def-2001-25: Carello E-Commerce Arbitrary Command Execution

From: Peter Gründl (peter.grundlat_private)
Date: Mon May 14 2001 - 04:13:24 PDT


    ======================================================================
                      Defcom Labs Advisory def-2001-25
    
               Carello E-Commerce Arbitrary Command Execution
    
    Author: Peter Gründl <peter.grundlat_private>
    Release Date: 2001-05-14
    ======================================================================
    ------------------------=[Brief Description]=-------------------------
    A malicious user can execute arbitrary commands on the E-Commerce
    server with the privileges of the web server.
    
    ------------------------=[Affected Systems]=--------------------------
    - Carello E-Commerce V1.2.1 for Windows NT
    
    ----------------------=[Detailed Description]=------------------------
    Carello.dll uses the full physical path to execute Carello scripts
    rather than a path relative to the web root. Some input validation has
    been added to the program, but not enough, as the following example
    shows:
    
    (The following URL has been wrapped for readability)
    
    http://foo.org/scripts/Carello/Carello.dll?CARELLOCODE=SITE2&
    VBEXE=C:\..\winnt\system32\cmd.exe%20/c%20echo%20test>c:\defcom.txt
    
    The example will cause INETINFO.EXE to spike at 100% CPU, after which
    the web server no longer answers HTTP requests. The web service cannot
    be stopped or restarted, and the server must be rebooted to regain
    functionality. The command is executed with the privileges of the web
    server, which on IIS usually means LocalSystem access.
    
    The test was performed on a Windows NT 4.0 Server with SP 6a.
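
    The defensive counterpart to the weakness above, as an added example that
    is not Carello's or Defcom's code: accept only a bare script name, resolve
    it relative to the web root rather than trusting a physical path, and run
    the same check over logged requests to spot attempts. The web root, the
    script name "cart", the log layout and the log lines are all assumed or
    constructed for this example.

```python
import ntpath
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

WEBROOT = r"C:\InetPub\wwwroot\scripts\Carello"  # assumed install location
# A script name may contain only these characters, so drive letters, path
# separators, whitespace and redirection operators are rejected up front.
_NAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")

def resolve_script(webroot: str, vbexe: str) -> Optional[str]:
    """Map a VBEXE value to a physical path below webroot, or None if unsafe.
    The value is URL-decoded first so %20 cannot hide an argument separator."""
    name = unquote(vbexe)
    if not _NAME_RE.fullmatch(name) or ".." in name:
        return None
    root = ntpath.normpath(webroot)
    candidate = ntpath.normpath(ntpath.join(root, name))
    # Defence in depth: the resolved path must still sit below the web root.
    if ntpath.commonpath([root, candidate]) != root:
        return None
    return candidate

def suspicious_requests(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client, decoded VBEXE) for log entries that fail validation.
    Assumed log layout: date time client method url status."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 6:
            continue
        client, url = fields[2], fields[4]
        values = parse_qs(urlsplit(url).query).get("VBEXE")
        if values and resolve_script(WEBROOT, values[0]) is None:
            hits.append((client, values[0]))
    return hits

SAMPLE_LOG = [  # constructed IIS-style entries; the second mirrors the advisory's URL
    "2001-05-14 04:13:24 10.0.0.5 GET /scripts/Carello/Carello.dll?CARELLOCODE=SITE2&VBEXE=cart 200",
    r"2001-05-14 04:13:31 10.0.0.9 GET /scripts/Carello/Carello.dll?CARELLOCODE=SITE2&VBEXE=C:\..\winnt\system32\cmd.exe%20/c%20echo%20test>c:\defcom.txt 200",
    "2001-05-14 04:14:02 10.0.0.5 GET /scripts/Carello/Carello.dll?CARELLOCODE=SITE2 200",
]

if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client} sent unsafe VBEXE value: {value}")
```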
    
    ---------------------------=[Workaround]=-----------------------------
    Pacific Software Publishing, Inc. has released version 1.3 to correct
    the problem and introduce support for Windows 2000. You can download
    it at http://www.carelloweb.com
    
    -------------------------=[Vendor Response]=--------------------------
    This issue was brought to the vendor's attention on the 3rd of April,
    2001, and the vendor released a patch on the 12th of May.
    
    The vendor also responded with:
    
    "We are planning to release a newer version of Carello in the near
     future. Please subscribe to the newsletter at
     http://www.carelloweb.com/subscription.htm; we will be sending out
     update information."
    
    ======================================================================
                This release was brought to you by Defcom Labs
    
                  labsat_private             www.defcom.com
    ======================================================================
    



    This archive was generated by hypermail 2b30 : Tue May 15 2001 - 01:22:55 PDT