Re: Local / Remote GET Buffer Overflow Vulnerability in ZBServer 1.5 Pro Edition for Win98/NT

[devix () CANADA COM (Chris)]

I discovered this over 2 years ago and told them about it [summer '97], but I
guess they are just to lazy to care about security..  There is infact many more
problems with ZBServer Pro and Personal that I found out as well. Lets see if i
can recall them correctly. I don't have a windows machine handy to test them
out.

If you goto a url like http://zbserver.com/cgi-bin/./prog.exe it will send you
the .exe file instead of processing it.. same goes for the server side includes
you may have in your pages [http://zbserver.com/./index.html]. Very very bad
thing to do. =)

Also, and I believe this was only in the Personal edition but I may be wrong, if
you call up a dos cgi program with a url like http://zbserver.com/cgi-bin/[26
periods]/cgi.bat it will open a dos window on your desktop instead of running
the program it's supposed to.. This could lead to a DoS attack by opening 500
dos prompts on the desktop, and slowly using up memory. If i can find the file
I wrote up on all this, I'll pass it along.

I could be wrong about the details in that last paragraph, but I know it can be
done!

PS: If you are using the shareware version without registering, and it appends
that line 'Powered by ZBServer Pro' or something to that affect on the bottom
of every html page, you can very easily search out potential victims using
altavista..

I'm sure if you poke around you can discover more problems.

-devix
http://devix.dhs.org
PGP key available

 On Wed, 22 Dec 1999, you wrote: > Local / Remote GET Buffer Overflow
Vulnerability in ZBServer 1.5 Pro Edition > for Win98/NT >
> USSR Advisory Code:   USSR-99024
>
> Release Date:
> December 23, 1999
>
> Systems Affected:
> ZBServer 1.5 Pro Edition for Win98/NT and possibly others versions.
>
> About The Software:
> ZBServer Pro Edition is a full-featured Internet/Intranet server software
> package that includes HTTP (web), Gopher, FTP and Chat Services.
> Fast, inexpensive and easy-to-use, ZBServer Pro is small enough to run
> in the background of your Windows 95 or NT computer to provide users with
> full or restricted access to files, graphics, sounds or movies.
> ZBServer Pro can provide organizations of all sizes enterprise-wide web
> service to internal and external TCP/IP network users
>
> THE PROBLEM
>
> UssrLabs found a Local / Remote Buffer overflow, The code that handles GET
> commands
> has an unchecked buffer that will allow arbitrary code to be executed if it
> is overflowed.
>
>
> Do you do the w00w00?
> This advisory also acts as part of w00giving. This is another contribution
> to w00giving for all you w00nderful people out there. You do know what
> w00giving is don't you? http://www.w00w00.org/advisories.html
>
> Binary or source for this Exploit:
>
> http://www.ussrback.com/
>
> Vendor Status:
> i email the vendor, and i dont have a responce :(
>
> Vendor   Url: http://www.zbserver.com/
> Program Url: http://www.zbsoft.com/zbserver/index.htm
>
> Credit: USSRLABS
>
> SOLUTION
>  Noting yet.
>
> Greetings:
> Eeye, Attrition, w00w00, beavuh, Rhino9, ADM, L0pht, HNN, Technotronic and
> Wiretrip.
>
> u n d e r g r o u n d  s e c u r i t y  s y s t e m s  r e s e a r c h
> http://www.ussrback.com