COMMAND

    Sambar

SYSTEMS AFFECTED

    Sambar Server 4.3

PROBLEM

    Following is based on the Delphis Consulting Plc Security Team
    Advisory.  It was tested on Windows NT v4.0 Workstation (SP6).
    Delphis Consulting Internet Security Team (DCIST) discovered the
    following vulnerability in the Sambar Server under Windows NT.

    By using the default finger script shipped with Sambar Server it
    is possible to cause a buffer overrun in sambar.dll, overwriting
    the EIP and allowing the execution of arbitrary code.  This is
    done by sending a large hostname in the required field.  The
    string has to be a length of 32286 + EIP (4 bytes), making a total
    of 32290 bytes.  Using GET /session/finger?host=long_string_here
    you can still make it (providing a URL can be that long).  Or
    better, use a POST request, posted from another computer to the
    Sambar Server.

    From the research it seems the problem also exists in a number of
    scripts which rely on sambar.dll functionality; this includes, but
    is not limited to:

        o whois demonstration script
        o finger demonstration script
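    The following is an added detection example, not part of the original
    advisory: it flags requests to the finger and whois sample scripts whose
    "host" parameter is far longer than any legal hostname, in both access
    log lines (GET) and raw request bodies (POST).  It assumes a common-log
    style request line and that the whois script lives at /session/whois by
    analogy with the advisory's /session/finger path; the log lines and the
    POST request are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Sample-script endpoints that hand the "host" field to the netutils code.
# /session/finger comes from the advisory; /session/whois is an assumption.
NETUTILS_PATHS = {"/session/finger", "/session/whois"}
# 255 is the longest legal DNS name; the advisory's payload is over 32000.
MAX_HOST_LEN = 255

# Request line inside a common-log style access log entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')


def host_param_length(target, body=""):
    """Return (path, length of the longest 'host' value) taken from the
    query string and, for POST, from a form-encoded body."""
    parts = urlsplit(target)
    values = parse_qs(parts.query).get("host", [])
    if body:
        values += parse_qs(body).get("host", [])
    longest = max((len(v) for v in values), default=0)
    return parts.path, longest


def is_suspicious(target, body="", limit=MAX_HOST_LEN):
    """True when a netutils sample script is called with an oversized host."""
    path, longest = host_param_length(target, body)
    return path in NETUTILS_PATHS and longest > limit


def scan_access_log(lines):
    """Return the log lines whose GET query carries an oversized host."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if m and is_suspicious(m["target"]):
            hits.append(line)
    return hits


def scan_raw_request(raw):
    """Check a raw HTTP request (headers + body), so POSTed hosts are seen
    even though they never reach the access log's request line."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    _method, target, _version = request_line.split(" ", 2)
    return is_suspicious(target, body)


# Constructed sample data (not from the advisory).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2000:10:00:00 +0000] '
    '"GET /session/finger?host=mail.example.com HTTP/1.0" 200 512',
    '10.0.0.9 - - [01/Jan/2000:10:00:01 +0000] '
    '"GET /session/finger?host=' + 'A' * 3000 + ' HTTP/1.0" 500 0',
    '10.0.0.9 - - [01/Jan/2000:10:00:02 +0000] '
    '"GET /index.htm HTTP/1.0" 200 1024',
]
SAMPLE_POST = (
    "POST /session/finger HTTP/1.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 3005\r\n\r\n"
    "host=" + "A" * 3000
)

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("oversized host in access log:", hit[:80], "...")
    print("POST sample suspicious:", scan_raw_request(SAMPLE_POST))
```

    Access logs only show the GET form; the POST variant the advisory
    prefers has to be caught at a proxy or IDS that sees request bodies,
    which is why scan_raw_request exists alongside the log scanner.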

SOLUTION

    The only fix is to change or remove the following line in
    config.ini, as follows:

        INIT = samples.dll:netutils_init

    to:

        # INIT = samples.dll:netutils_init
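    An added example, not part of the original advisory, that audits a
    config.ini for the line above and applies the fix: it reports whether an
    uncommented "INIT = samples.dll:netutils_init" entry is still present and
    returns the text with that entry commented out.  The sample config is
    constructed; the key name and value are the ones the advisory gives.

```python
import re

# The netutils loader line from the advisory.  The optional "comment" group
# records whether the line is already disabled with a leading "#".
NETUTILS_INIT = re.compile(
    r'^(?P<indent>[ \t]*)(?P<comment>#[ \t]*)?'
    r'INIT[ \t]*=[ \t]*samples\.dll:netutils_init[ \t]*$',
    re.IGNORECASE | re.MULTILINE,
)


def netutils_enabled(config_text):
    """True if any active (uncommented) netutils INIT line is present."""
    return any(m["comment"] is None for m in NETUTILS_INIT.finditer(config_text))


def disable_netutils(config_text):
    """Return config text with every active netutils INIT line commented out;
    lines that are already commented are left untouched."""
    def comment_out(m):
        if m["comment"] is not None:
            return m.group(0)
        return m["indent"] + "# INIT = samples.dll:netutils_init"
    return NETUTILS_INIT.sub(comment_out, config_text)


def audit_config_file(path):
    """Read a config.ini from disk and report whether it needs the fix."""
    with open(path, encoding="latin-1") as fh:
        return netutils_enabled(fh.read())


# Constructed sample config.ini fragment (not a real Sambar file).
SAMPLE_CONFIG = (
    "# sample configuration\n"
    "INIT = samples.dll:netutils_init\n"
    "\n"
)

if __name__ == "__main__":
    print("netutils enabled before fix:", netutils_enabled(SAMPLE_CONFIG))
    fixed = disable_netutils(SAMPLE_CONFIG)
    print("netutils enabled after fix: ", netutils_enabled(fixed))
    print(fixed)
```

    Run audit_config_file against the server's config.ini after applying
    the change to confirm no second copy of the INIT line was missed.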