Logics Software BS2000 Host to Web Client ALL PLATFORMS

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Logics Software BS2000 Host to Web Client ALL PLATFORMS
From: Román Ramírez <rramirez@xxxxxxxxxxxxxx>
Date: Tue, 05 Apr 2005 11:21:22 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8a6) Gecko/20050111


Logics Software Filetransfer from BS2000 Host to Web Client

* Release Date:
April 4, 2005

* Date noticed:
March 11, 2005

* Severity:
High (verified read access to any file and to-be-verified write access)

* Vendor:
Logics Sofware http://www.logics.de (http://www.logics.de/bs2000.htm)

* Systems Affected:

All BS2000 installed platforms both Microsoft WINDOWS and UNIX operatingsystems.

* Without authentication nor authorization it is possible to exploit"File Transfer from BS2000 Host to Web Client" just replacing thevariables VAR_FT_*; VAR_FT_LANG manages the language that will be usedfor templates and VAR_FT_TMPL manages the template to be used.

Replacing VAR_FT_LANG with "c:\" (whatever) and VAR_FT_TMPL with thefile we want to read (i.e: winnt/win.ini) we have read acces

to the resource requested (most files in the filesystem).

For example,http://www.myserver.com/logwebcgi/logwebftbs2000.exe?VAR_FT_LANG=c:\&VAR_FT_TMPL=winnt/win.iniwill give us the contents for

 c:\winnt\win.ini.

In UNIX systems you can test the vulnerability just with:
http://www.myserver.com/logwebcgi/logwebftbs2000.exe?VAR_FT_LANG=/etc&VAR_FT_TMPL=passwd

We have not checked in deep the posibility of reading registry(c:\winnt\system32\config) nor SAM or other attack-relevant files, butwe have confirmed ABSOLUTELY that in UNIX installations where the webserver is running with privileged users (aka root or so) you can readfiles like /etc/shadow, /etc/master.passwd... so this vulnerabilitycould escalate to something really dangerous depending on the specificsystem and what kind of webserver and webserver configuration they have.

Probably, anyone is able to UPLOAD files to the server as they will bemanaged by this tool, but we were not able to test it in our platform.



* Protection:

Check the way to lock the access to c:\ (/) resource from within thistool, but our recommendation is to directly remove access to the bs2000

ftp executables and tools (everything inside logwebcgi/ directory).

* Vendor Status:
Contacted but no response received.


* Credit:
Pedro Viñuales
Román Ramírez


* Related Links:
- http://www.chasethesun.es
- http://www.telefonicasoluciones.com

* Greetings:
Jarni, pci, v1rg1n17... all :)


{Copyright (c) 2001-2005 Chase The Sun / Telefónica Soluciones
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without

express consent of Chase The Sun and Telefónica Soluciones. If you wishto reprint the whole or any part of this alert in any other mediumexcluding electronic medium, please email rramirez at chasethesun dot esfor permission.


Disclaimer
The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an
AS IS condition. There are no warranties, implied or express,
with regard to this information. In no event shall the author
be liable for any direct or indirect damages whatsoever
arising out of or in connection with the use or spread of
this information. Any use of this information is at the
user's own risk.}

Prev by Date: SQL INJECTION in LinksLinks Pro. PHPBB Mod.
Next by Date: [SECURITYREASON.COM] Full path disclosure and XSS in PHPNuke part 3
Previous by thread: SQL INJECTION in LinksLinks Pro. PHPBB Mod.
Next by thread: [SECURITYREASON.COM] Full path disclosure and XSS in PHPNuke part 3
Index(es):
- Date
- Thread