COMMAND
tradecli.dll
SYSTEMS AFFECTED
1C:Arcadia
PROBLEM
The following is based on NERF Advisory #2.
1. Disclosure of the scripts directory path
===========================================
Exploit:
http://host/scripts/tradecli.dll?template=nonexistfile
Requesting a template that does not exist returns an error message
containing the full path of the working directory (usually /scripts).
Advice for developers: write such messages only to the Event Log.
2. Read any file from the drive
===============================
tradecli.dll is the template language interpreter of 1C:Arcadia. It
processes the file named in the template parameter, interprets tags
beginning with an underscore (for example <_include...>), copies
everything else unchanged into an ASCIIZ (NUL-terminated) string and
returns that string as the result. The path passed in the template
variable is not checked for special sequences, so it is possible to
climb the directory tree (..\) and reach a file by its full path. Only
files on the drive that holds the working directory of tradecli.dll
can be read.
Exploit:
http://host/script/tradecli.dll?template=..\..\..\..\..\path\to\file
Reading binary files is awkward, because data after the first 0 (NUL)
byte is not printed. Advice for developers: check that the file named
in template exists. Advice for admins: restrict permissions on
tradecli.dll.
3. Crashing the ISAPI application (DoS)
=======================================
Opening the reserved device names com1, com2, etc. as files crashes
the Windows NT application, which takes down the whole application
(1C:Arcadia) and consequently the site.
Exploit:
http://host/scripts/tradecli.dll?template=com1
http://host/scripts/tradecli.dll?template=com2
http://host/scripts/tradecli.dll?template=com3
http://host/scripts/tradecli.dll?template=con
http://host/scripts/tradecli.dll?template=prn
http://host/scripts/tradecli.dll?template=aux
Advice for developers: on Windows, check that a file exists (FindOpen
etc.) before opening it. Advice for admins: wait for the next release.
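A server-side check covering the three items above, added here as an
illustration; it is not code from the advisory or from 1C. The work
directory C:\Inetpub\scripts, the template names and the messages are
constructed assumptions, and the existence check the advisory asks for
is left to the caller.

```python
import ntpath

# Assumed work directory of tradecli.dll (the advisory says usually /scripts).
SCRIPTS_DIR = r"C:\Inetpub\scripts"

# Reserved DOS device names: opening one as a file blocks or crashes the process (item 3).
RESERVED_DEVICES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def is_reserved_device(component):
    # Windows matches device names case-insensitively and ignores the extension,
    # so "com1", "COM1.txt" and "con ." all name devices.
    base = component.split(".", 1)[0].strip().upper()
    return base in RESERVED_DEVICES


def resolve_template(template, base_dir=SCRIPTS_DIR):
    """Map an untrusted ?template= value to a path inside base_dir.

    Returns the canonical path, or None when the request must be refused.
    Whether the file actually exists is left to the caller.
    """
    if not template or "\0" in template:          # empty, or a NUL that would cut the ASCIIZ string
        return None
    drive, rest = ntpath.splitdrive(template)
    if drive or rest[:1] in ("\\", "/"):          # drive letters, UNC shares, absolute paths
        return None
    root = ntpath.normpath(base_dir)
    full = ntpath.normpath(ntpath.join(root, template))   # collapses ..\ segments lexically
    # Item 2: the result must stay strictly below the work directory (case-insensitive on NTFS).
    if not full.lower().startswith(root.lower() + "\\"):
        return None
    # Item 3: no path component may be a device name; the "C:" drive component is skipped.
    if any(is_reserved_device(part) for part in full.split("\\")[1:]):
        return None
    return full


def handle_request(template, base_dir=SCRIPTS_DIR):
    """Item 1: the client gets a generic message; path details go to the log only."""
    full = resolve_template(template, base_dir)
    if full is None:
        log_line = f"tradecli: refused template={template!r} (work dir {base_dir})"
        return 404, "Template not found.", log_line
    # The real handler would render the file at `full`; the path stands in for the body here.
    return 200, full, None
```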
SOLUTION
Nothing yet.