Greymatter 1.21c and earlier - remote login/pass exposure

[security curmudgeon <jericho () attrition org>]

Software: Greymatter 1.21c and earlier
Vulnerability: Remote administrator login/password exposure
Vendor Status: Notified [0]

I originally saw this posted on Metafilter [1] and linked to a two line
description [2]. As with many other attacks, you can google for a specific
file and find vulnerable sites all over. I did a quick check and found 4
vulnerable out of the first 10 google reported back. Anyway, since I have
very limited experience with Greymatter (GM), and I have reported one
security bug to the author before, I typed up some more notes on the bug.
This will be fairly easy to catch using whisker/nikto if people use
default installs (which is common). At the time of this post, Nikto [3]
has been updated to look for the existance of Greymatter. The big sign of
GM being present is /cgi-bin/gm.cgi .. that is the greymatter login screen
and odds are GM is being run as root. Just getting the password will let
you post to the blogger, erase entries, upload files and more. However,
there are a lot of CGIs (listed below) associated with the package, many
could be vulnerable to the older attacks. 

In the past I notified the author of a bug related to the password being
stored in cleartext on the server, so that any local user could read it.
This was actually discovered looking at the access_log of apache. When
rebuilding the GM threads/pages, it will include the login name and
password in the HREF. A simple grep of "password" through access_logs, or
snooping through the GM install dirs will find the administrator login for
GM. This prompted me to look at the cause of the HREF, and lead me to note
that many of the GM files are mode 666 by default. The author acknowledged
the vulnerability and indicated he rarely (if ever) supports the package.
Many people are moving to Movable Type [4] which imports GM material and
is being actively maintained. Movable Type apparently worries about
security more as well. For those still using GM, there is user based
support/upgrades/patches available [5]. The Greymatter home page can be
found at http://noahgrey.com/greysoft/. 

About Greysoft from their page: 

Greymatter is the original—and still the world's most popular—opensource
weblogging and journal software.  With fully-integrated comments,
searching, file uploading and image handling, completely customisable
output through dozens of templates and variables, multiple author support,
and many other features, Greymatter remains the weblog/journal program of
choice for tens of thousands of people around the world. 

--

From the original post about the vulnerability [2]: 

How to hack greymatter driven sites

Just search for a file called "gmrightclick" in google and download a file
called "gmrightclick*.reg" where the stars represent a number. open it and
there you have it: Username and Password for everyone to use.

--

For those doing pen-testing or looking for the vuln, here are a few signs
of greymatter being used: 

* button "powered by greymatter", links to: http://noahgrey.com/greysoft/
* text that says "greymatter" 
* default blog string: Posted by <username> @ <time> [Link] [No Comments]
                     : Posted by <username> @ <time> [Link] [2 Comments]
* /cgi-bin/gm.cgi is present and offers login/pass

--

Here are the CGI's in greymatter install (w/ default perms):

-rw-rw-rw-   1 root     fs            304 Dec  8 04:17 gm-authors.cgi
-rw-rw-rw-   1 root     fs             23 Sep 21 23:00 gm-banlist.cgi
-rwxr-xr-x   1 root     fs          15571 Jan 12  2001 gm-comments.cgi*
-rw-rw-rw-   1 root     fs            409 Sep 22 01:50 gm-config.cgi
-rw-rw-rw-   1 root     fs             18 Dec  8 04:17 gm-counter.cgi
-rw-rw-rw-   1 root     fs          23873 Dec  8 04:17 gm-cplog.cgi
-rw-rw-rw-   1 root     fs            750 Dec  8 04:17 gm-entrylist.cgi
-rwxr-xr-x   1 root     fs          10211 Jan 12  2001 gm-karma.cgi*
-rw-rw-rw-   1 root     fs         157160 Feb 22  2001 gm-library.cgi
-rw-rw-rw-   1 root     fs          20353 Sep 22 03:15 gm-templates.cgi
-rwxr-xr-x   1 root     fs           9162 Jan 12  2001 gm-upload.cgi*
-rwxr-xr-x   1 root     fs         388772 Feb 22  2001 gm.cgi*

--

The path to "gmrightclick*" can vary widely. This is user defined but
often easy to find just by visiting the GM based blog/site. The default
directory is (I believe) /archive/. Others you may often see is
/archive/logs/ or /photo/archives/ depending on the GM usage. 

What prompts this vulnerability: 

If the administrator uses the "Add Bookmarklets" feature to add a
link/photo, it will add a new "gmrightclick*" file unless they have set
the "clear" function in their configuration. After adding a link, they
need to hit the "Clear And Exit" button at the bottom of the page. This
will remove all "gmrightclick*reg" files. 

Sites that customize their look/HTML will likely not have an open
/archive/ dir. Sites that use "Master Archive" option will not have a
browsable /archive/ directory. This will make it difficult to find the
file. 

'gmrightclick' filename examples:
gmrightclick-150003.reg
gmrightclick-215087.reg
gmrightclick-146133.reg
gmrightclick-558618.reg

I assume the number is pseudo random, or based off PID or something else
as an obscurity scheme. This WILL help for sites that customize or use
'master archive' feature, as it will not let the user enter the /archive/
dir and clearly see the .reg files. You could brute force find this
possibly but the gain is minimal. Further, the file can be deleted without
hurting functionality so it may not even be there despite brute forcing. 

GM is a unix package, but the 'bookmarklet' option is an Internet Explorer
feature. 

Contents of gmrightclick*reg (word wrapped for this post): 

REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Post To &Greymatter]

@="javascript:doc=external.menuArguments.document;lt=escape(doc.selection.createRange().text); 
loglink=escape(doc.location.href);loglinktitle=escape(doc.title); 
wingm=window.open('http://some.site.here.edu/cgi-bin/greymatter/gm.cgi?jericho=gmbmpost&;
authorname=ADMINNAME&authorpassword=CLEARTEXTPASSWORD&logtext='+lt+'&loglink='+loglink+'&loglinktitle=
'+loglinktitle,'gmwindow','scrollbars=yes,width=660,height=460,left=75,
top=75,status=yes,resizable=yes');wingm.focus();""contexts"=hex:31


Notice the two fields: "authorname" and "authorpassword" above. With this
information, you can log in w/ full administrative rights to a GM site. 



References:

[0] http://foshdawg.net/forums/viewtopic.php?p=773#773
[1] http://www.metafilter.com/comments.mefi/15039
[2] http://www.dangerousmonkey.com/dangblog/dangarch/00000051.htm
[3] http://www.cirt.net/nikto/
[4] http://www.movabletype.org/
[5] http://foshdawg.net/forums/index.php