[VulnWatch] wp-02-0012: Carello 1.3 Remote File Execution (Updated 1/10/2002)

From: Matt Moore (matt@westpoint.ltd.uk)
Date: 10/02/02


Date: Wed, 02 Oct 2002 17:10:21 +0100
From: Matt Moore <matt@westpoint.ltd.uk>
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org

Westpoint Security Advisory

Title: Carello 1.3 Remote File Execution
Risk Rating: High
Software: Carello Shopping Cart
Platforms: Win2k, WinNT
Vendor URL: www.carelloweb.com
Author: Matt Moore <matt@westpoint.ltd.uk>
Date: 10th July 2002
Advisory ID#: wp-02-0012
Revision: Updated 22/02/2002 (see addendum)

Overview:
=========

Carello 1.3 is a web based shopping cart solution, which uses hidden
HTML form
fields to specify executables to handle POSTed form data.

Details:
========

Remote File Execution
---------------------

Carello uses hidden form fields to specify the names of executables on
the server which
are to handle POSTed form data. This allows an attacker to manipulate
the HTML to
specify arbitrary executables, which the Carello server software will
then run. For
example, a typical section of an HTML page created by Carello looks like
(angle brackets
omitted):

form method="POST" action= "http://server/scripts/Carello/Carello.dll"
input type="hidden" name="CARELLOCODE" value="WESTPOINT"
input type="hidden" name="VBEXE" value= "c:\inetpub\..carello-exe-file"
input type=....etc etc

Hence, by specifying a value like '
c:\..\..\..\..\..\..\..\.\winnt\notepad.exe '
an attacker can execute arbitrary files.

Vendor response:
================
The vendor indicated that the vulnerability will be fixed in the next
version
of Carello. When asked for an expected release date, they replied that:

'Unfortunately, we do not have a plan to upgrade the program so far. But
I put
your indication on our program modification request list.'

This advisory is available online at:

http://www.westpoint.ltd.uk/advisories/wp-02-0012.txt

Addendum:
=========
22/02/2002 - New information.

Westpoint would like to thank Peter Grundl of KPMG for providing additional
information on this vulnerability:

Exploitable via GET requests
-----------------------------
The vulnerability can be exploited by making a GET request to the
vulnerable .dll
and specifying the 'VBEXE' as a parameter.

Passing parameters to the invoked executable
----------------------------------------------
It is possible to pass parameters to the executables invoked using this
vulnerability.

For example:

/scripts/Carello/Carello.dll?VBEXE=
c:\.\winnt\system32\cmd.exe%20/c%20dir >c:\dir.txt

Carello attempts to verify that the VBEXE file specified is not in
%systemroot% - prepending
\.\ to the path circumvents this restriction.



Relevant Pages

  • [UNIX] Carello Remote File Execution
    ... Carello is a web based shopping cart ... Carello uses hidden form fields to specify the names of executables on the ... server that are to handle POSTed form data. ... which lessens the severity of this vulnerability. ...
    (Securiteam)
  • wp-02-0012: Carello 1.3 Remote File Execution (Updated 1/10/2002)
    ... Software: Carello Shopping Cart ... Carello uses hidden form fields to specify the names of executables on ... The vendor indicated that the vulnerability will be fixed in the next ...
    (Bugtraq)
  • wp-02-0012: Carello 1.3 Remote File Execution
    ... Software: Carello Shopping Cart ... Vendor URL: www.carelloweb.com ... fields to specify executables to handle POSTed form data. ... Carello uses hidden form fields to specify the names of executables on ...
    (Bugtraq)
  • [VulnWatch] wp-02-0012: Carello 1.3 Remote File Execution
    ... Software: Carello Shopping Cart ... Vendor URL: www.carelloweb.com ... fields to specify executables to handle POSTed form data. ... Carello uses hidden form fields to specify the names of executables on ...
    (VulnWatch)