CruiseWorks Directory Traversal and Buffer Overflow Vulnerabilities
24 Oct. 2006
Summary
Two vulnerabilities have been found in CruiseWorks. When exploited, they allow an authenticated user to retrieve arbitrary files accessible to the web server process, and to execute arbitrary code with the privileges of the IIS IUSR_MACHINE account.
Vulnerable Systems:
* CruiseWorks Groupware version 1.09c
* CruiseWorks Groupware version 1.09d
Immune Systems:
* CruiseWorks Groupware version 1.09e
This advisory discloses two vulnerabilities in CruiseWorks Groupware.
1) CruiseWorks cws.exe "doc" Parameter Directory Traversal
CruiseWorks does not properly validate the "doc" parameter of "/scripts/cruise/cws.exe" before using it to retrieve files for display. By supplying directory traversal sequences (such as "..\") in the parameter, a malicious user can read the contents of any file accessible to the web server process.
2) CruiseWorks cws.exe "doc" Parameter Buffer Overflow
CruiseWorks does not properly validate the length of the "doc" parameter of "/scripts/cruise/cws.exe" before using it to construct a path with "sprintf()" into a fixed-size stack buffer. An overly long value overflows the buffer, allowing a malicious user to execute code with the privileges of the IIS IUSR_MACHINE account.
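The two flaws share one root cause: the "doc" value is taken from the query string and used to build a file path without any validation. The following C program is an added illustration and is not CruiseWorks code; the document root, buffer size and name length limit are assumed placeholders, since the advisory gives none of them. It shows the sprintf-into-fixed-buffer pattern (exercised safely with snprintf's return value, which reports the length sprintf would have written) beside a hardened path builder that percent-decodes first, then rejects traversal sequences, path separators and over-long names before a bounded write.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed values for illustration only; the advisory does not state them. */
#define DOC_ROOT      "C:\\Inetpub\\cruise\\docs\\"
#define PATH_BUF_SIZE 260
#define DOC_MAX_LEN   64   /* assumed upper bound for a document name */

/* The pattern the advisory describes: fixed stack buffer, sprintf, no checks.
   sprintf(path, "%s%s", DOC_ROOT, doc) smashes 'path' once the combined length
   reaches sizeof path. snprintf's return value gives that length without
   actually overflowing, so the check can be run safely. */
bool overflow_at_length(size_t doc_len) {
    char path[PATH_BUF_SIZE];
    char doc[1024];
    if (doc_len >= sizeof doc) doc_len = sizeof doc - 1;
    memset(doc, 'A', doc_len);
    doc[doc_len] = '\0';
    int needed = snprintf(path, sizeof path, "%s%s", DOC_ROOT, doc);
    return needed >= (int)sizeof path;   /* true: sprintf would have overflowed */
}

/* Hardened handling: decode, validate, then build with a bounded write. */
typedef enum { DOC_OK, DOC_BAD_ENCODING, DOC_BAD_LENGTH, DOC_TRAVERSAL, DOC_BAD_CHAR } doc_status;

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode src into dst. Returns the decoded length, or -1 on a malformed
   escape or an undersized dst. Decoding must come first: "%2e%2e%5c" has to be
   judged as "..\" rather than slip past a check on the raw query string. */
int url_decode(const char *src, char *dst, size_t dstsz) {
    size_t j = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        char c = src[i];
        if (c == '%') {
            int hi = hexval(src[i + 1]);
            int lo = hi < 0 ? -1 : hexval(src[i + 2]);
            if (hi < 0 || lo < 0) return -1;
            c = (char)(hi * 16 + lo);
            i += 2;
        } else if (c == '+') {
            c = ' ';
        }
        if (j + 1 >= dstsz) return -1;
        dst[j++] = c;
    }
    dst[j] = '\0';
    return (int)j;
}

/* Validate a decoded "doc" value and build the full path into out. */
doc_status build_doc_path(const char *doc, char *out, size_t outsz) {
    size_t n = strlen(doc);
    if (n == 0 || n > DOC_MAX_LEN) return DOC_BAD_LENGTH;   /* blocks the overflow */
    if (strstr(doc, "..") != NULL) return DOC_TRAVERSAL;    /* blocks ..\ and ../ */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)doc[i];
        /* no separators, drive letters or control bytes: doc must be a bare file name */
        if (c == '/' || c == '\\' || c == ':' || c < 0x20 || c == 0x7f) return DOC_BAD_CHAR;
    }
    int w = snprintf(out, outsz, "%s%s", DOC_ROOT, doc);
    if (w < 0 || (size_t)w >= outsz) return DOC_BAD_LENGTH;
    return DOC_OK;
}

/* Raw query-string value in, status and resolved path out. */
doc_status check_doc(const char *raw_doc, char *out, size_t outsz) {
    char decoded[1024];
    if (url_decode(raw_doc, decoded, sizeof decoded) < 0) return DOC_BAD_ENCODING;
    return build_doc_path(decoded, out, outsz);
}

doc_status check_doc_status(const char *raw_doc) {
    char path[PATH_BUF_SIZE];
    return check_doc(raw_doc, path, sizeof path);
}

bool doc_resolves_to(const char *raw_doc, const char *expected) {
    char path[PATH_BUF_SIZE];
    return check_doc(raw_doc, path, sizeof path) == DOC_OK && strcmp(path, expected) == 0;
}

int main(void) {
    /* Constructed sample "doc" values: benign, encoded traversal, subdirectory, bad escape. */
    const char *samples[] = { "readme.txt", "..%5c..%5cwinnt%5cwin.ini", "sub/file.txt", "%zz" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s -> status %d\n", samples[i], check_doc_status(samples[i]));
    printf("300-byte doc overflows the sprintf buffer: %s\n", overflow_at_length(300) ? "yes" : "no");
    return 0;
}
```

The length check alone closes the overflow; the traversal and separator checks close the file disclosure. Rejecting any ".." rather than trying to normalise it is deliberate: on Windows both "..\" and "../" traverse, and a whitelist of a bare file name is easier to get right than a blacklist of encodings.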
Testing Notes:
The buffer overflow vulnerability is in cws.exe, which IIS (or another web server) runs as an external CGI process for each HTTP request it receives. Supplying an overly long value in the "doc" parameter crashes cws.exe.
However, the crash is tricky to observe: cws.exe dies silently without triggering the Just-In-Time debugger, and the process is too short-lived to attach OllyDbg to it by hand before it crashes. For more information on how to observe and test the buffer overflow, see this page.
POC Exploit:
The following POC exploits the buffer overflow to create files in the "\windows\temp\" or "\winnt\temp\" directory. It has been tested to work on English WinXP SP2 and Japanese Win2K SP4.
NOTE: The shellcode will also sound the speaker continuously.
Copy and paste the entire request into the browser address bar after logging on to CruiseWorks. Remember to change the IP address.
Example Exploit 1 (requires logon):
Note: Exploit 1 uses the address of a JMP ESI instruction in ntdll.dll to return into the shellcode. Because ntdll.dll differs between OS versions and language builds, this address is specific to the systems tested above.
Example Exploit 2 (requires logon):
Note: Exploit 2 uses the address of a CALL ESI instruction in cws.exe itself to return into the shellcode, so it does not depend on system DLL layout and should work on WinXP SP2 systems regardless of language.
Disclosure Timeline:
2006-07-19 - Vulnerability Discovered.
2006-07-20 - Initial Vendor Notification by Email (no reply).
2006-07-21 - Second Vendor Notification by Email (no reply).
2006-07-25 - Third Vendor Notification by Web Form (no reply).
2006-07-26 - Fourth Vendor Notification by Email (no reply).
2006-07-31 - Vulnerability reported to JPCERT/CC.
2006-08-14 - Additional information with updated POC exploit sent to JPCERT/CC.
2006-10-24 - Coordinated Public Disclosure.