Sambar Server : Crashing service with search.pl

From: Lorenzo Manuel Hernandez Garcia-Hierro (securityat_private)
Date: Sat Jun 21 2003 - 03:02:51 PDT


    
    --------------------
    Product: Sambar Server
    Vendor: Sambar Technologies 
    Versions:
             VULNERABLE
             
             - 6.0 ?
             - 5.x
             - 4.x
             - 3.x
            
             NOT VULNERABLE
            
             - ?
    ---------------------
    
    Description:
    
    Multi-threaded, extensible Application Server with highly programmable 
    API 
    Virtual domain support (currently name based) with independent 
    document/CGI directories, log files, and error templates. 
    HTTP 1.1 KeepAlive (performance enhancing) and byte-range (download 
    resume) support 
    Dynamic content compression 
    HTTPS (SSL) 128-bit encryption support (OpenSSL included) 
    Integrated Log File Analysis 
    Documents and images can be cached in memory for performance 
    Document and CGI directory aliasing 
    Customizable and scriptable error templates allow database and email 
    notification.
    
    Graphing performance monitors and automatic log file report generation. 
    Bandwidth and per-user throttling. 
    Dynamic pages using CGI, ISAPI, JAVA, and SSI. Internal ODBC allows 
    connections to most database types (Oracle, MS-SQL, MySQL, Access, etc) 
    Built-in SQL RDBMS (SQLite) for prototyping and modest projects. 
    
    -----------------------------------------
    SECURITY HOLES FOUND and PROOFS OF CONCEPT:
    -----------------------------------------
     
    I encountered a buffer overflow vulnerability in the search system's 
    Perl file (search.pl); with this you can corrupt the stack. The failure 
    occurs when you send a specially crafted query.
    
    ---------------------
    | BUFFER OVERFLOW   |
    | IN SEARCH.PL      |
    ---------------------
    
    Code with the hole:
    _______________________________________________________
    # Buffer the POST content (CONTENT_LENGTH is used without any upper bound)
    my $buffer;
    my %FORM;
    read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});

    # Process the name=value argument pairs
    my $pair;
    my $name;
    my $value;
    my @args = split(/&/, $buffer);

    foreach $pair (@args)
    {
      ($name, $value) = split(/=/, $pair);

      # Unescape the argument value
      $value =~ tr/+/ /;                # <---  LOOK HERE
      $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;

      # Save the name=value pair for use below.
      $FORM{$name} = $value;
    }
    ________________________________________________________
    
     
    Proof of Concepts:
    
    You must make a POST request to the search.pl script with the 
    following content:
    
    
    QUERY TO USE FOR THE BUFFER OVERFLOW:
    
    .+.+a+.+b+.+c+.+d+.+E+.+D+.+gh+sd+.+sF+.+.+G0+.+H0+.+J1+.+L2+.+2M+.+G0
    
    You can send other queries including + and . too, but you must include 
    other characters.
    
    I think that the problem is in the way search.pl recognizes the 
    query logic operator and the +.
    search.pl crashes and the Sambar server crashes too; if you continue 
    sending these requests, the server machine
    must be restarted. The search.pl script doesn't have a limit on the 
    number of characters in the query.
    
    -----------
    | CONTACT |
    -----------
    
    Lorenzo Hernandez Garcia-Hierro
     --- Computer Security Analyzer ---
     --Nova Projects Professional Coding--
     PGP: Keyfingerprint
     B6D7 5FCC 78B4 97C1  4010 56BC 0E5F 2AB2
     ID: 0x9C38E1D7
     **********************************
     www.novappc.com
     security.novappc.com
     www.lorenzohgh.com
     ______________________
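    A hardened version of the same name=value POST parser, added here as an 
    example and not code from Sambar or from the advisory author: it rejects a 
    missing, non-numeric or oversized CONTENT_LENGTH before reading, and caps 
    each decoded value, which is the limit the advisory says search.pl lacks. 
    The function name parse_post and the two size limits are assumed values.

```perl
#!/usr/bin/perl
# Added example, not Sambar's code: bounded form parsing for a CGI script.
use strict;
use warnings;

my $MAX_CONTENT = 4096;   # assumed cap on the whole POST body, in bytes
my $MAX_VALUE   = 256;    # assumed cap on any single decoded field value

# Reads one POST body from $fh and returns a hash ref of form fields.
# Dies with an HTTP-style reason instead of processing unbounded input.
sub parse_post {
    my ($fh, $content_length) = @_;

    # Validate Content-Length before a single byte is read.
    die "411 Length Required\n"
        unless defined $content_length && $content_length =~ /^\d+$/;
    die "413 Request Entity Too Large\n" if $content_length > $MAX_CONTENT;

    my $buffer = '';
    my $got = read($fh, $buffer, $content_length);
    die "400 Bad Request\n" unless defined $got && $got == $content_length;

    my %form;
    foreach my $pair (split /&/, $buffer) {
        # Split on the first '=' only, so values may contain '='.
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $name && length $name;
        $value = '' unless defined $value;

        # Same unescaping as the original script, applied after the size checks.
        $value =~ tr/+/ /;
        $value =~ s/%([a-fA-F0-9]{2})/pack("C", hex($1))/eg;

        die "413 Request Entity Too Large\n" if length($value) > $MAX_VALUE;
        $form{$name} = $value;
    }
    return \%form;
}

# Stand-alone check on constructed bodies instead of real STDIN.
my $body = "q=.+.+a+.+b&page=2";
open my $in, '<', \$body or die $!;
my $form = parse_post($in, length $body);
print "q=[$form->{q}] page=[$form->{page}]\n";

$body = 'q=' . ('.+' x 3000);   # constructed oversized query
open $in, '<', \$body or die $!;
eval { parse_post($in, length $body) };
print "oversized body rejected: $@";
```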
    



    This archive was generated by hypermail 2b30 : Mon Jun 23 2003 - 13:47:51 PDT