Carello VBEXE Form Field Arbitrary Command Execution

2002-07-10T00:00:00
ID OSVDB:6592
Type osvdb
Reporter Matt Moore (matt@westpoint.ltd.uk)
Modified 2002-07-10T00:00:00

Description

Vulnerability Description

Carello contains a flaw that may allow a malicious user to execute arbitrary code. The issue is triggered when a specially crafted HTTP request is sent which replaces some hidden form elements. It is possible that the flaw may allow arbitrary code execution resulting in a loss of integrity.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes

For example, a typical section of an HTML page created by Carello looks like (angle brackets omitted):

form method="POST" action="http://[victim]/scripts/Carello/Carello.dll"
input type="hidden" name="CARELLOCODE" value="WESTPOINT"
input type="hidden" name="VBEXE" value="c:\inetpub..carello-exe-file"
input type=....etc etc

Carello.dll appears to check only that the string "inetpub" occurs somewhere in the requested path.

Hence, specifying a value like "c:\inetpub..........\winnt\notepad.exe" bypasses this check, allowing arbitrary files to be executed.
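The gap between a substring test and a canonicalised comparison, as an added example (not Carello's code and not part of the advisory). The allowed directory, the program allowlist and the sample paths are constructed assumptions; a server-side design would ideally not accept the executable path from a client-supplied form field at all.

```python
import ntpath  # Windows path rules, usable on any platform

# Assumption: directory holding the only executables the application may launch.
ALLOWED_DIR = r"c:\inetpub\scripts\carello"
# Assumption: explicit allowlist of program names inside that directory.
ALLOWED_PROGRAMS = {"carello.exe"}


def weak_check(path: str) -> bool:
    """The check the advisory describes: 'inetpub' appears anywhere in the value."""
    return "inetpub" in path.lower()


def strict_check(path: str) -> bool:
    """Canonicalise first, then compare the directory and name exactly."""
    if "\x00" in path:
        return False
    # normpath collapses '..' and '.', normcase lowercases and unifies separators.
    norm = ntpath.normcase(ntpath.normpath(path))
    if not ntpath.isabs(norm):
        return False
    directory, name = ntpath.split(norm)
    base = ntpath.normcase(ntpath.normpath(ALLOWED_DIR))
    return directory == base and name in ALLOWED_PROGRAMS


# Constructed sample values for the VBEXE field.
SAMPLES = [
    r"c:\inetpub\scripts\carello\carello.exe",             # expected value
    r"C:\Inetpub\Scripts\Carello\..\Carello\CARELLO.EXE",  # same file, odd spelling
    r"c:\inetpub\..\winnt\notepad.exe",                    # contains 'inetpub', resolves outside
    r"c:\inetpub\scripts\carello\other.exe",               # right directory, not allowlisted
    r"c:\winnt\notepad.exe",                               # no 'inetpub' at all
]


def evaluate(samples=SAMPLES):
    """Return (path, weak_result, strict_result) for each sample."""
    return [(p, weak_check(p), strict_check(p)) for p in samples]


if __name__ == "__main__":
    for path, weak, strict in evaluate():
        print(f"weak={weak!s:5} strict={strict!s:5} {path}")
```
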

References:

Other Advisory URL: http://www.westpoint.ltd.uk/advisories/wp-02-0012.txt
Mail List Post: http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0015.html
Keyword: wp-02-0012
ISS X-Force ID: 9521
CVE-2002-0683
Bugtraq ID: 5192