Ikonboard Cookie filter vulnerability

From: Chen Jun (chenjunat_private)
Date: Mon Oct 29 2001 - 22:56:55 PST

Next message: Boren, Rich (SSRT): "[Advisory] SSRT0766 Potential Buffer Overflow for Compaq Insight Manager XE (only)"

Previous message: snsadvat_private: "[SNS Advisory No.46]IBM AIX dtprintinfo Buffer Overflow Vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---------------------------------------------------------------------------
Ikonboard Cookie filter vulnerability
---------------------------------------------------------------------------

Release infomation
------------------

Found   Date: 2001-9-03 
Release Date: 2001-10-30
Author: chenjunat_private
Homepage: http://www.netguard.com.cn


Description
-----------

   Ikonboard is a widely used web bbs program written by perl. The program contained a vulnerability, Remote attacker can exploit it and get a bbs administrator's privilege. In some environment, attacker may gain a nobody shell or gain the machine's privilege. 
   

Version and Platform
--------------------

Affected  Version: Ikonboard ib219 and all older version
Affected Platform: Windows,Linux, Solaris sparc, Solaris x86, AIX, HP, Digital, IRIX, SCO etc.


Details
-------

File:Search.cgi
---[L.55-56]---
$inmembername     = cookie("amembernamecookie");
$filename = $inmembername;
---
As we can see, $inmembername is the get for cookie 'amembernamecookie'
---[L.66-]---
$searchfilename = "$ikondir" . "search/$filename";
---


---[L.124-131]---
    open (SEARCH, ">$searchfilename") or die "Cannot save to the search folder";
    print SEARCH "$CUR_TIME\n";
    print SEARCH "$SEARCH_STRING\n";
    print SEARCH "$TYPE_OF_SEARCH\n";
    print SEARCH "$REFINE_SEARCH\n";
    print SEARCH "$FORUMS_TO_SEARCH\n";
    close (SEARCH);
---

---
Well, it sets the file, runs it through the filter and opens it.
-> $cookie("amembernamecookie");, remember?! ;)

Here the variable $filename come from Cookie amembernamecookie not filter "..", attacker can sent a fake cookie("amembernamecookie"), set up or edit the file on the system, because the write file variable not filter, so the attacker can write any content to the file, and gain the bbs administrator's privilege.

On UNIX like system, if you system is php enable, you can use the upload function, upload a php script to run command.

On Windows system, because it's weakness of runing perl script, attacker can use this vulnerability set up a perl script to run command.

Prove-Of-Concept exploit
------------------------

wait for vendor fix it first ;)

Workaround
----------

1.about the Cookie
at file Search.cgi before line 56 $filename = $inmembername;
add below:
$inmembername =~ s/\///g;
$inmembername =~ s/\.\.//g;

2.filter all write file variable 

Vendor information
------------------

Vendor was informed at 2001-10-29
Vendor Homepage: http://www.leoboard.com


About Netguard
--------------

China Net Security Technology Corporation (CNTC) is a leading provider of computer network and information security services in China.

Copyright 2001 http://www.netguard.com.cn, All rights reserved.

Next message: Boren, Rich (SSRT): "[Advisory] SSRT0766 Potential Buffer Overflow for Compaq Insight Manager XE (only)"
Previous message: snsadvat_private: "[SNS Advisory No.46]IBM AIX dtprintinfo Buffer Overflow Vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Oct 30 2001 - 10:15:32 PST