Date: Tue, 05 Apr 2005 11:21:22 +0200
From: Román Ramírez <rramirez@...sethesun.es>
To: bugtraq@...urityfocus.com
Subject: Logics Software BS2000 Host to Web Client ALL PLATFORMS



Logics Software Filetransfer from BS2000 Host to Web Client

* Release Date:
April 4, 2005

* Date noticed:
March 11, 2005

* Severity:
High (verified read access to any file and to-be-verified write access)

* Vendor:
Logics Software http://www.logics.de (http://www.logics.de/bs2000.htm)

* Systems Affected:
All BS2000 installed platforms both Microsoft WINDOWS and UNIX operating 
systems.

* Without authentication or authorization it is possible to exploit
"File Transfer from BS2000 Host to Web Client" simply by replacing the
VAR_FT_* variables: VAR_FT_LANG selects the language used for the
templates and VAR_FT_TMPL selects the template to be used.

Replacing VAR_FT_LANG with "c:\" (or any other directory) and VAR_FT_TMPL
with the file we want to read (e.g. winnt/win.ini) gives read access
to the requested resource (most files in the filesystem).

For example,
http://www.myserver.com/logwebcgi/logwebftbs2000.exe?VAR_FT_LANG=c:\&VAR_FT_TMPL=winnt/win.ini
will give us the contents of c:\winnt\win.ini.

In UNIX systems you can test the vulnerability just with:
http://www.myserver.com/logwebcgi/logwebftbs2000.exe?VAR_FT_LANG=/etc&VAR_FT_TMPL=passwd

We have not checked in depth the possibility of reading the registry
(c:\winnt\system32\config) nor SAM or other attack-relevant files, but
we have confirmed ABSOLUTELY that in UNIX installations where the web 
server is running with privileged users (aka root or so) you can read 
files like /etc/shadow, /etc/master.passwd... so this vulnerability 
could escalate to something really dangerous depending on the specific 
system and what kind of webserver and webserver configuration they have.

Probably, anyone is able to UPLOAD files to the server as they will be 
managed by this tool, but we were not able to test it in our platform.


* Protection:
Check how to lock access to the c:\ (/) resource from within this
tool, but our recommendation is to directly remove access to the bs2000
ftp executables and tools (everything inside the logwebcgi/ directory).
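As an added illustration of the protection above (not code from Logics Software or from the advisory's authors), this is how a CGI that receives VAR_FT_LANG and VAR_FT_TMPL could confine both values to its template directory; the template root, the ".html" suffix and the allowlist pattern are assumptions made for the example.

```python
# Added example (not Logics' code): confine VAR_FT_LANG / VAR_FT_TMPL to a
# template root so they can only choose among templates, never arbitrary files.
# Runs offline: the template root is a temporary directory populated here
# with one constructed sample template.
import os
import re
import tempfile
from pathlib import Path

# Only plain identifiers are accepted for a language code or template name;
# separators, drive letters and dots are rejected before touching the filesystem.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def resolve_template(template_root, lang, tmpl):
    """Return the absolute template path for (lang, tmpl) under template_root,
    or None when either value fails the allowlist or would escape the root."""
    if not (_SAFE_NAME.match(lang) and _SAFE_NAME.match(tmpl)):
        return None
    root = Path(template_root).resolve()
    candidate = (root / lang / f"{tmpl}.html").resolve()
    # Second line of defence: the resolved path must lie strictly below the
    # root (this also catches escapes through symlinked template files).
    if root not in candidate.parents:
        return None
    if not candidate.is_file():
        return None
    return str(candidate)


def demo():
    """Build a throwaway template root with one constructed template and
    report which (VAR_FT_LANG, VAR_FT_TMPL) pairs from the advisory get through."""
    root = tempfile.mkdtemp(prefix="bs2000_tmpl_")
    os.makedirs(os.path.join(root, "en"))
    with open(os.path.join(root, "en", "index.html"), "w") as fh:
        fh.write("<html>constructed sample template</html>")
    requests = [
        ("en", "index"),              # legitimate request
        ("c:\\", "winnt/win.ini"),    # Windows example from the advisory
        ("/etc", "passwd"),           # UNIX example from the advisory
        ("..", "index"),              # classic traversal attempt
    ]
    return {f"{lang}|{tmpl}": resolve_template(root, lang, tmpl) is not None
            for lang, tmpl in requests}


if __name__ == "__main__":
    for req, allowed in demo().items():
        print(f"{req:<20} -> {'served' if allowed else 'rejected'}")
```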

* Vendor Status:
Contacted but no response received.


* Credit:
Pedro Viñuales
Román Ramírez


* Related Links:
- http://www.chasethesun.es
- http://www.telefonicasoluciones.com

* Greetings:
Jarni, pci, v1rg1n17... all :)


{Copyright (c) 2001-2005 Chase The Sun / Telefónica Soluciones
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without
express consent of Chase The Sun and Telefónica Soluciones. If you wish 
to reprint the whole or any part of this alert in any other medium 
excluding electronic medium, please email rramirez at chasethesun dot es 
for permission.

Disclaimer
The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an
AS IS condition. There are no warranties, implied or express,
with regard to this information. In no event shall the author
be liable for any direct or indirect damages whatsoever
arising out of or in connection with the use or spread of
this information. Any use of this information is at the
user's own risk.}

