[24919] in bugtraq
Re: Multiple Vulnerabilities Sambar Webserver
daemon@ATHENA.MIT.EDU (Tamer Sahin)
Wed Apr 3 00:19:22 2002
Message-ID: <3CAA54ED.5080408@securityoffice.net>
Date: Tue, 02 Apr 2002 17:03:41 -0800
From: Tamer Sahin <ts@securityoffice.net>
Reply-To: ts@securityoffice.net
MIME-Version: 1.0
To: bugtraq@securityfocus.com,
"NGSSoftware Insight Security Research Advisory (NISR)" <NISR@ngssoftware.com>,
vulndb@securityfocus.com
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

This vulnerability was already discovered in January of this year.

http://www.securityoffice.net/articles/sambar/
http://www.securityfocus.com/bid/3885

Best Regards;
Tamer Sahin
http://www.securityoffice.net

> -----Original Message-----
> From: NGSSoftware Insight Security Research Advisory (NISR)
> [mailto:NISR@ngssoftware.com]
> Sent: Monday, 1 April 2002 22:26
> To: bugtraq@securityfocus.com
> Subject: Fw: Multiple Vulnerabilities in Sambar Server
>
>
> ----- Original Message -----
> From: NGSSoftware Insight Security Research Advisory (NISR)
> To: bugtraq@securityfocus.com
> Sent: Monday, April 01, 2002 12:07 PM
> Subject: Multiple Vulnerabilities in Sambar Server
>
>
> NGSSoftware Insight Security Research Advisory
>
> Name: Sambar Server 5.0 (server.exe)
> Systems Affected: WinNT, Win2K, XP
> Severity: High Risk
> Category: Buffer Overrun / DOS x 3
> Vendor URL: http://www.Sambar.com.com/
> Author: Mark Litchfield (mark@ngssoftware.com)
> Date: 1st April 2002
> Advisory number: #NISR01042002
>
>
> Description
> ***********
> Sambar Server is a web server that runs on Microsoft Windows 2000, XP, NT,
> ME, 98 & 95 and is run as a Service on NT, 2000, & XP
>
> Details
> *******
>
> BufferOverrun - By sending an overly long username and password, an access
> violation occurs in MSVCRT.dll (Server.exe) overwriting the saved return
> address with (in this case) 41414141. As server.exe is started as a system
> service, any execution of arbitrary code would be run with system privileges.
>
> DOS 1)
>
> By supplying an overly long string to a specific HTTP header field an access
> violation occurs in SAMBAR.DLL and kills server.exe
>
> DOS 2)
>
> GET /cgi-win/testcgi.exe?(long char string)
>
> DOS 3)
>
> GET /cgi-win/Pbcgi.exe?(long char string)
>
>
> Fix Information
> ***************
> NGSSoftware alerted SAMBAR to these problems on 27th March 2002. The patches
> are available from http://www.sambarserver.com/download/sambar51p.exe.
> NGSSoftware would like to take this opportunity to thank Tod Sambar who
> spent his Easter weekend creating these patches, demonstrating his
> commitment to the security of his customers.
>
>
> A check for these issues has been added to Typhon II, of which more
> information is available from the
> NGSSoftware website, http://www.ngssoftware.com.
>
> Further Information
> *******************
>
> For further information about the scope and effects of buffer overflows,
> please see
>
> http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
> http://www.ngssoftware.com/papers/ntbufferoverflow.html
> http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
> http://www.ngssoftware.com/papers/unicodebo.pdf
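
A log check for the two CGI requests listed under DOS 2 and DOS 3 of the quoted advisory, as an added example that is not part of the original post or of NGSSoftware's advisory. The Common Log Format input, the 1024-byte limit, the 64-character filler rule and the names `inspect` and `scan` are assumptions made for illustration; the advisory itself only says "long char string".

```python
import re
from urllib.parse import unquote

# Assumption: Common Log Format; adapt the pattern to your server or proxy.
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] '
                 r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}|-)')
# CGI programs named in the advisory (DOS 2 and DOS 3), lower-cased.
WATCHED = ("/cgi-win/testcgi.exe", "/cgi-win/pbcgi.exe")
MAX_QUERY = 1024                    # assumed limit; the advisory gives no length
FILLER = re.compile(r"(.)\1{63,}")  # assumed: 64+ repeats of one character

def inspect(line):
    """Return a finding dict for a suspicious request line, else None."""
    m = CLF.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    # Decode %xx escapes and fold case: Windows file names are case-insensitive.
    norm = unquote(path).replace("\\", "/").lower()
    if norm not in WATCHED:
        return None
    reasons = []
    if len(query) > MAX_QUERY:
        reasons.append("long-query")
    if FILLER.search(unquote(query)):
        reasons.append("filler-run")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "path": norm, "status": m.group("status"),
            "query_len": len(query), "reasons": reasons}

def scan(lines):
    """Inspect every log line and keep only the findings."""
    return [f for f in map(inspect, lines) if f]

# Constructed sample log lines (documentation IP ranges), not real traffic.
TS = "[01/Apr/2002:12:07:00 -0800]"
SAMPLE_LOG = [
    f'192.0.2.10 - - {TS} "GET /index.htm HTTP/1.0" 200 1043',
    f'192.0.2.10 - - {TS} "GET /cgi-win/testcgi.exe?name=test HTTP/1.0" 200 512',
    f'198.51.100.7 - - {TS} "GET /cgi-win/testcgi.exe?{"A" * 2000} HTTP/1.0" - -',
    f'198.51.100.7 - - {TS} "GET /CGI-WIN/Pbcgi.exe?{"B" * 100} HTTP/1.0" 500 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Because the advisory describes these requests as killing server.exe, the fatal request may never reach the server's own log, so a front-end proxy or IDS log is the more reliable input.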