Zeroboard File Upload & extension bypass Vulnerability
Author : Choi Min-sung (mins at wins21.com)
Product : Zeroboard http://www.nzeo.com
Vendor-Patches : Unpatched
Impact : remote code execution
By default, Zeroboard prohibits uploading PHP, HTML, and CGI files. However, uploading other files that can modify the Apache configuration, such as .htaccess, is not treated as a serious issue. An attacker can therefore execute arbitrary code on the system and gain control of it.
Apache.
Zeroboard basically prohibits uploading executable scripts such as php, html, cgi, and asp.
// Upload prohibited
if($file1_size>0) {
    $s_file_name1=$file1_name;
    if(eregi("\.inc",$s_file_name1)||eregi("\.phtm",$s_file_name1)||eregi("\.htm",$s_file_name1)||eregi("\.shtm",$s_file_name1)
       ||eregi("\.ztx",$s_file_name1)||eregi("\.php",$s_file_name1)||eregi("\.dot",$s_file_name1)||eregi("\.asp",$s_file_name1)
       ||eregi("\.cgi",$s_file_name1)||eregi("\.pl",$s_file_name1)) Error("The HTML and PHP related files cannot be uploaded.");
But the above code cannot block the upload of files such as .htaccess.
AddType application/x-httpd-php .php .php3 .php4 .htm .html .txt
<? phpinfo(); ?>
$ lynx --dump http://hackme/zb41pl7/bbs/data/test/test.txt
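An allow-list form of the filename check above, shown as an added example (it is not Zeroboard code and not the author's patch). ALLOWED_EXT, allowed_upload_ext() and storage_name() are hypothetical names, and the sample file names are constructed.

```php
<?php
// Added example: allow-list replacement for a deny-list upload check.
// ALLOWED_EXT and both function names are hypothetical, not Zeroboard code.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'zip', 'txt', 'pdf'];

/**
 * Return the lower-cased extension if the client-supplied name is acceptable,
 * or null if the upload must be rejected.
 */
function allowed_upload_ext(string $client_name): ?string
{
    // Drop any directory part the client sent (both separators).
    $name = basename(str_replace('\\', '/', $client_name));

    // Reject empty names, dotfiles (.htaccess and similar) and control bytes.
    if ($name === '' || $name[0] === '.' || preg_match('/[\x00-\x1f]/', $name)) {
        return null;
    }
    // Every dot-separated part after the base name must be on the allow-list,
    // so "a.php.jpg" is rejected as well as "test.php".
    // This is deliberately strict: "my.photo.jpg" is rejected too.
    $parts = explode('.', strtolower($name));
    array_shift($parts);                      // remove the base name
    if ($parts === []) {
        return null;                          // no extension at all
    }
    foreach ($parts as $ext) {
        if (!in_array($ext, ALLOWED_EXT, true)) {
            return null;
        }
    }
    return end($parts);
}

/** Server-generated storage name: the client's name never reaches the disk. */
function storage_name(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names, not taken from a real upload.
foreach (['photo.JPG', '.htaccess', 'test.php', 'a.php.jpg', 'notes.txt', 'README'] as $n) {
    $ext = allowed_upload_ext($n);
    printf("%-10s => %s\n", $n, $ext === null ? 'rejected' : 'stored as ' . storage_name($ext));
}
```

The extension check only decides what is written to disk; which files Apache executes is decided by the server configuration, so the upload directory should also be served with AllowOverride None.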
Below is an informal patch that I made.
Vendor Proceed -> Unpatched
— write_ok.php.org 2005-09-01 19:22:17.000000000 +0900
+++ write_ok.php 2005-09-01 19:22:27.000000000 +0900
@@ -208,7 +208,7 @@
if(eregi("\.inc",$s_file_name1)||eregi("\.phtm",$s_file_name1)||eregi("\.htm",$s_file_name1)||eregi("\.shtm",$s_file_name1)
||eregi("\.ztx",$s_file_name1)||eregi("\.php",$s_file_name1)||eregi("\.dot",$s_file_name1)||eregi("\.asp",$s_file_name1)
||eregi("\.cgi",$s_file_name1)||eregi("\.pl",$s_file_name1)) Error("The HTML and PHP related files
cannot be uploaded.");
if(preg_match("/^\./",$s_file_name1)||eregi("\.inc",$s_file_name1)||eregi("\.phtm",$s_file_name1)||eregi
("\.htm",$s_file_name1)||eregi("\.shtm",$s_file_name1)||eregi("\.ztx",$s_file_name1)||eregi("\.php",$s_file_name1)||eregi
("\.dot",$s_file_name1)||eregi("\.asp",$s_file_name1)||eregi("\.cgi",$s_file_name1)||eregi("\.pl",$s_file_name1))
Error("The
HTML and PHP related files cannot be uploaded.");
//Check extension
if($setup[pds_ext1]) {
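Review bot: The new preg_match("/^\./",$s_file_name1) test at the front of the condition only rejects names that begin with a dot; the rest of the condition is still a deny-list of unanchored eregi substring matches, so the check keeps depending on every dangerous name being enumerated. Consider comparing the final extension against an allow-list and storing the file under a server-generated name instead. The error text "The HTML and PHP related files cannot be uploaded." does not describe the dotfile case the condition now covers, and the hunk changes only the $s_file_name1 check, so any other upload field handled in this file needs the same condition.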
01/09/2005 Initial vendor notification. I made a temporary patch.
02/09/2005 Vendor confirms vulnerability.
15/03/2006 Released Patch 4.1pl8 (THIS VULNERABILITY NOT PATCHED)
12/06/2006 Vulnerability reported to KISA (Korea Information Security Agency) KRCert
12/06/2006 Final Vendor Contact.
12/06/2006 Secunia notified of this vulnerability.
16/06/2006 Public disclosure.
Discovered by Choi Min-sung, WINSTechnet CERT
http://securecast.wins21.com/zerovul.html
http://securecast.wins21.com/offer/offer_database_view.asp?code=WE06-0391