Fw: Multiple Vulnerabilities in Sambar Server

From: NGSSoftware Insight Security Research Advisory (NISR) (NISRat_private)
Date: Mon Apr 01 2002 - 12:26:13 PST


    ----- Original Message -----
    From: NGSSoftware Insight Security Research Advisory (NISR)
    To: bugtraqat_private
    Sent: Monday, April 01, 2002 12:07 PM
    Subject: Multiple Vulnerabilities in Sambar Server
    
    
    NGSSoftware Insight Security Research Advisory
    
    Name:    Sambar Server 5.0 (server.exe)
    Systems Affected:  WinNT, Win2K, XP
    Severity:  High Risk
    Category:  Buffer Overrun / DOS x 3
    Vendor URL:   http://www.Sambar.com.com/
    Author:   Mark Litchfield (markat_private)
    Date:   1st April 2002
    Advisory number: #NISR01042002
    
    
    Description
    ***********
    Sambar Server is a web server that runs on Microsoft Windows 2000, XP, NT,
    ME, 98 & 95 and is run as a Service on NT, 2000, & XP.
    
    Details
    *******
    
    BufferOverrun - By sending an overly long username and password, an access
    violation occurs in MSVCRT.dll (Server.exe) overwriting the saved return
    address with (in this case) 41414141.  As server.exe is started as a system
    service, any execution of arbitrary code would be run with system privileges.
    
    DOS 1)
    
    By supplying an overly long string to a specific HTTP header field, an access
    violation occurs in SAMBAR.DLL and kills server.exe.
    
    DOS 2)
    
    GET /cgi-win/testcgi.exe?(long char string)
    
    DOS 3)
    
    GET /cgi-win/Pbcgi.exe?(long char string)
    
    
    Fix Information
    ***************
    NGSSoftware alerted SAMBAR to these problems on 27th March 2002. The patches
    are available from http://www.sambarserver.com/download/sambar51p.exe.
    NGSSoftware would like to take this opportunity to thank Tod Sambar who
    spent his Easter weekend creating these patches, demonstrating his
    commitment to the security of his customers.
    
    
    A check for these issues has been added to Typhon II, of which more
    information is available from the
    NGSSoftware website, http://www.ngssoftware.com.
    
    Further Information
    *******************
    
    For further information about the scope and effects of buffer overflows,
    please see
    
    http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
    http://www.ngssoftware.com/papers/ntbufferoverflow.html
    http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
    http://www.ngssoftware.com/papers/unicodebo.pdf
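
Added example, not part of the advisory and not NGSSoftware or Sambar code: a log check for over-long query strings sent to the two CGI programs listed under DOS 2 and DOS 3. It assumes access logs in Common Log Format and a 1024-byte threshold (the advisory states no length); the function and variable names are illustrative.

```python
import re
from urllib.parse import unquote, urlsplit

# CGI programs named in the advisory (DOS 2 and DOS 3), lower-cased because
# Windows path lookups are case-insensitive.
WATCHED_PATHS = {"/cgi-win/testcgi.exe", "/cgi-win/pbcgi.exe"}
# Assumed threshold: the advisory gives no length, so tune it to local traffic.
MAX_QUERY_LEN = 1024

# Common Log Format (assumed): host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}|-) (\d+|-)')


def flag_long_cgi_queries(lines, max_len=MAX_QUERY_LEN):
    """Return (client, timestamp, path, query_length) for suspicious requests."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, when, request = m.group(1), m.group(2), m.group(3)
        parts = request.split(" ")
        if len(parts) < 2:
            continue  # truncated or malformed request line
        target = urlsplit(parts[1])
        # Decode %-escapes and fold case so /CGI-WIN/Pbcgi.exe also matches.
        path = unquote(target.path).lower()
        if path in WATCHED_PATHS and len(target.query) > max_len:
            hits.append((client, when, path, len(target.query)))
    return hits


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Apr/2002:12:00:01 -0800] "GET /index.htm HTTP/1.0" 200 5120',
    '192.0.2.10 - - [01/Apr/2002:12:00:05 -0800] "GET /cgi-win/testcgi.exe?name=demo HTTP/1.0" 200 312',
    '198.51.100.7 - - [01/Apr/2002:12:03:44 -0800] "GET /cgi-win/testcgi.exe?' + "A" * 4000 + ' HTTP/1.0" - -',
    '198.51.100.7 - - [01/Apr/2002:12:04:10 -0800] "GET /CGI-WIN/Pbcgi.exe?' + "A" * 4000 + ' HTTP/1.0" - -',
    'not a log line',
]

if __name__ == "__main__":
    for hit in flag_long_cgi_queries(SAMPLE_LOG):
        print("long query to watched CGI: %s at %s %s (%d bytes)" % hit)
```

Ordinary short requests to the same CGI paths are not flagged; only the query length past the threshold triggers a hit.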
    


