lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <201211011950.qA1JotEb013530@sf01web2.securityfocus.com>
Date: Thu, 1 Nov 2012 19:50:55 GMT
From: n0b0d13s@...il.com
To: bugtraq@...urityfocus.com
Subject: [CVE-2012-5692] Invision Power Board <= 3.3.4 "unserialize()" PHP
 Code Execution Vulnerability

------------------------------------------------------------------------------
Invision Power Board <= 3.3.4 "unserialize()" PHP Code Execution Vulnerability
------------------------------------------------------------------------------

author..............: Egidio Romano aka EgiX
mail................: n0b0d13s[at]gmail[dot]com
software link.......: http://www.invisionpower.com/


[-] Vulnerable code in IPSCookie::get() method defined in /admin/sources/base/core.php

4015.        static public function get($name)
4016.        {
4017.            // Check internal data first
4018.            if ( isset( self::$_cookiesSet[ $name ] ) )
4019.            {
4020.                return self::$_cookiesSet[ $name ];
4021.            }
4022.            else if ( isset( $_COOKIE[ipsRegistry::$settings['cookie_id'].$name] ) )
4023.            {
4024.                $_value = $_COOKIE[ ipsRegistry::$settings['cookie_id'].$name ];
4025.    
4026.                if ( substr( $_value, 0, 2 ) == 'a:' )
4027.                {
4028.                    return unserialize( stripslashes( urldecode( $_value ) ) );
4029.                }

The vulnerability is caused due to this method unserialize user input passed through cookies without a proper
sanitization. The only one check is done at line 4026,  where is controlled that the serialized string starts
with 'a:',  but this is not  sufficient to prevent a  "PHP Object Injection"  because an attacker may send  a
serialized string which represents an array of objects.  This can be  exploited to execute arbitrary PHP code
via the  "__destruct()" method of the  "dbMain" class,  which calls the "writeDebugLog" method to write debug
info into a file.  PHP code may  be injected  only through the  $_SERVER['QUERY_STRING']  variable,  for this
reason successful exploitation of this vulnerability requires short_open_tag to be enabled.


[-] Disclosure timeline:

[21/10/2012] - Vulnerability discovered
[23/10/2012] - Vendor notified
[25/10/2012] - Patch released: http://community.invisionpower.com/topic/371625-ipboard-31x-32x-and-33x-security-update
[25/10/2012] - CVE number requested
[29/10/2012] - Assigned CVE-2012-5692
[31/10/2012] - Public disclosure


[-] Proof of concept:

http://www.exploit-db.com/exploits/22398

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ