Carello Shopping Cart Lets Remote Users Execute Arbitrary Commands on the Commerce Server
|
Date: May 14 2001 13:48 (UTC/GMT)
|
Impact: Denial of service via network, Execution of arbitrary code via network
|
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
|
Advisory: Defcom Labs
|
Version(s): V1.2.1 for Windows NT
|
Description: Defcom Labs issued a vulnerability advisory for the Carello shopping cart, warning that a remote user can execute arbitrary commands on the server with the privileges of the web server.
Defcom reports that Carello.dll uses a full physical path to execute Carello scripts instead of paths relative to the webroot directory.
The program performs insufficient input validation when processing user-supplied paths.
A demonstration exploit URL (shown below) will cause INETINFO.EXE to spike at 100% CPU utilization, after which the web server will no longer respond to HTTP requests. The web service cannot be stopped or restarted; the host must be rebooted to regain functionality.
(The following URL has been wrapped for readability)
http://foo.org/scripts/Carello/Carello.dll?CARELLOCODE=SITE2&
VBEXE=C:\..\winnt\system32\cmd.exe%20/c%20echo%20test>c:\defcom.txt
The command will reportedly be executed with the privileges of the web server. For IIS, this is usually LocalSystem access.
Defcom indicates that their vulnerability testing was performed on a Windows NT 4.0 Server with SP 6a.
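As an added illustration (not code from the advisory, from Defcom Labs, or from the Carello product), the Python below contrasts the kind of check that lets the advisory's VBEXE value through with a validator that canonicalises the path and confirms it stays under the script directory. The script root `C:\inetpub\scripts\Carello`, the `naive_accepts` function and `resolve_script` are all constructed for this example; the advisory does not state what validation Carello.dll actually performed, only that it was insufficient.

```python
import ntpath
import re
from typing import Optional

# Constructed for this example: where Carello scripts are assumed to live.
SCRIPT_ROOT = r"C:\inetpub\scripts\Carello"

# The VBEXE value from the advisory's demonstration URL, with %20 decoded.
ADVISORY_VBEXE = r"C:\..\winnt\system32\cmd.exe /c echo test>c:\defcom.txt"


def naive_accepts(vbexe: str) -> bool:
    """Hypothetical weak check: accept any path on the expected drive.

    It never canonicalises, so a value that starts with "C:\\" but climbs
    out of the intended directory with ".." is treated as a legitimate
    physical path.
    """
    return vbexe.upper().startswith("C:\\")


# A script reference may only be a relative name, optionally in a
# subdirectory: letters, digits, dot, dash, underscore and backslash.
# No drive letter, no colon, no spaces and no shell redirection characters.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_.\\-]+$")


def resolve_script(vbexe: str, root: str = SCRIPT_ROOT) -> Optional[str]:
    """Return the canonical path of the requested script, or None.

    Three independent checks; each on its own rejects the advisory value:
      1. character allow-list: the value must look like a relative file
         name, so "C:\\", " /c" and ">" are all rejected outright;
      2. canonicalisation: the path is joined to the root and normalised
         with ntpath.normpath, collapsing ".." before any comparison;
      3. containment: the canonical path must still lie under the root.
    """
    if not _SAFE_NAME.match(vbexe):
        return None
    root_c = ntpath.normpath(root)
    full = ntpath.normpath(ntpath.join(root_c, vbexe))
    if full == root_c:            # "." or ".." resolved to the root itself
        return None
    try:
        inside = ntpath.commonpath([root_c, full]) == root_c
    except ValueError:            # different drives share no common path
        inside = False
    return full if inside else None


if __name__ == "__main__":
    print("naive check accepts advisory value:", naive_accepts(ADVISORY_VBEXE))
    print("hardened check resolves advisory value:", resolve_script(ADVISORY_VBEXE))
    print("hardened check resolves order.exe:", resolve_script("order.exe"))
```

The design point is that a prefix or drive-letter comparison made before normalisation is not a containment check at all; the comparison has to happen on the canonical form, and the value handed to the server should never carry a drive, a separator sequence that escapes the root, or command-line arguments in the first place.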
|
Impact: A remote user can execute arbitrary commands on the server with the privileges of the web server. The remote user can also cause the server to crash, requiring a reboot to continue functioning.
|
Solution: The vendor has released version 1.3 to correct the problem.
|
Vendor URL: www.carelloweb.com/
|
Cause: Input validation error
|
Underlying OS: Windows (NT)
|
Reported By: Peter Gründl <peter.grundl@defcom.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Mon, 14 May 2001 11:32:43 +0200
From: Peter Gründl <peter.grundl@defcom.com>
Subject: def-2001-25: Carello E-Commerce Arbitrary Command Execution
|
======================================================================
Defcom Labs Advisory def-2001-25
Carello E-Commerce Arbitrary Command Execution
Author: Peter Gründl <peter.grundl@defcom.com>
Release Date: 2001-05-14
======================================================================
------------------------=[Brief Description]=-------------------------
A malicious user can execute arbitrary commands on the E-Commerce
server with the privileges of the web server.
------------------------=[Affected Systems]=--------------------------
- Carello E-Commerce V1.2.1 for Windows NT
----------------------=[Detailed Description]=------------------------
The Carello.dll utilizes full physical path to execute Carello scripts
instead of paths relative to the webroot. Some input validation has
been inserted in the program, but not to a sufficient degree, as can
be seen from the following example:
(The following URL has been wrapped for readability)
http://foo.org/scripts/Carello/Carello.dll?CARELLOCODE=SITE2&
VBEXE=C:\..\winnt\system32\cmd.exe%20/c%20echo%20test>c:\defcom.txt
The example will result in INETINFO.EXE spiking at 100% CPU and the
web server will no longer answer HTTP requests. The webservice can
not be stopped/restarted and the server will need to be rebooted to
regain functionality. The command will be executed with the privileges
of the web server, which, when dealing with IIS, usually means
LocalSystem Access.
The test was performed on a Windows NT 4.0 Server with SP 6a.
---------------------------=[Workaround]=-----------------------------
Pacific Software Publishing, Inc. has released version 1.3 to correct
the problem and introduce support for Windows 2000. You can download
it at http://www.carelloweb.com
-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 3rd of April,
2001, and the vendor released a patch on the 12th of May.
Vendor also responded with:
"We are planning to release newer version of Carello in near future.
Please subscribe newsletter from
http://www.carelloweb.com/subscription.htm , we will be informing an
update information."
======================================================================
This release was brought to you by Defcom Labs
labs@defcom.com www.defcom.com
======================================================================