TUCoPS :: Web :: Servers :: bt599.txt

Gattaca Server 2003 Vulnerable to Multiple vulnerabilities




=====================================================================

Security Corporation Security Advisory [SCSA-019]



Gattaca Server 2003 Vulnerable to Multiple vulnerabilities

=====================================================================



PROGRAM: Gattaca Server 2003

HOMEPAGE: www.gattaca-server.com

VULNERABLE VERSIONS: 1.0.8.1 and prior ?

RISK: Low/Medium

IMPACT: Show file and directory content

Denial of Service

Directory Traversal

Cross Site Scripting

RELEASE DATE: 2003-07-10



Security Corporation's Free weekly Newsletter :

http://www.security-corporation.com/newsletter.html



=====================================================================

TABLE OF CONTENTS

=====================================================================



1..........................................................DESCRIPTION

2..............................................................DETAILS

3.............................................................EXPLOITS

4............................................................SOLUTIONS

5...........................................................WORKAROUND

6..................................................DISCLOSURE TIMELINE

7..............................................................CREDITS

8...........................................................DISCLAIMER

9...........................................................REFERENCES

10............................................................FEEDBACK



1. DESCRIPTION

=====================================================================



Gattaca Server is "A high performance Windows NT based Mail and Web

Server software for building own intranet. You may register unlimited

users, use unlimited domains. Supporting POP3, SMTP, and HTTP

protocols.

Integrated with TMPL library, allow you write own CGI scripts"



(direct quote from http://www.gattaca-server.com/)





2. DETAILS

=====================================================================



- Shows file and directory content :



When sending a GET with 2 slashes ("//"), then the server shows all

files in the directory content. An attacker can see all hidden

(non-HTML linked) files and directories on the server.





- Denial of Service :



A security vulnerability in Gattaca Server 2003 allows remote and

local attackers to cause the server to crash by executing a specific

command (LLIST) with a buffer of 1048 bytes in length or more.



The command can be issued to the server either by using the Gattaca

Console.(C:\WINNT\system32\gattaca.exe)





- Directory Traversal :



A security vulnerability in Gattaca Server 2003 allows remote

attackers to gain access to system files.





- Cross Site Scripting :



A exploitable bug was found in Gattaca Server 2003 which cause

script execution on client's computer by following a crafted url.



This kind of attack known as "Cross-Site Scripting Vulnerability"

is present in view2.tmpl file, an attacker can input specially crafted

links and/or other malicious scripts.









3. EXPLOIT

=====================================================================



- Show file and directory content :



http://[target]//



You will get this :

http://www.security-corporation.com/download/SCSA-019.png





- Denial of Service :



In Gattaca Console :



$> LLIST AAAA...[1024]...AAAA



ggesvr32.exe crash at once.





- Directory Traversal :



http://[target]/view.tmpl?testfile=../../winnt/win.ini





- Cross Site Scripting :



http://[target]/view2.tmpl?text=[hostile_code]



The hostile code could be :



[script]alert("Cookie="+document.cookie)[/script]



(open a window with the cookie of the visitor.)



(replace [] by <>)











4. SOLUTIONS

=====================================================================



No solution for the moment. Vendor fix bugs in the next release.





5. WORKAROUND

=====================================================================



- Show file and directory content :



Vendor response :



For fix this issue, you also need provide additional task



http://[target]//



2 ways:



1) Open notepad %systemroot%\gattaca.ini and remove extension for

configuration file



====================================

[GATTACA]

PATH=C:\GeeOSPub

ENVIRONMENT=C:\GeeOSPub\wwwroot\.config

SITE=C:\GeeOSPub\wwwroot\.config

====================================



Last 2 strings maybe removed, restarting is not needed.

New configuration settings will be updated by Gattaca

Server in 15 seconds.



====================================

[GATTACA]

PATH=C:\GeeOSPub

#ENVIRONMENT=C:\GeeOSPub\wwwroot\.config

#SITE=C:\GeeOSPub\wwwroot\.config

====================================



but you got problem with site sample, and best way is:



2) You may update C:\GeeOSPub\wwwroot\.config file too, it also has

structure



=====================

[HTTPFOLDER]

/=1

=====================



Changed it to



=====================

[HTTPFOLDER]

/=0

=====================



Also if you need view directory index of any folder append your

variables look like:



<url>=<status>



where status is 1 allowed to view, and 0 disabled view.

for example:



[HTTPFOLDER]

/=0

/pub=1

/pub/private=0



Also it is impossible view files started with dot (like .config etc), if

any clients want hide some files from directory index they should start

names of files from dot. It's by design.





- Denial of Service :



Vendor response :



For LLIST command, this is real problem too. But it's possible limit

access to computer where Gattaca Server installed.



- Directory Traversal :



Remove view.tmpl





- Cross Site Scripting :



Use the function php eregi_replace to filter the input data or

remove view2.tmpl



Vendor response :



For exploit (http://[target]/view2.tmpl?text=[hostile_code]) it is not

bug, because response to this GET/POST request got only attacker. And it

impossible to control server response to another client(s). It's by

design. This script (view2.tmpl) made for this purposes (allowing

end-user insert own code/text to output html), and if this work it is

fine. This mean that Gattaca Server properly configured, and work well.

For our opinion this is not bug or exploid, it is possible send data to

this script using GET/POST (POST it's better because client can send

more data)





6. DISCLOSURE TIMELINE

=====================================================================



08/07/2003 Vulnerability discovered

08/07/2003 Vendor notified

09/07/2003 Vendor response

09/07/2003 Security Corporation clients notified

09/07/2003 Started e-mail discussions

10/07/2003 Last e-mail received

10/07/2003 Public disclosure





7. CREDITS

=====================================================================



Discovered by Gregory Le Bras <gregory.lebras@security-corporation.com>





8. DISLAIMER

=====================================================================



The information within this paper may change without notice. Use of

this information constitutes acceptance for use in an AS IS condition.

There are NO warranties with regard to this information. In no event

shall the author be liable for any damages whatsoever arising out of

or in connection with the use or spread of this information. Any use

of this information is at the user's own risk.





9. REFERENCES

=====================================================================



- Original Version:

http://www.security-corporation.com/advisories-019.html



- Version Française:

http://www.security-corporation.com/index.php?id=advisories&a=019-FR





10. FEEDBACK

=====================================================================



Please send suggestions, updates, and comments to:



Security Corporation

http://www.security-corporation.com

info@security-corporation.com


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH