xitami-2.5b4.txt

22 Nov 2001 | Reported by Zerologic | Type: packetstorm | Source: packetstormsecurity.com

Multiple security vulnerabilities found in Xitami Web/FTP server version 2.5b4, risking data exposure.

Code
`Network Security Solutions Inc. Security Advisory  
(Philippine based Security Company)  
  
Http://www.Nssolution.net  
Http://connect.to/nssi  
  
]*** Xitami WEB/FTP release 2.5b4 Server Multiple Security Vulnerabilities ***[  
  
Author: Abraham Lincoln   
handle: zer0logic  
  
Email : [email protected], [email protected],  
[email protected]  
  
Date Discovered: November 29, 2000  
Vendor: iMatix Corporation  
  
Disclaimer:  
This paper is intended for informational purposes only. The Author is not  
responsible for the use and/or potential effects of these advisories.  
Read this at your own risk! or not at all.  
  
  
1] 1st Vulnerability - TestCgi.exe file vulnerability  
  
Version Affected: Xitami Web Server release 2.5b4  
for Win 95 / 98 / NT / Win2k  
Local : Yes  
Remote: Yes  
Risk: Medium  
  
Problem Description:  
  
- The /Cgi-Bin directory in a default Xitami Webserver installation has a vulnerability that allows remote users to view   
information about your system and the webserver's directories by executing TestCgi.exe from a browser. Sample:   
Http://www.Target.com/cgi-bin/testcgi   
  
Sample output:  
  
Environment Variables  
  
COMPUTERNAME = MYSERVER  
COMSPEC = C:\WINNT\system32\cmd.exe  
HOMEDRIVE = C:  
HOMEPATH = \  
LOGONSERVER = \\MYSERVER  
NUMBER_OF_PROCESSORS = 1  
OS = Windows_NT  
OS2LIBPATH = C:\WINNT\system32\os2\dll;  
PATH = C:\WINNT\system32;C:\WINNT  
PROCESSOR_ARCHITECTURE = x86  
PROCESSOR_IDENTIFIER = x86 Family 6 Model 8 Stepping 3, GenuineIntel  
PROCESSOR_LEVEL = 6  
PROCESSOR_REVISION = 0803  
SYSTEMDRIVE = C:  
SYSTEMROOT = C:\WINNT  
TEMP = C:\TEMP  
TMP = C:\TEMP  
USERDOMAIN = MYSERVER  
USERNAME = Administrator  
USERPROFILE = C:\WINNT\Profiles\Administrator  
WINDIR = C:\WINNT  
HTTP_ACCEPT_CHARSET = iso-8859-1,*,utf-8  
HTTP_ACCEPT_LANGUAGE = en  
HTTP_ACCEPT_ENCODING = gzip  
HTTP_ACCEPT = image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*  
HTTP_HOST = 127.0.0.1  
HTTP_USER_AGENT = Mozilla/4.75 [en] (WinNT; U)  
HTTP_CONNECTION = Keep-Alive  
HTTP_CONTENT_LENGTH = 0  
SERVER_SOFTWARE = Xitami  
SERVER_VERSION = 2.5b4  
SERVER_NAME = 127.0.0.1  
SERVER_URL = http://127.0.0.1/  
SERVER_PORT = 0  
SERVER_PROTOCOL = HTTP/1.1  
SERVER_SECURITY = -  
GATEWAY_INTERFACE = CGI/1.1  
REQUEST_METHOD = GET  
QUERY_METHOD = GET  
SCRIPT_PATH = cgi-bin  
SCRIPT_NAME = /cgi-bin/testcgi  
CONTENT_TYPE =  
CONTENT_LENGTH = 0  
REMOTE_USER = -  
REMOTE_HOST = 127.0.0.1  
REMOTE_ADDR = 127.0.0.1  
PATH_INFO =  
PATH_TRANSLATED = C:/Xitami/webpages  
DOCUMENT_ROOT = C:/Xitami/webpages  
CGI_ROOT = C:/Xitami/cgi-bin  
CGI_URL = /cgi-bin  
CGI_STDIN = C:\TEMP\pipe0001.cgi  
CGI_STDOUT = C:\TEMP\pipe0001.cgo  
CGI_STDERR = cgierr.log  
  
The problem lies in the default installation of Xitami Webserver, which places testcgi.exe in the /cgi-bin directory.  
This could allow a malicious user to gain information about your system that can be used to penetrate the whole   
system.  
  
Work Around:  
Delete the testcgi.exe file, or disable the cgi-bin directory in Xitami Administration under cgi properties. Never run   
a default installation; always reconfigure your webserver after installing. Read some articles on WWW security   
and CGI vulnerabilities in the WWW Security FAQ @ http://www.w3.org/Security/Faq/  
  
  
2] 2nd Vulnerability - Plain text Password vulnerability  
  
Version Affected: Xitami Web Server release 2.5b4  
for Win 95 / 98 / NT / Win2k  
Local : Yes  
Remote: No  
Risk: Medium  
  
Problem Description:  
- I discovered that Xitami Webserver stores the plain-text password for Xitami Webserver Administration in the   
defaults.aut file in the default installation folder of Xitami webserver, which is C:\Xitami. Even if you change the installation folder,   
it is still the same.   
Example:  
defaults.aut   
# Created at installation time   
#  
[/Admin]  
admin="root123" <----- admin=username password=root123   
[Private]  
Jacky=robusta  
  
The problem arises when an attacker gains physical access to the Xitami root directory and opens the file Defaults.Aut.  
The attacker may use it to gain administrator access to the webserver administration, for example at http://localhost/admin: the   
attacker enters the username and password stored in defaults.aut and gains full access to the   
web server administration site.  
  
If you move the password file to another folder, the next time you log on to the Xitami Web Administration site this error   
appears --> Abort at smthttp:Resolve-Virtual-Hostname: (Have-Client-Request, Finished-Event). This makes the   
webserver unusable, and you need to reinstall the whole application.  
  
Work around:  
Don't leave your workstation or server open to physical access to the root directory of the Xitami web server, and always   
change the default folder for the webserver instead of using C:\Xitami.  
  
3] 3rd Vulnerability - Xitami Webserver and FTP Server for Win95/Win98 is Affected by /CON/CON exploit  
  
Version Affected: Xitami Web Server release 2.5b4  
for Win 95 / 98   
Local : Yes  
Remote: Yes  
Risk: High  
  
Problem Description:  
  
- Xitami Webserver and FTP Server are still vulnerable to the /Con/Con bug of Windows 95 and 98, which causes the   
webserver and FTP server to shut down or crash; sometimes even the whole operating system gets a fatal error. The   
application must be restarted to resume normal operation.  
  
The problem occurs when the attacker sends this request to the webserver --> GET /con/con HTTP/1.0. Using a   
telnet client against the remote host, type --> Telnet <Target IP> 80; once connected, enter the GET   
/con/con HTTP/1.0 command and press Enter. The server will then crash or shut down if the operating system is not patched for the Con/Con bug.  
  
On the FTP server, log in as an anonymous user or as any user that is allowed access to the FTP server, then execute   
this command: Ftp>cd /con/con. The FTP server will disconnect you from the remote host and will shut down or crash.  
  
Work Around:  
Install the Con/Con bug patch on your operating system, because the bug also lies in your OS. The patch is available @ the Microsoft website or @ http://packetstormsecurity.org/Win/ConConFix2.zip  
  
Vendor Status: iMatix Corporation has been notified of these vulnerabilities, but no patch has been issued yet.  
  
NOTE:   
Sorry for the grammar etc... coz this is just a 5 Minute Exploit. If u have some questions email me.. all spam mails and lame emails are just ignored. -zer0logic-  
  
Related Links: Http://www.nssolution.net  
Http://connect.to/nssi  
Http://www.Digital-Defense-Network.Net   
  
  
Feedback and Inquiries:  
If you have any questions, inquiries, feedback, concerns and  
updates pls don't hesitate to email us.  
  
For Inquiries,Concerns and updates - [email protected]  
  
for Comments and Questions - [email protected] ,[email protected]  
[email protected]   
IRC - Dal.net #DDN Undernet #Hackphreak  
  
Copyright(c) 2000-2001 Network Security Solutions Inc.  
Permission is hereby granted for the redistribution of this alert  
electronically. If you wish to reprint or modify this document, contact us  
1st or email us at: [email protected]  
`
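
Added example (not part of the original advisory or of Xitami): a log check that flags the two remotely reachable issues described above, requests for /cgi-bin/testcgi and request paths containing a reserved DOS device name such as /con/con. It generalizes beyond "con" to the other reserved device names and to URL-encoded or extension-suffixed forms. The Common Log Format layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Reserved DOS device names; "con" is the one named in the advisory.
DOS_DEVICES = {"con", "prn", "aux", "nul", "clock$"} | {
    f"{p}{n}" for p in ("com", "lpt") for n in range(1, 10)}

# Assumed log layout (Common Log Format): host - - [time] "METHOD path PROTO" status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3})')

def path_findings(raw_path):
    """Return the advisory-related reasons a request path should be flagged."""
    path = unquote(raw_path.split("?", 1)[0]).replace("\\", "/").lower()
    segments = [s for s in path.split("/") if s]
    findings = []
    # A device name still resolves to the device with an extension (con.gif).
    devices = [s for s in segments if s.split(".", 1)[0].rstrip() in DOS_DEVICES]
    if devices:
        findings.append("dos-device-path:" + ",".join(devices))
    if segments[-2:] in (["cgi-bin", "testcgi"], ["cgi-bin", "testcgi.exe"]):
        findings.append("testcgi-probe")
    return findings

def scan_log(lines):
    """Return (client, path, status, findings) for every flagged request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, _method, path, status = m.groups()
        found = path_findings(path)
        if found:
            hits.append((client, path, int(status), found))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Nov/2000:10:00:01 +0800] "GET /index.htm HTTP/1.0" 200 1043',
    '192.0.2.44 - - [29/Nov/2000:10:00:07 +0800] "GET /cgi-bin/testcgi HTTP/1.0" 200 2211',
    '192.0.2.44 - - [29/Nov/2000:10:00:09 +0800] "GET /con/con HTTP/1.0" 500 0',
    '192.0.2.44 - - [29/Nov/2000:10:00:12 +0800] "GET /images/%43ON.gif HTTP/1.0" 404 0',
    '192.0.2.10 - - [29/Nov/2000:10:00:15 +0800] "GET /contact/icon.gif HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The same `path_findings` check can sit in a reverse proxy or request filter in front of an unpatched host to reject such paths before they reach the server.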
