Logics Software Filetransfer from BS2000 Host to Web Client

* Release Date: April 4, 2005
* Date noticed: March 11, 2005
* Severity: High (verified read access to any file and to-be-verified write access)
* Vendor: Logics Software http://www.logics.de (http://www.logics.de/bs2000.htm)
* Systems Affected: All BS2000 installed platforms, on both Microsoft WINDOWS and UNIX operating systems.
* Description: Without authentication or authorization it is possible to exploit "File Transfer from BS2000 Host to Web Client" simply by replacing the VAR_FT_* variables: VAR_FT_LANG selects the language used for the templates and VAR_FT_TMPL selects the template to be used. Replacing VAR_FT_LANG with "c:\" (or anything else) and VAR_FT_TMPL with the file we want to read (e.g. winnt/win.ini) gives read access to the requested resource (most files in the filesystem). For example,

  http://www.myserver.com/logwebcgi/logwebftbs2000.exe?VAR_FT_LANG=c:\&VAR_FT_TMPL=winnt/win.ini

  will return the contents of c:\winnt\win.ini. On UNIX systems you can test the vulnerability with:

  http://www.myserver.com/logwebcgi/logwebftbs2000.exe?VAR_FT_LANG=/etc&VAR_FT_TMPL=passwd

  We have not checked in depth the possibility of reading the registry (c:\winnt\system32\config), the SAM or other attack-relevant files, but we have confirmed ABSOLUTELY that on UNIX installations where the web server runs as a privileged user (root or similar) you can read files like /etc/shadow, /etc/master.passwd... so this vulnerability could escalate to something really dangerous depending on the specific system and on the web server and its configuration. Probably anyone is able to UPLOAD files to the server as well, as those are also managed by this tool, but we were not able to test it on our platform.
* Protection: Check whether access to the c:\ (/) resource can be locked from within this tool, but our recommendation is to directly remove access to the BS2000 FTP executables and tools (everything inside the logwebcgi/ directory).
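As an added example of the protection discussed above (this is not Logics' code; the template root path and the allowed file-name rules are assumptions), the following Python shows the unchecked path join the advisory describes next to a resolver that allow-lists VAR_FT_LANG and VAR_FT_TMPL and confines the result to the template tree:

```python
import posixpath
import re
from pathlib import PurePosixPath
from urllib.parse import parse_qs

# Assumed template location; the advisory does not give the real install path.
TEMPLATE_ROOT = PurePosixPath("/opt/logweb/templates")
LANG_RE = re.compile(r"[a-z]{2}")              # language code such as "de" or "en"
TMPL_RE = re.compile(r"[A-Za-z0-9_-]+\.html")  # bare file name, no separators


class TemplateRequestError(ValueError):
    """Raised when VAR_FT_LANG or VAR_FT_TMPL cannot be served safely."""


def resolve_template_unsafe(lang: str, tmpl: str) -> str:
    # The behaviour the advisory describes: both request variables are joined
    # straight into a path.  A leading "/" in VAR_FT_LANG discards the template
    # root, so lang="/etc", tmpl="passwd" yields "/etc/passwd".
    return str(TEMPLATE_ROOT / lang / tmpl)


def resolve_template(lang: str, tmpl: str) -> PurePosixPath:
    # Allow-list each variable first: a language is two lowercase letters, a
    # template is a bare .html file name.  Anything with "/", "\" or ".." fails.
    if not LANG_RE.fullmatch(lang):
        raise TemplateRequestError(f"rejected VAR_FT_LANG={lang!r}")
    if not TMPL_RE.fullmatch(tmpl):
        raise TemplateRequestError(f"rejected VAR_FT_TMPL={tmpl!r}")
    # Defence in depth: normalise and confirm the result is still below the
    # template root, so loosening the patterns later cannot reopen the hole.
    candidate = PurePosixPath(posixpath.normpath(str(TEMPLATE_ROOT / lang / tmpl)))
    if TEMPLATE_ROOT not in candidate.parents:
        raise TemplateRequestError(f"path escapes template tree: {candidate}")
    return candidate


def check_query(query_string: str) -> str:
    # Triage helper for a logged query string such as
    # "VAR_FT_LANG=/etc&VAR_FT_TMPL=passwd": returns the resolved path, or the
    # reason the request would be refused.
    params = parse_qs(query_string, keep_blank_values=True)
    lang = params.get("VAR_FT_LANG", [""])[0]
    tmpl = params.get("VAR_FT_TMPL", [""])[0]
    try:
        return str(resolve_template(lang, tmpl))
    except TemplateRequestError as exc:
        return f"REJECTED: {exc}"
```

check_query() takes the query string as it appears in a web server access log, so the requests quoted above can be replayed against it offline to confirm they are refused while a normal language/template pair is served.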
* Vendor Status: Contacted but no response received.
* Credit: Pedro Viñuales, Román Ramírez
* Related Links:
  - http://www.chasethesun.es
  - http://www.telefonicasoluciones.com
* Greetings: Jarni, pci, v1rg1n17... all :)

Copyright (c) 2001-2005 Chase The Sun / Telefónica Soluciones

Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of Chase The Sun and Telefónica Soluciones. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email rramirez at chasethesun dot es for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.