[Fixed] DragonflyCMS 9.0.6.1 Security Fixes :: Archived
Jeruvy (Security Team, Canada)
Posted: Thu Feb 09, 2006 7:07 pm
Post subject: [Fixed] DragonflyCMS 9.0.6.1 Security Fixes

CPGNuke Dragonfly 9.0.6.1 remote commands execution through arbitrary local inclusion

Posted February 9th, 2006 @ 02:12am by rgod @ autistici.org

There are two ways to inject arbitrary code in dragonfly resources:

i) in cpg_error.log, PoC:

this works with $error_log = true in error.php (not the default)
some problems with spaces, converted as %20, so this way works with
allow_short_open_tag = On in php.ini

ii) uploading a malicious .png file to the modules/coppermine/albums/userpics/
dir. We will search for a php[some hex values].tmp file; you have to supply
valid credentials with upload rights to do that... by default, any user can
upload

however you can try manually including some database file or Apache log... use
your imagination

POC's removed

_________________
J.
j e r u v y a t y a h o o d o t c o m

Need help? Look here: www.dragonflycms.org/W...d=112.html
Need to chat? Look for me on irc.freenode.net

Jeruvy's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
Ubuntu7.10/Debian3.1 - 2.2.3/1.3.37 - 5.0.38/4.0.27 - 5.2.1/4.4.7 - CVS/9.1.2
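Both vectors in the advisory above come down to the same thing: get PHP into a file on disk (the error log, or a "picture" in the userpics directory) and then get install.php to include it. As an added example, not rgod's PoC and not DragonflyCMS code, here is the check a site owner reading this would run: walk the access log for any request that still reaches the installer, flagging a currentlang value that would fail a [a-z_] whitelist on its own, and scan cpg_error.log and the userpics tree for PHP open tags. The Apache "combined" log format, the parameter name currentlang and every sample line and file below are assumptions or constructed data, not taken from the advisory.

```python
"""Added example, not rgod's PoC and not DragonflyCMS code.

Two checks for the two vectors in the advisory: requests that still reach the
installer (with a currentlang that would fail an [a-z_] whitelist flagged on its
own), and files that should never contain PHP but do.  Assumed: Apache 'combined'
log format and the request parameter name 'currentlang'; all sample data is
constructed."""
import re
from urllib.parse import parse_qs, urlsplit

LANG_OK = re.compile(r'^[a-z_]+$')                    # whitelist: letters and underscore only
PHP_TAG = re.compile(rb'<\?(php|=)?', re.IGNORECASE)  # bare '<?' counts: the advisory leans on short open tags

# Apache combined log: client, ident, user, [time], "method target proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Constructed sample traffic (not a real log).
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [09/Feb/2006:02:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Feb/2006:02:12:07 +0000] "GET /install.php?currentlang=english HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Feb/2006:02:12:09 +0000] "GET /install.php?currentlang=..%2F..%2Fcpg_error.log HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Feb/2006:02:13:00 +0000] "POST /modules.php?name=coppermine&file=upload HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

def suspicious_install_requests(log_text):
    """Return (ip, time, target, reason) for every request that touches the installer.

    Any hit on install.php or /install/ after installation deserves a look, because
    install.txt step 8 says those files should be gone.  A currentlang value outside
    the whitelist is reported separately: that is the input the installer's own
    language check does not reject."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m['target'])
        if not (url.path.endswith('/install.php') or url.path.startswith('/install/')):
            continue
        reason = 'installer still reachable'
        # parse_qs percent-decodes, so '..%2F..' is compared as '../..'
        for value in parse_qs(url.query, keep_blank_values=True).get('currentlang', []):
            if not LANG_OK.match(value):
                reason = 'currentlang outside whitelist: %r' % value
        hits.append((m['ip'], m['ts'], m['target'], reason))
    return hits

def files_with_php_tags(named_blobs):
    """named_blobs maps a path to its bytes; return the paths that contain a PHP open tag.

    Run it over cpg_error.log and everything under modules/coppermine/albums/userpics/:
    a 'PNG' with '<?' in it is not a picture, and a log entry containing '<?' means the
    application was fed PHP through an input that it writes to disk."""
    return [path for path, data in named_blobs.items() if PHP_TAG.search(data)]

# Constructed samples: a PNG header, a PNG with PHP appended, and a poisoned log line.
SAMPLE_FILES = {
    'modules/coppermine/albums/userpics/10001/clean.png': b'\x89PNG\r\n\x1a\n' + b'\x00' * 16,
    'modules/coppermine/albums/userpics/10001/evil.png': b'\x89PNG\r\n\x1a\n' + b'<?php echo "injected"; ?>',
    'cpg_error.log': b'[09-Feb-2006 02:12:09] error in /modules.php: <? echo "injected"; ?>\n',
}

if __name__ == '__main__':
    for hit in suspicious_install_requests(SAMPLE_ACCESS_LOG):
        print('%s %s %s -> %s' % hit)
    print('files carrying PHP:', files_with_php_tags(SAMPLE_FILES))
```

The file scan will also flag a legitimate XML or SVG file that starts with `<?xml`, which is the right outcome when PHP runs with short open tags enabled, since PHP would try to execute that prologue too; treat such hits as "check by hand", not as proof of compromise.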
tuta (Supporter, Houston)
Posted: Thu Feb 09, 2006 7:29 pm
Post subject: Re: Posted on Bugtraq -CPGNuke Dragonfly 9.0.6.1 remote comm

I am not a security expert, but it seems like this is completely dependent upon the user not following install.txt step #8

Quote::
#8 --- After installing, delete install.php and the /install directory!

_________________
SEARCH the WIKI
How to Port for Dragonfly

tuta's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
Linux/Apache/MySQL 4.1.22/PHP 4.4.6/9.1.2.1
Jordo (Newbie)
Posted: Thu Feb 09, 2006 7:49 pm
Post subject: Re: Posted on Bugtraq -CPGNuke Dragonfly 9.0.6.1 remote comm

It looks like it tries 3 different things. The first 2 require install.php and the error log enabled.

If those fail, then it tries a Coppermine exploit.

_________________
Jordo
www.jordomedia.com

Jordo's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
Linux/1.3.33/4.0.22/4.3.10/9.0.3
DJ Maze (Developer)
Posted: Thu Feb 09, 2006 9:01 pm
Post subject: Re: Posted on Bugtraq -CPGNuke Dragonfly 9.0.6.1 remote comm

install.php
Code::
// 9.0.6.1: file_exists() only proves the named file is there; nothing restricts
// which characters $currentlang may contain before it is spliced into the path
if (empty($currentlang) || ($currentlang != 'english' && !file_exists(BASEDIR."install/language/$currentlang.php"))) {
	$currentlang = 'english';
}
change into
Code::
// fix: accept only lowercase letters and underscore, so no '/', '.' or other
// path characters ever reach the include
if (empty($currentlang) || !preg_match('#^[a-z_]+$#', $currentlang) || ($currentlang != 'english' && !file_exists(BASEDIR."install/language/$currentlang.php"))) {
	$currentlang = 'english';
}


DJ Maze's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
Fedora 15 / 2.2.22 / 5.5.20 / 5.3.10 / CVS
DJ Maze (Developer)
Posted: Thu Feb 09, 2006 9:21 pm
Post subject: Re: Posted on Bugtraq -CPGNuke Dragonfly 9.0.6.1 remote commands

error.php fixed
dragonflycms.org/cvs/h....php?g=9.8


Jeruvy (Security Team, Canada)
Posted: Thu Feb 09, 2006 10:33 pm
Post subject: Re: Posted on Bugtraq -CPGNuke Dragonfly 9.0.6.1 remote comm

Excellent work, is there a new archive ready for download.

To my reading of this, yes IF the install.php is LEFT on the server, AND the person deals with the insecure error.php AND/OR [edit: corrected] can upload malicious PNG's (trivial) then this exploit will work.

Of course the thing to keep in mind is since the install.php does not delete itself, it's up to the user who may not be aware, nor read documents fully or perhaps may not understand and be afraid to delete files.

Just to add...a good idea would be in cmsinit.ini to check for the presence of the install dir, and load a page instead of main to remind the user to delete this. Prevent them from using the site proper while it exists.


Cheers!



Last edited by Jeruvy on Thu Feb 09, 2006 10:47 pm; edited 2 times in total
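Two things from this thread deserve a worked form: DJ Maze's one-line whitelist on $currentlang (posted above) and Jeruvy's suggestion that the CMS should refuse to serve the site while install.php or the install directory is still present. The block below is an added example in Python, not DragonflyCMS code (the real install.php is PHP). It applies the same `^[a-z_]+$` pattern, and goes one step beyond the posted fix by also resolving the final path and refusing anything outside install/language/, so that a later loosening of the regex cannot reopen the hole. The directory layout is an assumption built in a temp dir by build_demo_webroot(); the language names, file contents and the `name_pattern=None` switch exist only for the demonstration. One caveat worth knowing before shipping the pattern: it rejects uppercase and digits, so a language file named like `de_DE.php` would silently fall back to english.

```python
"""Added example, not DragonflyCMS code (the real install.php is PHP).

resolve_language_file() applies the whitelist from the posted fix and, as a second
layer, refuses any resolved path outside install/language/.  installer_left_behind()
is the check behind the 'refuse to serve the site while install/ exists' idea.
Assumed: the directory layout, built in a temp dir by build_demo_webroot()."""
import os
import re
import tempfile

LANG_NAME = re.compile(r'^[a-z_]+$')   # the pattern from the posted fix

def resolve_language_file(basedir, currentlang, default='english', name_pattern=LANG_NAME):
    """Return the absolute path of the language file to include.

    name_pattern=None skips the whitelist; it exists only to show that the realpath
    containment below still stops traversal on its own."""
    langdir = os.path.realpath(os.path.join(basedir, 'install', 'language'))
    if not currentlang or (name_pattern is not None and not name_pattern.match(currentlang)):
        currentlang = default                        # anything outside [a-z_] falls back, as in the fix
    candidate = os.path.realpath(os.path.join(langdir, currentlang + '.php'))
    if os.path.commonpath([langdir, candidate]) != langdir:
        raise ValueError('refusing to include %s: outside %s' % (candidate, langdir))
    if currentlang != default and not os.path.isfile(candidate):
        candidate = os.path.join(langdir, default + '.php')   # unknown language: use the default
    return candidate

def installer_left_behind(basedir):
    """List the installer artefacts that install.txt step 8 says to delete."""
    return [rel for rel in ('install.php', 'install')
            if os.path.exists(os.path.join(basedir, rel))]

def build_demo_webroot():
    """Constructed layout: two language files, install.php still present, a poisoned error log."""
    root = os.path.realpath(tempfile.mkdtemp(prefix='df_demo_'))
    langdir = os.path.join(root, 'install', 'language')
    os.makedirs(langdir)
    for name in ('english', 'dutch'):
        with open(os.path.join(langdir, name + '.php'), 'w') as f:
            f.write('<?php $lang = "%s"; ?>\n' % name)
    open(os.path.join(root, 'install.php'), 'w').close()
    with open(os.path.join(root, 'cpg_error.log'), 'w') as f:
        f.write('<?php echo "injected"; ?>\n')
    return root

if __name__ == '__main__':
    root = build_demo_webroot()
    for value in ('english', 'dutch', 'klingon', '../../cpg_error.log', 'de_DE', 'x\x00y', ''):
        chosen = resolve_language_file(root, value)
        print('%-24r -> %s' % (value, os.path.relpath(chosen, root)))
    try:
        resolve_language_file(root, '../../cpg_error.log', name_pattern=None)
    except ValueError as e:
        print('without the whitelist:', e)
    print('installer leftovers:', installer_left_behind(root))
```

With the whitelist in place the containment check never fires on user input; it is there so that the include stays pinned to one directory even if someone later relaxes the regex to admit, say, hyphens or dots. The leftover check is cheap enough to run on every request during bootstrap, which is what it would take to make Jeruvy's "block the site until the installer is deleted" idea work rather than just a reminder on the admin page.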
Jordo (Newbie)
Posted: Thu Feb 09, 2006 10:37 pm
Post subject: Re: Posted on Bugtraq -CPGNuke Dragonfly 9.0.6.1 remote comm

I'm not reading it that way. I think the image upload is a separate exploit from the error.php and install.php exploits (hopefully I'm wrong though).

Mainly because of these lines.
PHP:
if (eregi("HiMaster!",$HtMl)) {echo "Exploit succeeded...<br>";die;}
else {echo "STEP 2 failed..., trying STEP 3...";}

#STEP 3 -> If STEP 2 failed, trying to upload a malicious .png file -> firstly login to retrieve a cookie
# and prepare an album to upload pictures in
if ($ULOGIN=="") {die("I need a valid username to launch STEP 3...");}

Jeruvy (Security Team, Canada)
Posted: Thu Feb 09, 2006 10:43 pm
Post subject: Re: Posted on Bugtraq -CPGNuke Dragonfly 9.0.6.1 remote commands

Yes, the install.php is mandatory. The error.php and/or the malicious upload can cause the exploit. Sorry I wasn't clearer.

Jordo (Newbie)
Posted: Thu Feb 09, 2006 10:45 pm
Post subject: Re: Posted on Bugtraq -CPGNuke Dragonfly 9.0.6.1 remote comm

Jeruvy wrote:
Yes, the install.php is mandatory. The error.php and/or the malicious upload can cause the exploit. Sorry I wasn't clearer.

Sometimes I like being wrong. Thanks!

DJ Maze (Developer)
Posted: Thu Feb 09, 2006 11:22 pm
Post subject: Re: Posted on Bugtraq -CPGNuke Dragonfly 9.0.6.1 remote commands

The coppermine uploading is still being worked on.
This is a highly sophisticated script to get around server issues like open_base_dir and safe_mode that are caused by terrible server admins.

If we reverted to the original coppermine upload system this exploit would not be there, but it would fail to work on many servers that are badly set up.


pretzy (500+ Posts Club, Australia)
Posted: Fri Feb 10, 2006 12:04 am
Post subject: Re: Posted on Bugtraq -CPGNuke Dragonfly 9.0.6.1 remote comm

this thread dealing with a similar exploit to PhpGedView may be of interest https://sourceforge.net/forum/forum.php?thread_id=1411249&forum_id=185166

basically the exploit involved multiple attempted sign-ins which were invalid, and therefore failed. The failed attempts contained code snippets which were written to an unprotected error log as a normal process of the software.

Once the critical code had been loaded it was called by another command, and the run code enabled the hacker to then install foreign files and scripts on the server.

Fortunately the exploit was only possible on a limited number of older versions running in index mode, without a database.

I'm sure the PhpGedView Devs will help with any inquiries if they can

_________________
Pretzy's Place Pertzel Family Tree History Genealogy
Riverlife Church Henty

pretzy's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
XP_Apache 2.2.2_MySQL 5.0.21_PHP 5.1.4_CPGNuke 9.1.1
DJ Maze (Developer)
Posted: Fri Feb 10, 2006 12:50 am
Post subject: Re: Posted on Bugtraq -CPGNuke Dragonfly 9.0.6.1 remote comm

Here are the official 9.0.6.1 SF1 branch files:
dragonflycms.org/cvs/h...hp?b=9.6.2
dragonflycms.org/cvs/h...p?b=9.12.2
dragonflycms.org/cvs/h...p?b=9.15.2
dragonflycms.org/cvs/h...p?b=9.19.2

To get the full branch use:
Code::
$ export CVSROOT=:pserver:anonymous@dragonflycms.org:/cvs
$ cvs -q checkout -r Df-9_0_6_1-SF1 -P html
Or wait till i get all other exploits we found in there.

[edit]
Also added a previous found XSS fix in there
[/edit]




Last edited by DJ Maze on Fri Feb 10, 2006 1:10 am; edited 1 time in total
Jordo (Newbie)
Posted: Fri Feb 10, 2006 1:04 am
Post subject: Re: Posted on Bugtraq -CPGNuke Dragonfly 9.0.6.1 remote comm

Thanks for your incredibly fast work DJ!

tuta (Supporter, Houston)
Posted: Fri Feb 10, 2006 3:18 am
Post subject: Re: Posted on Bugtraq -CPGNuke Dragonfly 9.0.6.1 remote comm

Jeruvy wrote:
Just to add...a good idea would be in cmsinit.ini to check for the presence of the install dir, and load a page instead of main to remind the user to delete this. Prevent them from using the site proper while it exists.

I kinda like this idea -- but maybe just a section of the main admin page (where it usually tells you you have the most current version of DF) would be enough of a reminder....

tank (Gold Supporter, Houston, Texas USA)
Posted: Sun Feb 12, 2006 3:40 am
Post subject: Re: Posted on Bugtraq -CPGNuke Dragonfly 9.0.6.1 remote comm

DJMaze wrote:
Here are the official 9.0.6.1 SF1 branch files:
dragonflycms.org/cvs/h...hp?b=9.6.2
dragonflycms.org/cvs/h...p?b=9.12.2
dragonflycms.org/cvs/h...p?b=9.15.2
dragonflycms.org/cvs/h...p?b=9.19.2

To get the full branch use:
Code::
$ export CVSROOT=:pserver:anonymous@dragonflycms.org:/cvs
$ cvs -q checkout -r Df-9_0_6_1-SF1 -P html
Or wait till i get all other exploits we found in there.

[edit]
Also added a previous found XSS fix in there
[/edit]

Just to be clear.. we use these files to patch the existing 9.0.6.1 release? Thanks for the fast work!

_________________
Search is your friend

tank's server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS)
Fedora Core 1, Apache 1.3.33, Mysql 4.1.14, PHP 5.0.5 w/ APC cache, Dragonfly 9.0.6.1