Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: Apps :: web5729.htm

Carello Remote File Execution
3rd Oct 2002 [SBWID-5729]

	Carello Remote File Execution


	Carello 1.3


	Matt Moore [] found :

	Carello uses hidden form fields to specify the names of  executables  on
	the server which  are  to  handle  POSTed  form  data.  This  allows  an
	attacker to manipulate the HTML to specify arbitrary executables,  which
	the Carello server software  will  then  run.  For  example,  a  typical
	section of an HTML page created by Carello looks  like  (angle  brackets

	form method="POST" action= "http://server/scripts/Carello/Carello.dll"

	input type="hidden" name="CARELLOCODE" value="WESTPOINT"

	input type="hidden" name="VBEXE" value= "c:\inetpub\..carello-exe-file"

	input type=....etc etc


	Hence, by specifying a value like

	' c:\..\..\..\..\..\..\..\.\winnt\notepad.exe '


	an attacker can execute arbitrary files.

	Westpoint would like  to  thank  Peter  Grundl  of  KPMG  for  providing
	additional information on this vulnerability:

	 Exploitable via GET requests



	The vulnerability can be exploited  by  making  a  GET  request  to  the
	vulnerable .dll and specifying the 'VBEXE' as a parameter.

	 Passing parameters to the invoked executable



	It is possible to pass parameters to the executables invoked using  this

	For example:



	Carello attempts to verify that the  VBEXE  file  specified  is  not  in
	%systemroot% - prepending \.\ to the path circumvents this restriction.


	The vendor indicated that the vulnerability will be fixed  in  the  next
	version of Carello.

	This advisory is available online at:


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH