Re: Multiple Vulnerabilties Sambar Webserver

From: Tamer Sahin (tsat_private)
Date: Tue Apr 02 2002 - 17:03:41 PST


    This vulnerability was already discovered in January of this year.
    
    http://www.securityoffice.net/articles/sambar/
    http://www.securityfocus.com/bid/3885
    
    Best Regards;
    
    Tamer Sahin
    http://www.securityoffice.net
    
     > -----Original Message-----
     > From: NGSSoftware Insight Security Research Advisory (NISR)
     > [mailto:NISRat_private]
     > Sent: lundi 1 avril 2002 22:26
     > To: bugtraqat_private
     > Subject: Fw: Multiple Vulnerabilties in Sambar Server
     >
     >
     > ----- Original Message -----
     > From: NGSSoftware Insight Security Research Advisory (NISR)
     > To: bugtraqat_private
     > Sent: Monday, April 01, 2002 12:07 PM
     > Subject: Multiple Vulnerabilties in Sambar Server
     >
     >
     > NGSSoftware Insight Security Research Advisory
     >
     > Name:    Sambar Server 5.0 (server.exe)
     > Systems Affected:  WinNT, Win2K, XP
     > Severity:  High Risk
     > Category:  Buffer Overrun / DOS x 3
     > Vendor URL:   http://www.Sambar.com.com/
     > Author:   Mark Litchfield (markat_private)
     > Date:   1st April 2002
     > Advisory number: #NISR01042002
     >
     >
     > Description
     > ***********
     > Sambar Server is a web server that runs on Microsoft Windows 2000, XP, NT,
     > ME, 98 & 95 and is run as a Service on NT, 2000, & XP
     >
     > Details
     > *******
     >
     > BufferOverrun - By sending an overly long username and password, an access
     > violation occurs in MSVCRT.dll (Server.exe) overwriting the saved return
     > address with (in this case) 41414141.  As server.exe is started as a system
     > service, any execution of arbitrary code would be run with system privileges.
     >
     > DOS 1)
     >
     > By supplying an overly long string to a specific HTTP header field an access
     > violation occurs in SAMBAR.DLL and kills server.exe
     >
     > DOS 2)
     >
     > GET /cgi-win/testcgi.exe?(long char string)
     >
     > DOS 3)
     >
     > GET /cgi-win/Pbcgi.exe?(long char string)
     >
     >
     > Fix Information
     > ***************
     > NGSSoftware alerted SAMBAR to these problems on 27th March 2002. The patches
     > are available from http://www.sambarserver.com/download/sambar51p.exe.
     > NGSSoftware would like to take this opportunity to thank Tod Sambar who
     > spent his Easter weekend creating these patches, demonstrating his
     > commitment to the security of his customers.
     >
     >
     > A check for these issues has been added to Typhon II, of which more
     > information is available from the
     > NGSSoftware website, http://www.ngssoftware.com.
     >
     > Further Information
     > *******************
     >
     > For further information about the scope and effects of buffer overflows,
     > please see
     >
     > http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
     > http://www.ngssoftware.com/papers/ntbufferoverflow.html
     > http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
     > http://www.ngssoftware.com/papers/unicodebo.pdf
    



    This archive was generated by hypermail 2b30 : Tue Apr 02 2002 - 21:19:14 PST