Disputed / BOGUS

Mybb All Versions Remote Command Execution

Published / (Updated)
Credit
Risk
2012-10-05 / 2012-10-06
Nafsh
High
CWE
CVE
Local
Remote
N/A
N/A
No
Yes

#########################################################
Exploit Title : Mybb All Versions Remote Command Execution
Author : Nafsh
Discovered By : Tapco Security & Research Lab
Date : 3 Oct 2012
Home : http://Sec-Lab.Tap-Co.Net
Contact : Nafsh.Hack@Gmail.com
#########################################################
Source : http://www.mybb.com/download/latest

file : /inc/3rdparty/diff/Diff/Engine/shell.php

Source Of Bug :
$fp = fopen($to_file, 'w');
fwrite($fp, implode("\n", $to_lines));
fclose($fp);
$diff = shell_exec($this->_diffCommand . ' ' . $from_file . ' ' . $to_file);
unlink($from_file);
unlink($to_file);
#########################################################
vulnerability concept:

$_GET + shell_exec() = Command Execution

vulnerability description:

An attacker might execute arbitrary system commands with this vulnerability. User tainted data is used when creating the command that will be executed on the underlying operating system. This vulnerability can lead to full server compromise.

vulnerable example code :
1: exec("./crypto -mode " . $_GET["mode"]);

proof of concept :

/index.php?mode=1;sleep 10;

patch:

Limit the code to a very strict character subset or build a whitelist of allowed commands. Do not try to filter for evil commands. Try to avoid the usage of system command executing functions if possible.

1: $modes = array("r", "w", "a"); if(!in_array($_GET["mode"], $modes)) exit ;
r
#########################################################
D3m0 :

http://www.mXXworkers.com/forum/inc/3rdparty/diff/Diff/Engine/shell.php?Find It In Source=RCE

http://www.artistXXXerse.org/forum/inc/3rdparty/diff/Diff/Engine/shell.php?Find It In Source=RCE
#########################################################
We are : K0242 | Nafsh | Ehram.shahmohamadi
#########################################################
Tnx : Am!r | M.R.S.CO All Members In Www.IrIsT.Ir & Www.IdC-TeAm.NeT
#########################################################
Greetz : All sec-lab researchers

References:

http://Sec-Lab.Tap-Co.Net
http://www.mybb.com/download/latest


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com