BugTraq
Sambar Server : Crashing service with search.pl Jun 21 2003 10:02AM
Lorenzo Manuel Hernandez Garcia-Hierro (security lorenzohgh com)


--------------------

Product: Sambar Server
Vendor: Sambar Technologies

Versions:

VULNERABLE
- 6.0 ?
- 5.x
- 4.x
- 3.x

NOT VULNERABLE
- ?

---------------------

Description:

Multi-threaded, extensible application server with a highly programmable API.
Virtual domain support (currently name based) with independent document/CGI
directories, log files, and error templates.
HTTP 1.1 KeepAlive (performance enhancing) and byte-range (download resume)
support.
Dynamic content compression.
HTTPS (SSL) 128-bit encryption support (OpenSSL included).
Integrated log file analysis.
Documents and images can be cached in memory for performance.
Document and CGI directory aliasing.
Customizable and scriptable error templates allow database and email
notification.
Graphing performance monitors and automatic log file report generation.
Bandwidth and per-user throttling.
Dynamic pages using CGI, ISAPI, Java, and SSI. Internal ODBC allows
connections to most database types (Oracle, MS-SQL, MySQL, Access, etc.).
Built-in SQL RDBMS (SQLite) for prototyping and modest projects.

-----------------------------------------

SECURITY HOLES FOUND and PROOFS OF CONCEPT:

-----------------------------------------

I encountered a buffer overflow vulnerability in the search system's Perl
script (search.pl); with this you can corrupt the stack. The failure occurs
when you send a specially crafted query.

---------------------

| BUFFER OVERFLOW |
| IN SEARCH.PL    |
---------------------

Code with the hole:

_______________________________________________________

my $buffer;   # raw POST body
my %FORM;     # decoded name=value pairs

# Buffer the POST content: reads exactly as many bytes as the client
# declared in Content-Length, with no upper bound applied.
read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});

# Process the name=value argument pairs
my $pair;
my $name;
my $value;
my @args = split(/&/, $buffer);
foreach $pair (@args)
{
    ($name, $value) = split(/=/, $pair);

    # Unescape the argument value
    $value =~ tr/+/ /;    # <--- LOOK HERE
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;

    # Save the name=value pair for use below.
    $FORM{$name} = $value;
}

________________________________________________________

Proof of Concept:

You must send a POST request to the search.pl script with the following
content:

QUERY TO USE FOR THE BUFFER OVERFLOW:

.+.+a+.+b+.+c+.+d+.+E+.+D+.+gh+sd+.+sF+.+.+G0+.+H0+.+J1+.+L2+.+2M+.+G0

You can send other queries including + and . too, but you must include
other characters.

I think that the problem is in the way search.pl recognises the query logic
operator and the +.

search.pl crashes and the Sambar server crashes too; if you continue sending
these requests, the server machine must be restarted. The search.pl script
doesn't have a limit on the number of characters in the query.
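The advisory's point is that the parser reads whatever Content-Length says and places no cap on the query. The following is an added example, not Sambar's code, showing the same form-parsing loop with bounds on the body size, the number of pairs and the length of each value; the limit values and the read_body/parse_form names are assumptions chosen for this illustration.

```perl
#!/usr/bin/perl
# Added example, not part of search.pl: a bounded form parser.
# Assumes the usual CGI environment (CONTENT_LENGTH in %ENV, body on STDIN).
use strict;
use warnings;

# Hypothetical limits for this example; a real deployment tunes these.
use constant MAX_BODY_BYTES  => 8192;
use constant MAX_VALUE_BYTES => 512;
use constant MAX_PAIRS       => 32;

# Read the POST body, refusing a missing, non-numeric or oversized length
# before a single byte is buffered.
sub read_body {
    my $len = $ENV{'CONTENT_LENGTH'};
    return (undef, "bad CONTENT_LENGTH") unless defined $len && $len =~ /^\d+$/;
    return (undef, "body too large")     if $len > MAX_BODY_BYTES;
    my $buffer = '';
    my $got = read(STDIN, $buffer, $len);
    return (undef, "short read") unless defined $got && $got == $len;
    return ($buffer, undef);
}

# Decode application/x-www-form-urlencoded pairs into a hash.
# Returns (\%form, undef) on success or (undef, $error) when a limit is hit.
sub parse_form {
    my ($body) = @_;
    my %form;
    my @pairs = split /&/, $body;
    return (undef, "too many parameters") if @pairs > MAX_PAIRS;
    foreach my $pair (@pairs) {
        my ($name, $value) = split /=/, $pair, 2;   # keep '=' inside values
        next unless defined $name && length $name;
        $value = '' unless defined $value;
        # Check the cap before decoding; decoding never makes a value longer.
        return (undef, "value for '$name' too long")
            if length($value) > MAX_VALUE_BYTES;
        $value =~ tr/+/ /;
        $value =~ s/%([a-fA-F0-9]{2})/pack("C", hex($1))/eg;
        $form{$name} = $value;
    }
    return (\%form, undef);
}

# Constructed sample body (not a captured request) so the script runs offline.
my $sample = "q=.%2B.%2Ba%2B.%2Bb&page=1";
my ($form, $err) = parse_form($sample);
print "Content-type: text/plain\n\n";
if ($err) { print "400 $err\n"; exit 0; }
print "$_ = $form->{$_}\n" for sort keys %$form;
```

In a CGI context replace the constructed $sample with the result of read_body() and reject the request when either function returns an error.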

-----------
| CONTACT |
-----------

Lorenzo Hernandez Garcia-Hierro
--- Computer Security Analyzer ---
--Nova Projects Professional Coding--

PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7

**********************************
www.novappc.com
security.novappc.com
www.lorenzohgh.com
______________________
