From peter.grundl@defcom.com Tue May 15 16:09:08 2001
From: Peter Gründl
To: bugtraq@securityfocus.com
Date: Mon, 14 May 2001 13:13:24 +0200
Subject: def-2001-25: Carello E-Commerce Arbitrary Command Execution

======================================================================
Defcom Labs Advisory def-2001-25

Carello E-Commerce Arbitrary Command Execution

Author: Peter Gründl
Release Date: 2001-05-14
======================================================================

------------------------=[Brief Description]=-------------------------
A malicious user can execute arbitrary commands on the E-Commerce
server with the privileges of the web server.

------------------------=[Affected Systems]=--------------------------
- Carello E-Commerce V1.2.1 for Windows NT

----------------------=[Detailed Description]=------------------------
Carello.dll uses full physical paths to execute Carello scripts
instead of paths relative to the webroot. Some input validation has
been added to the program, but not to a sufficient degree, as the
following example shows:

(The following URL has been wrapped for readability)

http://foo.org/scripts/Carello/Carello.dll?CARELLOCODE=SITE2&
VBEXE=C:\..\winnt\system32\cmd.exe%20/c%20echo%20test>c:\defcom.txt

The example results in INETINFO.EXE spiking at 100% CPU, after which
the web server no longer answers HTTP requests. The web service cannot
be stopped or restarted, and the server must be rebooted to regain
functionality.

The command is executed with the privileges of the web server, which,
in the case of IIS, usually means LocalSystem access.

The test was performed on a Windows NT 4.0 Server with SP 6a.

---------------------------=[Workaround]=-----------------------------
Pacific Software Publishing, Inc. has released version 1.3 to correct
the problem and introduce support for Windows 2000. You can download
it at http://www.carelloweb.com

-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 3rd of April,
2001, and the vendor released a patch on the 12th of May.

The vendor also responded with:

"We are planning to release a newer version of Carello in the near
future. Please subscribe to the newsletter from
http://www.carelloweb.com/subscription.htm , and we will be informing
you of update information."

======================================================================
This release was brought to you by Defcom Labs

labs@defcom.com www.defcom.com
======================================================================
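The root cause described above is a script parameter (VBEXE) that is used as a physical path with only partial validation. The following added example, which is not part of the advisory or of Carello, shows the kind of confinement check a defender would expect such a parameter to pass (decoded once, normalised, and required to name a plain file inside the script directory), and runs it over constructed IIS-style log lines to flag requests whose VBEXE value escapes that directory. The script root path, log format and log lines are assumptions made for the example.

```python
import ntpath
import re
from urllib.parse import parse_qs

# Assumed physical directory that Carello scripts are expected to live in.
SCRIPT_ROOT = r"C:\inetpub\scripts\Carello"

# Allowed shape for a script name: no separators, spaces or shell metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")

# Constructed W3C-style log lines (date time c-ip cs-method cs-uri-stem
# cs-uri-query sc-status); the first mirrors the request pattern in the advisory.
SAMPLE_LOG = r"""2001-05-14 13:13:24 10.0.0.5 GET /scripts/Carello/Carello.dll CARELLOCODE=SITE2&VBEXE=C:\..\winnt\system32\cmd.exe%20/c%20echo%20test>c:\defcom.txt 200
2001-05-14 13:14:01 10.0.0.7 GET /scripts/Carello/Carello.dll CARELLOCODE=SITE2&VBEXE=checkout.exe 200
2001-05-14 13:15:30 10.0.0.9 GET /index.html - 200
"""


def vbexe_is_confined(value: str, script_root: str) -> bool:
    """True only if the (already URL-decoded) value names a plain file directly
    inside script_root. Drive letters, rooted paths, UNC paths and '..' that walk
    out of the directory are all rejected after normalisation, not by substring match."""
    value = value.replace("/", "\\")
    if value.startswith("\\") or ntpath.splitdrive(value)[0] or ntpath.isabs(value):
        return False  # C:\..., \\server\share\..., \winnt\...
    root = ntpath.normpath(script_root)
    target = ntpath.normpath(ntpath.join(root, value))  # collapses ..\ segments
    if not target.startswith(root + "\\"):
        return False  # '..' walked out of the script directory
    if ntpath.dirname(target) != root:
        return False  # sub-directories are not script locations here (assumption)
    return SAFE_NAME.fullmatch(ntpath.basename(target)) is not None


def flag_carello_requests(log_text: str, script_root: str) -> list:
    """Return (client_ip, decoded VBEXE) for Carello.dll requests whose VBEXE
    parameter fails the confinement check; parse_qs decodes each value once,
    as the server would."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue
        ip, stem, query = parts[2], parts[4], parts[5]
        if not stem.lower().endswith("carello.dll") or query == "-":
            continue
        for vbexe in parse_qs(query).get("VBEXE", []):
            if not vbexe_is_confined(vbexe, script_root):
                hits.append((ip, vbexe))
    return hits
```

Run on the sample log, only the request from 10.0.0.5 is flagged; a benign `VBEXE=checkout.exe` passes.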