bfebc3fa5a
62 changes to exploits/shellcodes macOS 10.13 (17A365) - Kernel Memory Disclosure due to Lack of Bounds Checking in 'AppleIntelCapriController::getDisplayPipeCapability' Peercast < 0.1211 - Format String Trillian Pro < 2.01 - Design Error dbPowerAmp < 2.0/10.0 - Buffer Overflow PsychoStats < 2.2.4 Beta - Cross Site Scripting MongoDB 2.2.3 - nativeHelper.apply Remote Code Execution GitStack 2.3.10 - Unauthenticated Remote Code Execution Invision Power Top Site List < 2.0 Alpha 3 - SQL Injection (PoC) Invision Power Board (IP.Board) < 2.0 Alpha 3 - SQL Injection (PoC) Aardvark Topsites < 4.1.0 - Multiple Vulnerabilities DUWare Multiple Products - Multiple Vulnerabilities AutoRank PHP < 2.0.4 - SQL Injection (PoC) ASPapp Multiple Products - Multiple Vulnerabilities osCommerce < 2.2-MS2 - Multiple Vulnerabilities PostNuke < 0.726 Phoenix - Multiple Vulnerabilities MetaDot < 5.6.5.4b5 - Multiple Vulnerabilities phpGedView < 2.65 beta 5 - Multiple Vulnerabilities phpShop < 0.6.1-b - Multiple Vulnerabilities Invision Power Board (IP.Board) < 1.3 - SQL Injection phpBB < 2.0.6d - Cross Site Scripting Phorum < 5.0.3 Beta - Cross Site Scripting vBulletin < 3.0.0 RC4 - Cross Site Scripting Mambo < 4.5 - Multiple Vulnerabilities phpBB < 2.0.7a - Multiple Vulnerabilities Invision Power Top Site List < 1.1 RC 2 - SQL Injection Invision Gallery < 1.0.1 - SQL Injection PhotoPost < 4.6 - Multiple Vulnerabilities TikiWiki < 1.8.1 - Multiple Vulnerabilities phpBugTracker < 0.9.1 - Multiple Vulnerabilities OpenBB < 1.0.6 - Multiple Vulnerabilities PHPX < 3.26 - Multiple Vulnerabilities Invision Power Board (IP.Board) < 1.3.1 - Design Error HelpCenter Live! < 1.2.7 - Multiple Vulnerabilities LiveWorld Multiple Products - Cross Site Scripting WHM.AutoPilot < 2.4.6.5 - Multiple Vulnerabilities PHP-Calendar < 0.10.1 - Arbitrary File Inclusion PhotoPost Classifieds < 2.01 - Multiple Vulnerabilities ReviewPost < 2.84 - Multiple Vulnerabilities PhotoPost < 4.85 - Multiple Vulnerabilities AZBB < 1.0.07d - Multiple Vulnerabilities Invision Power Board (IP.Board) < 2.0.3 - Multiple Vulnerabilities Burning Board < 2.3.1 - SQL Injection XOOPS < 2.0.11 - Multiple Vulnerabilities PEAR XML_RPC < 1.3.0 - Remote Code Execution PHPXMLRPC < 1.1 - Remote Code Execution SquirrelMail < 1.4.5-RC1 - Arbitrary Variable Overwrite XPCOM - Race Condition ADOdb < 4.71 - Cross Site Scripting Geeklog < 1.4.0 - Multiple Vulnerabilities PEAR LiveUser < 0.16.8 - Arbitrary File Access Mambo < 4.5.3h - Multiple Vulnerabilities phpRPC < 0.7 - Remote Code Execution Gallery 2 < 2.0.2 - Multiple Vulnerabilities PHPLib < 7.4 - SQL Injection SquirrelMail < 1.4.7 - Arbitrary Variable Overwrite CubeCart < 3.0.12 - Multiple Vulnerabilities Claroline < 1.7.7 - Arbitrary File Inclusion X-Cart < 4.1.3 - Arbitrary Variable Overwrite Mambo < 4.5.4 - SQL Injection Synology Photostation < 6.7.2-3429 - Multiple Vulnerabilities D-Link DNS-343 ShareCenter < 1.05 - Command Injection D-Link DNS-325 ShareCenter < 1.05B03 - Multiple Vulnerabilities Linux/ARM - Reverse TCP (192.168.1.1:4444/TCP) Shell (/bin/sh) + Password (MyPasswd) + Null-Free Shellcode (156 bytes)
78 lines
No EOL
3.6 KiB
Text
78 lines
No EOL
3.6 KiB
Text
PEAR LiveUser Arbitrary File Access
|
|
|
|
Vendor: Markus Wolff
|
|
Product: PEAR LiveUser
|
|
Version: <= 0.16.8
|
|
Website: http://pear.php.net/package/LiveUser/
|
|
|
|
BID: 16761
|
|
CVE: CVE-2006-0869
|
|
OSVDB: 23495 23496
|
|
PACKETSTORM: 44140
|
|
|
|
Description:
|
|
LiveUser is a user authentication and permission management framework that is part of php's PEAR Library. LiveUser has many different features, including the ability to remember a user via cookies. Unfortunately there is an issue with how extracted cookie data is handled by the LiveUser library within the remember feature which makes it possible for an attacker to gain access to, and even delete potentially sensitive files on the webserver. An updated version of the LiveUser framework has been released, and users are advised to upgrade to LiveUser 0.16.9
|
|
|
|
|
|
Arbitrary File Access:
|
|
There is an arbitrary file access vulnerability in PEAR LiveUser that allows an attacker to access arbitrary files on the server
|
|
$cookieData = $_COOKIE[$this->_options['cookie']['name']];
|
|
if (strlen($cookieData) < 65
|
|
// kill all old style remember me cookies
|
|
|| (strpos($cookieData, ':') && strpos($cookieData, ':') < 64)
|
|
) {
|
|
// Delete cookie if it's not valid, keeping it messes up the
|
|
// authentication process
|
|
$this->deleteRememberCookie();
|
|
$this->_stack->push(LIVEUSER_ERROR_COOKIE, 'error', array(),
|
|
'Wrong data in cookie store in LiveUser::readRememberMeCookie()');
|
|
return false;
|
|
}
|
|
|
|
$store_id = substr($cookieData, 0, 32);
|
|
$passwd_id = substr($cookieData, 32, 32);
|
|
$handle = substr($cookieData, 64);
|
|
|
|
$dir = $this->_options['cookie']['savedir'];
|
|
|
|
$fh = @fopen($dir . '/' . $store_id . '.lu', 'rb');
|
|
if (!$fh) {
|
|
$this->deleteRememberCookie();
|
|
$this->_stack->push(LIVEUSER_ERROR_CONFIG, 'exception', array(),
|
|
'Cannot open file for reading');
|
|
return false;
|
|
}
|
|
|
|
$fields = fread($fh, 4096);
|
|
fclose($fh);
|
|
if (!$fields) {
|
|
$this->deleteRememberCookie();
|
|
$this->_stack->push(LIVEUSER_ERROR_CONFIG, 'exception', array(),
|
|
'Cannot read file');
|
|
return false;
|
|
}
|
|
|
|
The above code is taken from LiveUser.php @ lines 1269-1303 and clearly shows the $store_id variable being assigned unsanitized data, which is passed to an fopen called shortly thereafter. The good news is that as far as I can tell this issues can not be abused in a real world scenario much further than enumerating file existance on the local filesystem.
|
|
|
|
|
|
Arbitrary File Deletion:
|
|
Similar to the previously mentioned issue, this vulnerability may allow a malicious user to delete arbitrary files on the local server by supplying malicious cookie data.
|
|
$cookieData = $_COOKIE[$this->_options['cookie']['name']];
|
|
if (strlen($cookieData) < 65) {
|
|
$this->_stack->push(LIVEUSER_ERROR_COOKIE, 'error', array(),
|
|
'Wrong data in cookie store in LiveUser::deleteRememberCookie()');
|
|
return false;
|
|
}
|
|
|
|
$store_id = substr($cookieData, 0, 32);
|
|
@unlink($this->_options['cookie']['savedir'] . '/'.$store_id.'.lu');
|
|
|
|
The above code is also taken from LiveUser.php and resides @ lines 1343-1351. Here we see user supplied data being used in an unlink call which could allow an attacker to delete arbitrary files on the local server by traversing out of the cwd and terminating the fopen call with a null byte.
|
|
|
|
|
|
Solution:
|
|
An updated version of the LiveUser framework has been released to address these issues. The current release is LiveUser 0.16.9 and users should update their LiveUser libraries as soon as possible. Special thanks to Lukas Smith for a very prompt resolution!
|
|
|
|
|
|
Credits:
|
|
James Bercegay of the GulfTech Security Research Team |