LB5000 Cookie filter vulnerability

From: Chen Jun (chenjunat_private)
Date: Mon Oct 29 2001 - 22:56:55 PST


    ---------------------------------------------------------------------------
    LB5000 Cookie filter vulnerability
    ---------------------------------------------------------------------------
    
    Release information
    ------------------
    
    Found   Date: 2001-9-03 
    Release Date: 2001-10-30
    Author: chenjunat_private
    Homepage: http://www.netguard.com.cn
    
    
    Description
    -----------
    
       LB5000 is a web BBS program written in Perl and widely used in China. The program contains a vulnerability that a remote attacker can exploit to gain BBS administrator privileges. In some environments the attacker may also gain a "nobody" shell or further privileges on the machine.
       
    
    Version and Platform
    --------------------
    
    Affected  Version: LB5000II v1029 and all older version
    Affected Platform: Windows, Linux, Solaris SPARC, Solaris x86, AIX, HP, Digital, IRIX, SCO, etc.
    
    
    Details
    -------
    
    File:Search.cgi
    ---[L.59-60]---
    $inmembername     = $query->cookie("amembernamecookie");
    $filename = $inmembername;
    ---
    As we can see, $inmembername is taken directly from the cookie 'amembernamecookie'.
    ---[L.71-]---
    $searchfilename = "$lbdir" . "search/$filename";
    ---
    ---[L.134-140]---
        open (SEARCH, ">$searchfilename") or die "不能够保存到 search 目录,请设置此目录为 777 !";
        print SEARCH "$CUR_TIME\n";
        print SEARCH "$SEARCH_STRING\n";
        print SEARCH "$TYPE_OF_SEARCH\n";
        print SEARCH "$REFINE_SEARCH\n";
        print SEARCH "$FORUMS_TO_SEARCH\n";
        close (SEARCH);
    ---
    As shown above, the script sets the file name, runs it through the filter and opens it for writing. Remember that the name comes from $query->cookie("amembernamecookie"). ;)
    
    Here the variable $filename comes from the cookie amembernamecookie and ".." is not filtered, so an attacker can send a forged amembernamecookie cookie to create or edit a file on the system. Because the variables written to the file are not filtered either, the attacker can write arbitrary content to that file and gain BBS administrator privileges.
    
    On UNIX-like systems, if PHP is enabled, the upload function can be used to upload a PHP script and run commands.
    
    On Windows systems, because of the weak way Perl scripts are run, an attacker can use this vulnerability to set up a Perl script and run commands.
    
    Proof-of-Concept exploit
    ------------------------
    
    Wait for the vendor to fix it first ;)
    
    Workaround
    ----------
    
    1. About the cookie:
    in Search.cgi, before line 60 ($filename = $inmembername;)
    add the following:
    $inmembername =~ s/\///g;
    $inmembername =~ s/\.\.//g;
    
    2. Filter all variables that are written to the file.
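    The following is an added example (not LB5000 code and not part of the original advisory) that puts the advisory's two-line blocklist beside an allowlist check for the cookie-derived member name. The base directory $lbdir and the cookie values in @cookies are constructed for the example. It also shows why the blocklist alone is thin: stripping "/" and ".." leaves "\" (a path separator on Windows) and NUL bytes untouched, whereas an allowlist that only accepts word characters never has to guess which separators matter.

```perl
#!/usr/bin/perl
# Added example: validating the "amembernamecookie" value before it is used
# as a file name under $lbdir/search/. Not LB5000's own code.
use strict;
use warnings;
use File::Spec;

my $lbdir = '/var/www/lb5000';   # constructed base directory for the example

# The advisory's workaround, kept for comparison. It is a blocklist: "/" and
# ".." are removed, but "\" and NUL pass through unchanged.
sub advisory_filter {
    my ($name) = @_;
    $name =~ s/\///g;
    $name =~ s/\.\.//g;
    return $name;
}

# Allowlist: accept only a short name made of letters, digits, "_" or "-".
# Nothing is "cleaned"; a name either matches or is rejected, so no separator
# can survive the check. Returns the name or undef.
sub safe_member_name {
    my ($name) = @_;
    return undef unless defined $name && $name =~ /\A[A-Za-z0-9_-]{1,32}\z/;
    return $name;
}

# Build the path Search.cgi would open, or undef if the name is rejected.
# Only the validated name is joined onto the fixed "search" directory.
sub search_file_path {
    my ($cookie_value) = @_;
    my $name = safe_member_name($cookie_value);
    return undef unless defined $name;
    return File::Spec->catfile($lbdir, 'search', $name);
}

# Constructed cookie values: one legitimate member name and three shaped
# like traversal attempts that the blocklist handles only partly.
my @cookies = (
    'alice',
    '../../tmp/x.cgi',
    '..\\..\\tmp\\x.pl',
    "alice\0.cgi",
);

for my $c (@cookies) {
    my $blocklisted = advisory_filter($c);
    my $path        = search_file_path($c);
    # Make NUL bytes visible in the printed output.
    (my $shown_in  = $c)           =~ s/\0/\\0/g;
    (my $shown_out = $blocklisted) =~ s/\0/\\0/g;
    printf "%-20s blocklist -> %-16s allowlist -> %s\n",
        $shown_in, $shown_out, defined $path ? $path : 'REJECTED';
}
```

    Run as a plain script: the legitimate name passes both checks and maps to /var/www/lb5000/search/alice, the "/"-based name is partly stripped by the blocklist but rejected by the allowlist, and the backslash and NUL variants reach the blocklist's output nearly unchanged while the allowlist rejects them. Applying safe_member_name at Search.cgi line 60 (and a similar check on every other variable that names a file) covers point 2 of the workaround as well.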
    
    Vendor information
    ------------------
    
    Vendor was informed on 2001-10-29
    Vendor Homepage: http://www.leoboard.com
    
    
    About Netguard
    --------------
    
    China Net Security Technology Corporation (CNTC) is a leading provider of computer network and information security services in China.
    
    Copyright 2001 http://www.netguard.com.cn, All rights reserved.
    



    This archive was generated by hypermail 2b30 : Tue Oct 30 2001 - 10:04:31 PST