
logicsBS2000.txt

17 Apr 2005 00:00:00 | Reported by Roman Ramirez | Type: packetstorm | Source: packetstormsecurity.com

Logics Software Filetransfer from BS2000 Host to Web Client. High severity exploit allows unauthorized read access to files in BS2000 systems. No vendor response.

Code
`  
Logics Software Filetransfer from BS2000 Host to Web Client  
  
* Release Date:  
April 4, 2005  
  
* Date noticed:  
March 11, 2005  
  
* Severity:  
High (verified read access to any file and to-be-verified write access)  
  
* Vendor:  
Logics Software http://www.logics.de (http://www.logics.de/bs2000.htm)  
  
* Systems Affected:  
All BS2000 installed platforms, on both Microsoft WINDOWS and UNIX operating   
systems.  
  
* Without authentication or authorization, it is possible to exploit   
"File Transfer from BS2000 Host to Web Client" simply by replacing the  
VAR_FT_* variables: VAR_FT_LANG selects the language used for the   
templates, and VAR_FT_TMPL selects the template to be used.  
  
Replacing VAR_FT_LANG with "c:\" (or whatever) and VAR_FT_TMPL with the   
file we want to read (e.g. winnt/win.ini), we have read access  
to the requested resource (most files in the filesystem).  
  
For example,   
http://www.myserver.com/logwebcgi/logwebftbs2000.exe?VAR_FT_LANG=c:\&VAR_FT_TMPL=winnt/win.ini   
will give us the contents of  
c:\winnt\win.ini.  
  
On UNIX systems you can test for the vulnerability with:  
http://www.myserver.com/logwebcgi/logwebftbs2000.exe?VAR_FT_LANG=/etc&VAR_FT_TMPL=passwd  
  
We have not checked in depth the possibility of reading the registry   
(c:\winnt\system32\config), the SAM or other attack-relevant files, but   
we have confirmed ABSOLUTELY that in UNIX installations where the web   
server is running as a privileged user (aka root or so) you can read   
files like /etc/shadow, /etc/master.passwd... so this vulnerability   
could escalate to something really dangerous depending on the specific   
system and what kind of webserver and webserver configuration they have.  
  
Probably, anyone is able to UPLOAD files to the server as they will be   
managed by this tool, but we were not able to test it in our platform.  
  
  
* Protection:  
Look for a way to block access to the c:\ (/) resource from within this   
tool, but our recommendation is to remove access to the bs2000  
ftp executables and tools directly (everything inside the logwebcgi/ directory).  
  
* Vendor Status:  
Contacted but no response received.  
  
  
* Credit:  
Pedro Viñuales  
Román Ramírez  
  
  
* Related Links:  
- http://www.chasethesun.es  
- http://www.telefonicasoluciones.com  
  
* Greetings:  
Jarni, pci, v1rg1n17... all :)  
  
  
{Copyright (c) 2001-2005 Chase The Sun / Telefónica Soluciones  
Permission is hereby granted for the redistribution of this alert  
electronically. It is not to be edited in any way without  
express consent of Chase The Sun and Telefónica Soluciones. If you wish   
to reprint the whole or any part of this alert in any other medium   
excluding electronic medium, please email rramirez at chasethesun dot es   
for permission.  
  
Disclaimer  
The information within this paper may change without notice.  
Use of this information constitutes acceptance for use in an  
AS IS condition. There are no warranties, implied or express,  
with regard to this information. In no event shall the author  
be liable for any direct or indirect damages whatsoever  
arising out of or in connection with the use or spread of  
this information. Any use of this information is at the  
user's own risk.}  
`
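
A log check for the requests this advisory describes, added here as an example and not part of the original advisory or of the vendor's code: it flags hits on logwebftbs2000.exe whose VAR_FT_LANG or VAR_FT_TMPL value is anything other than a bare token. The bare-token rule for legitimate values, the Common Log Format input and the sample log lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

CGI_NAME = "logwebftbs2000.exe"            # CGI named in the advisory
WATCHED = {"VAR_FT_LANG", "VAR_FT_TMPL"}   # parameters named in the advisory

# Assumption: legitimate values are bare tokens such as "en" or "index.htm".
BARE_TOKEN = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?")
# Request line of a Common Log Format entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_params(target):
    """Return {param: value} for watched parameters that are not bare tokens."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/" + CGI_NAME):
        return {}
    hits = {}
    # parse_qs percent-decodes values, so %2Fetc and /etc are treated alike.
    for key, values in parse_qs(parts.query).items():
        if key.upper() in WATCHED:
            bad = [v for v in values if not BARE_TOKEN.fullmatch(v)]
            if bad:
                hits[key.upper()] = bad[0]
    return hits

def scan(lines):
    """Return [(line_number, hits)] for log lines that trip the check."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        hits = suspicious_params(match.group(1)) if match else {}
        if hits:
            findings.append((number, hits))
    return findings

# Constructed sample log (documentation IP ranges); lines 2 and 3 reuse the advisory's query strings.
SAMPLE_LOG = [
    r'192.0.2.10 - - [11/Mar/2005:10:00:01 +0100] "GET /logwebcgi/logwebftbs2000.exe?VAR_FT_LANG=en&VAR_FT_TMPL=index.htm HTTP/1.0" 200 2048',
    r'198.51.100.7 - - [11/Mar/2005:10:02:13 +0100] "GET /logwebcgi/logwebftbs2000.exe?VAR_FT_LANG=c:\&VAR_FT_TMPL=winnt/win.ini HTTP/1.0" 200 512',
    r'198.51.100.7 - - [11/Mar/2005:10:02:40 +0100] "GET /logwebcgi/logwebftbs2000.exe?VAR_FT_LANG=/etc&VAR_FT_TMPL=passwd HTTP/1.0" 200 1337',
    r'198.51.100.7 - - [11/Mar/2005:10:03:05 +0100] "GET /logwebcgi/logwebftbs2000.exe?VAR_FT_LANG=%2Fetc&VAR_FT_TMPL=passwd HTTP/1.0" 200 1337',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(f"line {number}: {hits}")
```

On the UNIX form only VAR_FT_LANG trips the check, because the file name in VAR_FT_TMPL is itself a bare token; that is why both parameters have to be examined rather than VAR_FT_TMPL alone.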
