Sambar Server : Crashing service with search.pl

--------------------
Product: Sambar Server
Vendor: Sambar Technologies
Versions:

         VULNERABLE
         - 6.0 ?
         - 5.x
         - 4.x
         - 3.x

         NOT VULNERABLE
         - ?
---------------------



Description:

Multi-threaded, extensible Application Server with highly programmable API
Virtual domain support (currently name based) with independent document/CGI directories, log files, and error templates.
HTTP 1.1 KeepAlive (performance enhancing) and byte-range (download resume) support
Dynamic content compression
HTTPS (SSL) 128-bit encryption support (OpenSSL included)
Integrated Log File Analysis
Documents and images can be cached in memory for performance
Document and CGI directory aliasing
Customizable and scriptable error templates allow database and email notification.

Graphing performance monitors and automatic log file report generation.
Bandwidth and per-user throttling.
Dynamic pages using CGI, ISAPI, JAVA, and SSI. Internal ODBC allows connections to most database types (Oracle, MS-SQL, MySQL, Access, etc.)
Built-in SQL RDBMS (SQLite) for prototyping and modest projects.



-----------------------------------------
SECURITY HOLES FOUND and PROOFS OF CONCEPT:
-----------------------------------------

I encountered a buffer overflow vulnerability in the search system, in the Perl file (search.pl); with this you can corrupt the stack. The failure occurs when you send a specially crafted query.



---------------------
| BUFFER OVERFLOW   |
| IN SEARCH.PL      |
---------------------

Code with the hole:
_______________________________________________________
 # Buffer the POST content
 read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});

 # Process the name=value argument pairs
 my $pair;
 my $name;
 my $value;
 my @args = split(/&/, $buffer);

 foreach $pair (@args)
 {
  ($name, $value) = split(/=/, $pair);

  # Unescape the argument value
  $value =~ tr/+/ /;                # <---  LOOK HERE
  $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;

  # Save the name=value pair for use below.
  $FORM{$name} = $value;
 }
________________________________________________________



Proof of Concepts:

You must do a request in POST mode to the search.pl script with the following content:

QUERY TO USE FOR THE BUFFER OVERFLOW:

.+.+a+.+b+.+c+.+d+.+E+.+D+.+gh+sd+.+sF+.+.+G0+.+H0+.+J1+.+L2+.+2M+.+G0

You can send other queries including + and . too, but you must include other characters.

I think that the problem is in the way search.pl recognizes the query logic operator and the +.
The search.pl crashes and the Sambar server crashes too; if you continue sending these requests, the server machine must be restarted. The search.pl script doesn't have a limit on the number of characters in the query.
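As an added example (not part of the original advisory and not Sambar's own search.pl), here is the same POST-parsing routine with the bounds checks the advisory notes are missing: CONTENT_LENGTH is validated and capped before the read, and each decoded value is length-limited before it is stored. The MAX_* limits and the parse_post_form name are assumptions; the advisory does not pin down where the crash actually happens, so this only demonstrates input bounding at the script level.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical limits; the original search.pl imposes none (see advisory).
use constant MAX_CONTENT_LENGTH => 4096;   # bytes of POST body accepted
use constant MAX_QUERY_LENGTH   => 256;    # characters allowed in one value

# Parse a POST body the way search.pl does, but with bounds checks.
# Returns a hash ref of name => value pairs, or dies with a short reason.
sub parse_post_form {
    my ($fh, $content_length) = @_;

    die "missing or non-numeric CONTENT_LENGTH\n"
        unless defined $content_length && $content_length =~ /^\d+$/;
    die "request body too large\n" if $content_length > MAX_CONTENT_LENGTH;

    my $buffer = '';
    my $got = read($fh, $buffer, $content_length);
    die "short read\n" unless defined $got && $got == $content_length;

    my %form;
    for my $pair (split /&/, $buffer) {
        my ($name, $value) = split /=/, $pair, 2;   # only split on first '='
        next unless defined $name && length $name;
        $value = '' unless defined $value;

        # Same unescaping as search.pl: '+' to space, then %XX decoding
        $value =~ tr/+/ /;
        $value =~ s/%([a-fA-F0-9]{2})/pack("C", hex($1))/eg;

        # Reject oversized values instead of passing them on unchecked
        die "value for '$name' too long\n" if length $value > MAX_QUERY_LENGTH;
        $form{$name} = $value;
    }
    return \%form;
}

# Demonstration with constructed bodies (not captured requests).
my $body = "query=.+.+a+.+b+.+c&mode=all";
open my $in, '<', \$body or die $!;
my $form = parse_post_form($in, length $body);
printf "%s => [%s]\n", $_, $form->{$_} for sort keys %$form;

# An oversized body is refused before anything is read or decoded.
my $big = "query=" . ("+." x 3000);
open my $in2, '<', \$big or die $!;
my $form2 = eval { parse_post_form($in2, length $big) };
print "rejected: $@" unless $form2;
```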



-----------
| CONTACT |
-----------

Lorenzo Hernandez Garcia-Hierro
 --- Computer Security Analyzer ---
 --Nova Projects Professional Coding--
 PGP: Keyfingerprint
 B6D7 5FCC 78B4 97C1  4010 56BC 0E5F 2AB2
 ID: 0x9C38E1D7
 **********************************
 www.novappc.com
 security.novappc.com
 www.lorenzohgh.com
 ______________________