lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20051130201624.8631.qmail@securityfocus.com>
Date: 30 Nov 2005 20:16:24 -0000
From: retrogod@...urityfocus.com, at@...urityfocus.com,
	aliceposta@...urityfocus.com, it@...urityfocus.com
To: bugtraq@...urityfocus.com
Subject: Re: Re: Xaraya <= 1.0.0 RC4 D.O.S / file corruption


it's not an inclusion bug, it is an fopen()/file corruption bug, this is the vulnerable code in xarMLSXML2PHPBackend.php:
...
   function create($ctxType, $ctxName)
    {
        assert('!empty($this->baseDir)');
        assert('!empty($this->baseXMLDir)');
        $this->fileName = $this->baseDir;
        $this->xmlFileName = $this->baseXMLDir;

        if (!ereg("^[a-z]+:$", $ctxType)) {
            list($prefix,$directory) = explode(':',$ctxType);
            if ($directory != "") {
                $this->fileName .= $directory . "/";
                $this->xmlFileName .= $directory . "/";
            }
        }

        $dirForMkDir = $this->fileName;
        if (!file_exists($dirForMkDir)) xarMLS__mkdirr($dirForMkDir, 0777);

        $this->fileName .= $ctxName . ".php";
        $this->xmlFileName .= $ctxName . ".xml";

        $xmlFileExists = false;
        if (file_exists($this->xmlFileName)) {
            if (!($fp1 = fopen($this->xmlFileName, "r"))) {
                xarLogMessage("Could not open XML input: ".$this->xmlFileName);
            }
            $data = fread($fp1, filesize($this->xmlFileName));
            fclose($fp1);
            $xml_parser = xml_parser_create();
            xml_parse_into_struct($xml_parser, $data, $vals, $index);
            xml_parser_free($xml_parser);
            $xmlFileExists = true;
        } else {
            xarLogMessage("MLS Could not find XML input: ".$this->xmlFileName);
        }

        $fp2 = @fopen ($this->fileName, "w" );
        if ($fp2 !== false) {
            fputs($fp2, '<?php'."\n");
            fputs($fp2, 'global $xarML_PHPBackend_entries;'."\n");
            fputs($fp2, 'global $xarML_PHPBackend_keyEntries;'."\n");
            if ($xmlFileExists) {
                foreach ($vals as $node) {
                    if (!array_key_exists('tag',$node)) continue;
                    if (!array_key_exists('value',$node)) $node['value'] = '';
                    if ($node['tag'] == 'STRING') {
                        $node['value'] = str_replace('\'', '\\\'', $node['value']);
                        $start = '$xarML_PHPBackend_entries[\''.$node['value']."']";
                    } elseif ($node['tag'] == 'KEY') {
                        $node['value'] = str_replace('\'', '\\\'', $node['value']);
                        $start = '$xarML_PHPBackend_keyEntries[\''.$node['value']."']";
                    } elseif ($node['tag'] == 'TRANSLATION') {
                        if ($this->outCharset != 'utf-8') {
                            $node['value'] = $GLOBALS['xarMLS_newEncoding']->convert($node['value'], 'utf-8', $this->outCharset, 0);
                        }
                        $node['value'] = str_replace('\'', '\\\'', $node['value']);
                        if (!empty($node['value'])) {
                            fputs($fp2, $start . " = '".$node['value']."';\n");
                        }
                    }
                 }
            }
            fputs($fp2, "?>");
            fclose($fp2);
        } else {
            xarLogMessage("Could not create file: ".$this->fileName);
            global $xarML_PHPBackend_entries;
            global $xarML_PHPBackend_keyEntries;
            if ($xmlFileExists) {
                foreach ($vals as $node) {
                    if (!array_key_exists('tag',$node)) continue;
                    if (!array_key_exists('value',$node)) $node['value'] = '';
                    if ($node['tag'] == 'STRING') {
                        $node['value'] = str_replace('\'', '\\\'', $node['value']);
                        $entryIndex = $node['value'];
                        $entryType = 'string';
                    } elseif ($node['tag'] == 'KEY') {
                        $node['value'] = str_replace('\'', '\\\'', $node['value']);
                        $entryIndex = $node['value'];
                        $entryType = 'key';
                    } elseif ($node['tag'] == 'TRANSLATION') {
                        if ($this->outCharset != 'utf-8') {
                            $node['value'] = $GLOBALS['xarMLS_newEncoding']->convert($node['value'], 'utf-8', $this->outCharset, 0);
                        }
                        $node['value'] = str_replace('\'', '\\\'', $node['value']);
                        if ($entryType == 'string') {
                            $xarML_PHPBackend_entries[$entryIndex] = $node['value'];
                        } elseif ($entryType == 'key') {
                            $xarML_PHPBackend_keyEntries[$entryIndex] = $node['value'];
                        }
                    }
                 }
            }
        }

        return true;
    }
}
?>

however, this is  my proof of cocept exploit:

http://www.milw0rm.com/id.php?id=1345


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ