3rd Oct 2002 [SBWID-5729]
COMMAND
Carello Remote File Execution
SYSTEMS AFFECTED
Carello 1.3
PROBLEM
Matt Moore [matt@westpoint.ltd.uk] found:
Carello uses hidden form fields to specify the names of executables on
the server which are to handle POSTed form data. This allows an
attacker to manipulate the HTML to specify arbitrary executables, which
the Carello server software will then run. For example, a typical
section of an HTML page created by Carello looks like (angle brackets
omitted):
form method="POST" action= "http://server/scripts/Carello/Carello.dll"
input type="hidden" name="CARELLOCODE" value="WESTPOINT"
input type="hidden" name="VBEXE" value= "c:\inetpub\..carello-exe-file"
input type=....etc etc
Hence, by specifying a value like
' c:\..\..\..\..\..\..\..\.\winnt\notepad.exe '
an attacker can execute arbitrary files.
Westpoint would like to thank Peter Grundl of KPMG for providing
additional information on this vulnerability:
Exploitable via GET requests
-----------------------------
The vulnerability can be exploited by making a GET request to the
vulnerable .dll and specifying the 'VBEXE' as a parameter.
Passing parameters to the invoked executable
----------------------------------------------
It is possible to pass parameters to the executables invoked using this
vulnerability.
For example:
/scripts/Carello/Carello.dll?VBEXE=c:\.\winnt\system32\cmd.exe%20/c%20dir>c:\dir.txt
Carello attempts to verify that the VBEXE file specified is not in
%systemroot% - prepending \.\ to the path circumvents this restriction.
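The following is an added illustration, not code from the advisory or from the vendor: it contrasts a raw-string denylist of the kind described above with a check that canonicalises the path first, and with an allowlist design in which the client never sends a path at all. The system root `c:\winnt`, the handler directory and the handler tokens are assumed values chosen for the demonstration.

```python
import ntpath
from typing import Optional

# Constructed values for this demonstration; the product's real layout is not on the page.
SYSTEMROOT = r"c:\winnt"
HANDLER_DIR = r"c:\inetpub\carello\handlers"                      # hypothetical allowed directory
HANDLERS = {"checkout": "checkout.exe", "search": "search.exe"}  # hypothetical token -> file map


def naive_check(vbexe: str) -> bool:
    """Denylist applied to the raw client string, as the advisory describes.
    Returns True when the path is accepted. A leading \\.\\ defeats the prefix test."""
    return not vbexe.lower().startswith(SYSTEMROOT)


def canonical_check(vbexe: str) -> bool:
    """Canonicalise (collapse '.' and '..') before comparing, then also require the
    result to sit inside the handler directory. Returns True when accepted."""
    norm = ntpath.normpath(vbexe).lower()
    if norm.startswith(SYSTEMROOT + "\\"):
        return False
    try:
        # commonpath raises ValueError for a different drive or a relative path
        return ntpath.commonpath([norm, HANDLER_DIR]) == HANDLER_DIR
    except ValueError:
        return False


def resolve_handler(token: str) -> Optional[str]:
    """Allowlist design: the form carries only a short token and the server maps it
    to an executable it owns. Anything that is not a plain alphanumeric token
    (separators, dots, spaces, arguments) is rejected outright."""
    if not token.isalnum():
        return None
    name = HANDLERS.get(token.lower())
    return ntpath.join(HANDLER_DIR, name) if name else None
```

`ntpath` is used explicitly so the Windows path rules apply regardless of the host the check is run on.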
SOLUTION
The vendor indicated that the vulnerability will be fixed in the next
version of Carello.
This advisory is available online at:
http://www.westpoint.ltd.uk/advisories/wp-02-0012.txt