
=====================================================================

- Shows file and directory content:

  When a GET request is sent with two slashes ("//") as the path, the
  server returns a listing of every file in the directory. An attacker
  can thereby see all hidden (not linked from any HTML page) files and
  directories on the server.

- Denial of Service:

  A security vulnerability in Gattaca Server 2003 allows remote and
  local attackers to crash the server by executing a specific command
  (LLIST) with a buffer of 1048 bytes in length or more. The command
  can be issued to the server through the Gattaca Console
  (C:\WINNT\system32\gattaca.exe).

- Directory Traversal:

  A security vulnerability in Gattaca Server 2003 allows remote
  attackers to gain access to system files.

- Cross Site Scripting:

  An exploitable bug was found in Gattaca Server 2003 that causes
  script execution on the client's computer when the client follows a
  crafted URL. This kind of attack, known as a "Cross-Site Scripting
  Vulnerability", is present in the view2.tmpl file: an attacker can
  inject specially crafted links and/or other malicious scripts.

3. EXPLOITS
=====================================================================

- Show file and directory content:

  http://[target]//

  You will get this:
  http://www.security-corporation.com/download/SCSA-019.png

- Denial of Service:

  In the Gattaca Console:

  $> LLIST AAAA...[1024]...AAAA

  ggesvr32.exe crashes at once.

- Directory Traversal:

  http://[target]/view.tmpl?testfile=../../winnt/win.ini

- Cross Site Scripting:

  http://[target]/view2.tmpl?text=[hostile_code]

  The hostile code could be:

  [script]alert("Cookie="+document.cookie)[/script]

  (opens a window showing the visitor's cookie; replace [] by <>)

4. SOLUTIONS
=====================================================================

No solution for the moment. The vendor will fix the bugs in the next
release.

5. WORKAROUND
=====================================================================

- Show file and directory content:

  Vendor response:

  "To fix this issue (http://[target]//) you also need to perform an
  additional task. There are 2 ways:

  1) Open %systemroot%\gattaca.ini in Notepad and remove the extension
  for the configuration file:

  ====================================
  [GATTACA]
  PATH=C:\GeeOSPub
  ENVIRONMENT=C:\GeeOSPub\wwwroot\.config
  SITE=C:\GeeOSPub\wwwroot\.config
  ====================================

  The last 2 strings may be removed; restarting is not needed. The new
  configuration settings will be picked up by Gattaca Server within 15
  seconds.

  ====================================
  [GATTACA]
  PATH=C:\GeeOSPub
  #ENVIRONMENT=C:\GeeOSPub\wwwroot\.config
  #SITE=C:\GeeOSPub\wwwroot\.config
  ====================================

  But you will get a problem with the sample site, so the best way is:

  2) You may update the C:\GeeOSPub\wwwroot\.config file too; it has
  the structure

  =====================
  [HTTPFOLDER]
  /=1
  =====================

  Change it to

  =====================
  [HTTPFOLDER]
  /=0
  =====================

  Also, if you need to view the directory index of any folder, append
  your variables in the form folder=status, where status 1 allows
  viewing and 0 disables it. For example:

  [HTTPFOLDER]
  /=0
  /pub=1
  /pub/private=0

  Also, it is impossible to view files whose names start with a dot
  (like .config etc.); if any clients want to hide some files from the
  directory index they should start the file names with a dot. It's by
  design."

- Denial of Service:

  Vendor response:

  "For the LLIST command, this is a real problem too. But it is
  possible to limit access to the computer where Gattaca Server is
  installed."

- Directory Traversal:

  Remove view.tmpl

- Cross Site Scripting:

  Use the PHP function eregi_replace to filter the input data, or
  remove view2.tmpl.

  Vendor response:

  "For the exploit (http://[target]/view2.tmpl?text=[hostile_code]) it
  is not a bug, because the response to this GET/POST request is
  received only by the attacker, and it is impossible to control the
  server response to other client(s). It's by design.
  This script (view2.tmpl) was made for this purpose (allowing the end
  user to insert their own code/text into the output HTML), and if this
  works, it is fine. This means that Gattaca Server is properly
  configured and works well. In our opinion this is not a bug or
  exploit; it is possible to send data to this script using GET/POST
  (POST is better because the client can send more data)."

6. DISCLOSURE TIMELINE
=====================================================================

08/07/2003  Vulnerability discovered
08/07/2003  Vendor notified
09/07/2003  Vendor response
09/07/2003  Security Corporation clients notified
09/07/2003  Started e-mail discussions
10/07/2003  Last e-mail received
10/07/2003  Public disclosure

7. CREDITS
=====================================================================

Discovered by Gregory Le Bras

8. DISCLAIMER
=====================================================================

The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of
or in connection with the use or spread of this information. Any use
of this information is at the user's own risk.

9. REFERENCES
=====================================================================

- Original Version:
  http://www.security-corporation.com/advisories-019.html

- Version Française:
  http://www.security-corporation.com/index.php?id=advisories&a=019-FR

10. FEEDBACK
=====================================================================

Please send suggestions, updates, and comments to:

Security Corporation
http://www.security-corporation.com
info@security-corporation.com
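An added example for the [HTTPFOLDER] settings in the workaround of section 5 (this is not code from the advisory or from the vendor): it parses a .config file and reports which folders still serve a directory index. The sample .config text is constructed from the vendor's example, and it assumes (the vendor does not say so) that for nested paths the most specific folder entry wins.

```python
# Added example, not part of the advisory or of Gattaca Server itself.
# Audits the [HTTPFOLDER] section of a Gattaca .config file: status 1 serves
# a directory index for that folder, 0 disables it (vendor's stated semantics).
from configparser import ConfigParser

# Constructed sample mirroring the vendor's example; "/pub" leaves listing on.
SAMPLE_CONFIG = """
[HTTPFOLDER]
/=0
/pub=1
/pub/private=0
"""

def parse_httpfolder(text):
    """Return {folder: status} from the [HTTPFOLDER] section (status as int)."""
    cp = ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str          # keep folder names case-sensitive
    cp.read_string(text)
    if "HTTPFOLDER" not in cp:
        return {}
    return {k.rstrip("/") or "/": int(v) for k, v in cp["HTTPFOLDER"].items()}

def listing_enabled(folders, path):
    """Would a directory index be served for `path`? Assumption (not stated by
    the vendor): the longest matching folder entry wins, and paths with no
    specific entry fall back to the "/" entry (0 if that is absent too)."""
    norm = "/" + path.strip("/")          # "/pub/x/" -> "/pub/x", "/" -> "/"
    best, status = -1, folders.get("/", 0)
    for folder, st in folders.items():
        if folder == "/":
            continue
        if (norm == folder or norm.startswith(folder + "/")) and len(folder) > best:
            best, status = len(folder), st
    return status == 1

def hidden_by_design(name):
    """Vendor rule: files whose names start with a dot never appear in an index."""
    return name.startswith(".")

def audit(text):
    """Folders whose directory index is exposed (status 1), sorted."""
    return sorted(f for f, st in parse_httpfolder(text).items() if st == 1)

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"directory index enabled for {f}; set '{f}=0' to disable it")
```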