Drupal Local File Inclusion Vulnerability (Windows)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Drupal Local File Inclusion Vulnerability (Windows)
From: Bogdan Calin <bogdan@xxxxxxxxxxxx>
Date: Fri, 27 Feb 2009 11:17:07 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Thunderbird 2.0.0.19 (Windows/20081209)

Hi guys,

I was testing Acunetix WVS (with AcuSensor enabled) on Drupal
(http://www.drupal.org) and the scanner found a possible File Inclusion
vulnerability. The vulnerability is located in the file
"includes\theme.inc" on line 1011.

Vulnerable code:
function theme_render_template($template_file, $variables) {
  extract($variables, EXTR_SKIP);  // Extract the variables to a local
namespace
  ob_start();                      // Start output buffering
  include "./$template_file";      // Include the template file <<< here
is the vulnerability
  $contents = ob_get_contents();   // Get the contents of the buffer
  ob_end_clean();                  // End buffering and discard
  return $contents;                // Return the contents
}

Basically, by manipulating the q variable, it's possible to partially
control the include path.  The GET variable q was set to
"start/../../xxx\..\..\end" and it got partially sanitized.
It reached the include function as
"./themes/garland/page-start-..-..-xxx\..\..\end.tpl.php".
All the slashes were replaced with "-".

Even more, we cannot fully control the include path, the user input is
automatically prefixed with "./themes/garland/page-".

So, this vulnerability doesn't look exploitable, right?
Actually, this is exploitable, but only on Windows systems.

On Unix systems, something like "cat
/var/www/some_invalid_filename/../../../../../etc/passwd" doesn't work
because some_invalid_filename is not a directory.
It will not work even if you have a valid filename in there. In my
opinion this is the expected behavior.

However, on Windows things are differently.

Executing the command "type
c:\windows\sssssssssssss\..\..\..\..\..\boot.ini" will return the
contents of
c:\boot.ini even if sssssssssssss is not a directory and it doesn't even
exists as a filename.

PHP option magic_quotes_gpc is turned OFF in Drupal, so it's possible to
use %00 to terminate the string.
Therefore, if you set q to something like
q=\..\..\..\..\..\..\..\..\..\..\..\..\boot.ini%00 it's possible to
include the contents of boot.ini on Windows systems (if the web server
is installed on the C: partition).

A bit more information is available in our blog at
http://www.acunetix.com/blog/websecuritynews/drupal-local-file-inclusion-vulnerability/.

Drupal security team was notified about this vulnerability on 29 January
2009 and they've released a fix on 25 February 2009.

The fix for Drupal versions 5.x is available at
http://drupal.org/node/384024.
And for Drupal versions 6.x can be found at http://drupal.org/node/383724.

Thanks and have a nice day,
-- 
Bogdan Calin - bogdan@xxxxxxxxxxxx
CTO
Acunetix Ltd. - http://www.acunetix.com
Acunetix Web Security Blog - http://www.acunetix.com/blog

Prev by Date: Re[2]: [DSECRG-09-009] APC PowerChute Network Shutdown's Web Interface - XSS vulnerability
Next by Date: Hex Workshop <= v6 (.hex) File Local Code
Previous by thread: VMSA-2009-0003 ESX 2.5.5 patch 12 updates service console package ed
Next by thread: Hex Workshop <= v6 (.hex) File Local Code
Index(es):
- Date
- Thread