Logics Software BS2000 Host to Web Client ALL PLATFORMS
Logics Software Filetransfer from BS2000 Host to Web Client
* Release Date:
April 4, 2005
* Date noticed:
March 11, 2005
* Severity:
High (verified read access to any file; write access still to be verified)
* Vendor:
Logics Software http://www.logics.de (http://www.logics.de/bs2000.htm)
* Systems Affected:
All platforms on which the BS2000 web client is installed, on both
Microsoft Windows and UNIX operating systems.
* Without authentication or authorization it is possible to exploit
"File Transfer from BS2000 Host to Web Client" simply by replacing the
VAR_FT_* variables: VAR_FT_LANG selects the language used for the
templates and VAR_FT_TMPL selects the template to be used. Neither value
is validated before it is used as a path component. Replacing
VAR_FT_LANG with "c:\" (or any other directory) and VAR_FT_TMPL with the
file to be read (e.g. winnt/win.ini) gives read access to the requested
resource (most files in the filesystem).
For example,
http://www.myserver.com/logwebcgi/logwebftbs2000.exe?VAR_FT_LANG=c:\&VAR_FT_TMPL=winnt/win.ini
returns the contents of c:\winnt\win.ini.
On UNIX systems the vulnerability can be tested with:
http://www.myserver.com/logwebcgi/logwebftbs2000.exe?VAR_FT_LANG=/etc&VAR_FT_TMPL=passwd
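The root cause described above is a template path assembled from two request
parameters with no validation. The following Python is an added illustration
written for this advisory, not code from Logics Software: it shows how a naive
join of a template root with VAR_FT_LANG and VAR_FT_TMPL collapses to
/etc/passwd for the UNIX example above, beside a hardened resolver that
allowlists the language, restricts the template name and then proves the
result is still inside the template root. The template root, the language
list and the .tmpl naming convention are assumptions for the demonstration;
the real product's layout is not known from the advisory.

```python
import posixpath
import re

# Assumed values for the demonstration (not taken from the advisory):
# the directory holding the templates and the languages actually shipped.
TEMPLATE_ROOT = "/opt/logweb/templates"
ALLOWED_LANGS = frozenset({"en", "de"})
# A template name: bare file name, no separators, fixed extension (assumed).
TEMPLATE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.tmpl$")


class TemplateError(ValueError):
    """Raised when the request parameters do not name a legitimate template."""


def resolve_template_unsafe(lang, tmpl, root=TEMPLATE_ROOT):
    """Mirror of the behaviour the advisory describes: both parameters are
    used as path components as-is. posixpath.join discards everything before
    an absolute component, so lang="/etc" removes the template root entirely.
    (posixpath is used instead of os.path so the result is the same on any
    host running this example.)"""
    return posixpath.normpath(posixpath.join(root, lang, tmpl))


def resolve_template_safe(lang, tmpl, root=TEMPLATE_ROOT):
    """Hardened resolver: allowlist the language, constrain the template name
    to a strict pattern, then confirm the normalised path still lies under
    the template root. Raises TemplateError on any violation."""
    if lang not in ALLOWED_LANGS:
        raise TemplateError("language not in allowlist: %r" % lang)
    if not TEMPLATE_NAME.match(tmpl):
        raise TemplateError("template name rejected: %r" % tmpl)
    candidate = posixpath.normpath(posixpath.join(root, lang, tmpl))
    # Containment check as a second line of defence: even if the allowlists
    # were loosened later, a path outside the root is still refused.
    if posixpath.commonpath([root, candidate]) != root:
        raise TemplateError("path escapes template root: %r" % candidate)
    return candidate


def is_safe_request(lang, tmpl, root=TEMPLATE_ROOT):
    """Boolean wrapper suitable for a pre-check in front of the CGI."""
    try:
        resolve_template_safe(lang, tmpl, root)
        return True
    except TemplateError:
        return False


if __name__ == "__main__":
    # The advisory's UNIX example through both resolvers.
    print(resolve_template_unsafe("/etc", "passwd"))        # /etc/passwd
    print(is_safe_request("/etc", "passwd"))                 # False
    print(resolve_template_safe("en", "ftlist.tmpl"))        # /opt/logweb/templates/en/ftlist.tmpl
```

The allowlist on the language is the check that matters most: a language code
has no business containing a path separator, so rejecting anything but a
known code removes the whole class of absolute-path and `..` values before the
path is ever built. The containment check is kept as well so the resolver
stays safe even if the allowlists are relaxed in a later change.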
We have not checked in depth the possibility of reading the registry
(c:\winnt\system32\config), the SAM or other attack-relevant files, but
we have confirmed ABSOLUTELY that in UNIX installations where the web
server is running as a privileged user (i.e. root or similar) you can read
files like /etc/shadow, /etc/master.passwd... so this vulnerability
could escalate to something really dangerous depending on the specific
system and what kind of web server and web server configuration they have.
Probably anyone is able to UPLOAD files to the server, as they will be
managed by this tool, but we were not able to test it on our platform.
* Protection:
Check whether this tool offers a way to lock access to the c:\ (/)
resource, but our recommendation is to directly remove access to the
BS2000 FTP executables and tools (everything inside the logwebcgi/
directory).
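Until access to logwebcgi/ is removed, the web server's access log is the
place to find out whether the parameters are already being abused. The
following Python is an added example, not part of the advisory: it parses
Common Log Format lines, reports every request into the logwebcgi/ directory
(which the advisory says should not be reachable at all) and raises the
severity when VAR_FT_LANG is anything other than a plain language code or
VAR_FT_TMPL contains a path separator or `..`. The sample log lines, client
addresses and timestamps are constructed for the example; the request URLs
mirror the ones given earlier in the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access log (Common Log Format). Addresses and times are
# placeholders, not data from the advisory.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Mar/2005:10:02:11 +0100] "GET /logwebcgi/logwebftbs2000.exe?VAR_FT_LANG=en&VAR_FT_TMPL=ftlist HTTP/1.0" 200 1422
192.0.2.44 - - [11/Mar/2005:10:05:37 +0100] "GET /logwebcgi/logwebftbs2000.exe?VAR_FT_LANG=/etc&VAR_FT_TMPL=passwd HTTP/1.0" 200 2310
192.0.2.44 - - [11/Mar/2005:10:05:52 +0100] "GET /logwebcgi/logwebftbs2000.exe?VAR_FT_LANG=c%3A%5C&VAR_FT_TMPL=winnt/win.ini HTTP/1.0" 200 510
192.0.2.7 - - [11/Mar/2005:10:06:01 +0100] "GET /index.html HTTP/1.0" 200 3345
"""

# Directory the advisory recommends removing access to.
CGI_DIR = "/logwebcgi/"

# ip, ident, user, [timestamp], "METHOD target PROTO", status
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# What legitimate values should look like (assumed): a short alphabetic
# language code, and a bare template name with no path separators.
LANG_OK = re.compile(r"^[A-Za-z]{2,8}$")
TMPL_OK = re.compile(r"^[A-Za-z0-9_.-]+$")


def check_params(query):
    """Return the reasons the VAR_FT_* values look like path manipulation."""
    reasons = []
    params = parse_qs(query, keep_blank_values=True)
    for lang in params.get("VAR_FT_LANG", []):
        # parse_qs already decoded once; decoding again catches double-encoding.
        if not LANG_OK.match(unquote(lang)):
            reasons.append("VAR_FT_LANG is not a language code: %r" % lang)
    for tmpl in params.get("VAR_FT_TMPL", []):
        t = unquote(tmpl)
        if not TMPL_OK.match(t) or ".." in t:
            reasons.append("VAR_FT_TMPL is not a bare template name: %r" % tmpl)
    return reasons


def scan_log(lines):
    """Return one finding per request into the logwebcgi/ directory.
    Severity is 'alert' when the parameters look like traversal, otherwise
    'notice' (the directory should not be reachable in the first place)."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand
        parts = urlsplit(m.group("target"))
        if not parts.path.lower().startswith(CGI_DIR):
            continue
        reasons = check_params(parts.query)
        findings.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "status": int(m.group("status")),
            "severity": "alert" if reasons else "notice",
            "reasons": reasons or ["request into %s (advisory: remove access)" % CGI_DIR],
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f["severity"].upper(), f["ip"], f["ts"], f["status"], "; ".join(f["reasons"]))
```

A 200 status on an alert line means the file was actually served, which is
the case worth treating as a confirmed read; the same status column is also
how you verify, after blocking the directory, that requests into logwebcgi/
now fail.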
* Vendor Status:
Contacted but no response received.
* Credit:
Pedro Viñuales
Román Ramírez
* Related Links:
- http://www.chasethesun.es
- http://www.telefonicasoluciones.com
* Greetings:
Jarni, pci, v1rg1n17... all :)
{Copyright (c) 2001-2005 Chase The Sun / Telefónica Soluciones
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without
express consent of Chase The Sun and Telefónica Soluciones. If you wish
to reprint the whole or any part of this alert in any other medium
excluding electronic medium, please email rramirez at chasethesun dot es
for permission.
Disclaimer
The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an
AS IS condition. There are no warranties, implied or express,
with regard to this information. In no event shall the author
be liable for any direct or indirect damages whatsoever
arising out of or in connection with the use or spread of
this information. Any use of this information is at the
user's own risk.}