Bugtraq mailing list archives

def-2001-25: Carello E-Commerce Arbitrary Command Execution


From: Peter Gründl <peter.grundl () defcom com>
Date: Mon, 14 May 2001 13:13:24 +0200

======================================================================
                  Defcom Labs Advisory def-2001-25

           Carello E-Commerce Arbitrary Command Execution

Author: Peter Gründl <peter.grundl () defcom com>
Release Date: 2001-05-14
======================================================================
------------------------=[Brief Description]=-------------------------
A malicious user can execute arbitrary commands on the E-Commerce
server with the privileges of the web server.

------------------------=[Affected Systems]=--------------------------
- Carello E-Commerce V1.2.1 for Windows NT

----------------------=[Detailed Description]=------------------------
Carello.dll takes a full physical path in the VBEXE parameter to locate
the Carello script it executes, instead of a path relative to the
webroot. Some input validation has been added to the program, but not
enough to stop directory traversal, as the following example shows:

(The following URL has been wrapped for readability)

http://foo.org/scripts/Carello/Carello.dll?CARELLOCODE=SITE2&
VBEXE=C:\..\winnt\system32\cmd.exe%20/c%20echo%20test>c:\defcom.txt

In the test this request also made INETINFO.EXE spike to 100% CPU, after
which the web server no longer answered HTTP requests; the web service
could not be stopped or restarted, and the server had to be rebooted to
regain functionality. The command runs with the privileges of the web
server process, which on IIS usually means LocalSystem.

The test was performed on a Windows NT 4.0 Server with SP 6a.
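The following is an added example, not Carello's code: the advisory does not say what check the vendor implemented, so the naive check below is a hypothetical stand-in for the kind of raw-string comparison that a "C:\..\winnt" prefix slips past. It decodes the VBEXE value from the request above, shows what the operating system would actually open once ".." is collapsed (on NT a ".." directly under the drive root resolves to the root itself), and contrasts that with a hardened validator that only accepts a bare executable name resolving directly under a fixed script directory. The install directory C:\Inetpub\scripts\Carello is an assumption; the advisory only gives the URL path. ntpath is used so the example runs on any platform.

```python
"""Added example (not Carello's code): why a path-traversal value in VBEXE
bypasses string-based checks, and how such a parameter should be validated."""
import ntpath
from urllib.parse import parse_qs

# The request from the advisory, joined onto one line (constructed from its text).
ADVISORY_URL = ("http://foo.org/scripts/Carello/Carello.dll?CARELLOCODE=SITE2&"
                "VBEXE=C:\\..\\winnt\\system32\\cmd.exe%20/c%20echo%20test>c:\\defcom.txt")

# Assumed install directory of the Carello scripts; the advisory only gives the URL path.
SCRIPT_ROOT = r"C:\Inetpub\scripts\Carello"


def vbexe_param(query):
    """Decoded VBEXE value from a query string (parse_qs performs the %xx decoding)."""
    return parse_qs(query, keep_blank_values=True).get("VBEXE", [""])[0]


def naive_check(path):
    """Hypothetical raw-string blocklist of the kind a traversal defeats: it compares
    the value before '..' is collapsed, so 'C:\\..\\winnt' never matches the
    'c:\\winnt' prefix it is meant to catch.  Returns True when the value is allowed."""
    lowered = path.lower()
    return not lowered.startswith((r"c:\winnt", r"c:\windows"))


def resolved_program(path):
    """Program the OS actually opens: split off the arguments, then collapse '..'.
    ntpath.normpath drops a '..' that sits directly under the drive root."""
    program = path.split(" ", 1)[0]
    return ntpath.normpath(program)


def hardened_check(param, root=SCRIPT_ROOT):
    """Accept only a bare executable name living directly under root.
    Returns the absolute path to run, or None when the value is rejected."""
    if not param or any(c.isspace() for c in param):
        return None                      # no arguments, no redirection
    if any(c in param for c in '<>|&"'):
        return None                      # shell metacharacters are never part of a name
    if ntpath.splitdrive(param)[0] or param.startswith(("\\", "/")):
        return None                      # the server chooses the root, the client never does
    candidate = ntpath.normpath(ntpath.join(root, param))
    if ntpath.dirname(candidate).lower() != root.lower():
        return None                      # '..' escaped the root after normalisation
    if not candidate.lower().endswith(".exe"):
        return None
    return candidate


def flag_query(query, root=SCRIPT_ROOT):
    """Detection helper for live requests or the cs-uri-query column of IIS logs:
    True when VBEXE is present and the hardened validator would reject it."""
    value = vbexe_param(query)
    return bool(value) and hardened_check(value, root) is None


if __name__ == "__main__":
    query = ADVISORY_URL.split("?", 1)[1]
    raw = vbexe_param(query)
    print("raw VBEXE      :", raw)
    print("naive check    :", "allowed" if naive_check(raw) else "rejected")
    print("OS would run   :", resolved_program(raw))
    print("hardened check :", hardened_check(raw))
    print("flag in log    :", flag_query(query))
```

The hardened form deliberately rejects anything that is not a plain file name: a drive letter, a leading separator, whitespace (which is where the "/c echo ..." arguments hide) or a resolved directory other than the script root. Checking the directory after normpath rather than before is the whole point; a check on the raw string is what the advisory's payload defeats.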

---------------------------=[Workaround]=-----------------------------
Pacific Software Publishing, Inc. has released version 1.3 to correct
the problem and introduce support for Windows 2000. You can download
it at http://www.carelloweb.com

-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 3rd of April,
2001, and the vendor released a patch on the 12th of May.

The vendor also responded with:

"We are planning to release a newer version of Carello in the near future.
 Please subscribe to the newsletter from
 http://www.carelloweb.com/subscription.htm , we will be informing you of
 update information."

======================================================================
            This release was brought to you by Defcom Labs

              labs () defcom com             www.defcom.com
======================================================================
