SecurityTracker.com
Category:   Application (File Transfer/Sharing)  >   Shambala Server
Vendors:   Evolvable Corporation
Shambala Server Discloses Clear Text Passwords to Authenticated Remote Users Via FTP and Also Lets Remote Users Crash the Web Server
SecurityTracker Alert ID:  1004426
SecurityTracker URL:  http://securitytracker.com/id/1004426
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 31 2002
Impact:   Denial of service via network, Disclosure of authentication information, User access via network
Exploit Included:  Yes  
Version(s): 4.5
Description:   Two vulnerabilities were reported in the Shambala Server. An authenticated remote user can obtain clear text passwords from the FTP server (and a local user can also view these passwords). A remote user can cause the web server to crash.

Telhack 026 reported these two vulnerabilities in Shambala Server version 4.5.

It was reported in previous years that the FTP server is vulnerable to a directory traversal attack, allowing remote authenticated users (including anonymous users) to view the entire directory structure and download any file located outside of the FTP root document directory. One of the files on the system, located one directory above the web root directory, apparently contains plain text passwords for the Shambala Server. A local user can therefore view the password file, and because of the directory traversal flaw, any authenticated remote user can view the passwords in it as well.

A remote user can cause the web server to crash by sending the following type of HTTP GET request:

GET !"# %&/()=?

Impact:   A remote authenticated user can obtain plain text passwords from the FTP server. A local user can view the password file that contains plain text passwords. A remote user can cause the web server to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.evolvable.com/
Cause:   Access control error, Input validation error
Underlying OS:  Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   None.
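
The directory traversal in this entry works because the FTP server hands client paths such as `../../../` to the file system without confining them to the FTP root. The following Python code is an added example, not code from the advisory or the vendor, showing the containment check such a server needs on Windows; the function names, the `PathEscape` exception and any root directory passed in are hypothetical.

```python
import ntpath  # Windows path rules; these string functions also run on other OSes


class PathEscape(Exception):
    """Raised when a client-supplied path would leave the FTP root."""


def resolve_virtual(cwd, requested):
    """Resolve a client path against the session's virtual cwd ('/' is the FTP root).

    Returns the list of segments below the root, or raises PathEscape.
    """
    # Windows accepts both separators, so "..\\..\\" must be handled like "../../".
    requested = requested.replace("\\", "/")
    stack = [] if requested.startswith("/") else [s for s in cwd.split("/") if s]
    for seg in requested.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:              # would climb above the FTP root
                raise PathEscape(requested)
            stack.pop()
            continue
        # Drive letters, alternate data streams and NUL bytes never belong here.
        if ":" in seg or "\x00" in seg:
            raise PathEscape(requested)
        # Win32 strips trailing dots and spaces, so "..." or ".. " may not
        # resolve to what the string suggests; refuse them outright.
        if seg != seg.rstrip(". "):
            raise PathEscape(requested)
        stack.append(seg)
    return stack


def to_real_path(ftp_root, cwd, requested):
    """Map a virtual path to a file-system path and confirm it stays under ftp_root."""
    segments = resolve_virtual(cwd, requested)
    root = ntpath.normcase(ntpath.normpath(ftp_root))
    real = ntpath.normcase(ntpath.normpath(ntpath.join(root, *segments)))
    # Defence in depth: compare with a trailing separator so that a sibling
    # directory sharing the root's name as a prefix is not accepted.
    if real != root and not real.startswith(root.rstrip("\\") + "\\"):
        raise PathEscape(requested)
    return real
```

The check is purely lexical; a server that allows junctions or links inside the root would also need to compare the resolved on-disk path against the root before opening the file.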


 Source Message Contents

Subject:  [[ TH 026 Inc. ]] SA #3 - Shambala Server 4.5, Directory Traversal and DoS


  Telhack 026 Inc. Security Advisory - #3
_________________________________________

Name: Shambala Server 4.5
Impact: Major (FTP Server vuln.), Medium (Web Server vuln.)
Date: June 30 / 2002
_________________________________________




_I N F O_

Shambala Server is a personal Web/FTP server for Win 9*/NT.
When the web server is started it also starts the integrated
FTP server. There are two previous issues that have been
disclosed on bugtraq by zillion in 2000 but he seems to have
missed these things.

Both of them: http://online.securityfocus.com/archive/1/138501

Vendor is at: http://www.evolvable.com , and yes, they were notified,
see bottom.



_P R O B L E M_

The integrated FTP server is vulnerable to a directory traversal
attack, that enables attackers to view the entire directory
structure and also download any file in it. There is also a
DoS condition present in the web server.



_I M P A C T_

An authenticated user may view any directory and/or download
any file on the system. An authenticated user may use this
to download the !_cleartext_! password file that lies one ..
below the web root.

I have also found a DoS condition in the Web server that
generates "Run-time error'5': Invalid procedure call or argument"
and crashes the server.

According to www.download.com, the program has been downloaded
57,957 times and 40 times last week. So it seems like this program
is still in use.



_E X P L O I T I N G_

Directory traversal / get any file
----------------------------------
ftp> ls ../../../  - and so on...
ftp> get ../../../ - and so on...

DoS condition in the Web server
-------------------------------
you# telnet 192.168.0.11 80
Trying 192.168.0.11...
Connected to 192.168.0.11.
Escape character is '^]'.
Connection closed by foreign host.
you#



_F I X E S_

Spent almost 20 minutes digging in the evolvable.com website for
an e-mail address to contact them by, but none found. So I ended
up taking the e-mail address from another (2 year old) advisory.
Still no reply. So the fix for now is: Uninstall Shambala.





http://www.swesec.tk
http://www.telhack.tk


 
 

