exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Livezilla Code Execution / Local File Inclusion

Livezilla Code Execution / Local File Inclusion
Posted Nov 15, 2013
Authored by Curesec Research Team

Livezilla versions prior to 5.1.0.0 suffers from a local file inclusion vulnerability that allows for remote code execution.

tags | exploit, remote, local, code execution, file inclusion
advisories | CVE-2013-6225
SHA-256 | 0d889dda1d61a291e63c26f5eb8833f690853477131521889e5880c66ea203d1

Livezilla Code Execution / Local File Inclusion

Change Mirror Download
CVE-2013-6225: Security Advisory – Curesec Research Team

1. Introduction

Advisory ID: Cure-2013-1007
Advisory URL: https://www.curesec.com/de/veroeffentlichungen
/advisories.html
Blog URL: https://cureblog.de/2013/11/remote-code-execution-in-livezilla/
Affected Product: LiveZilla version 5.0.1.4
Affected Systems Linux/Windows
Fixed in: 5.1.0.0
Fixed Version Link:
https://www.livezilla.net/downloads/pubfiles/LiveZilla_5.1.0.0_Full.exe
Vendor Contact: support@livezilla.net
Vulnerability Type: Remote Code Execution / Local File Inclusion
Remote Exploitable: Yes
Reported to vendor 18.10.2013
Disclosed to public 15.11.2013
Release mode: Coordinated release
CVE: CVE-2013-6225
Credentials: crt@curesec.com

2. Vulnerability Description

Livezilla is a online chat system used on websites so customers can be
contacted by an employee ask their questions and get delivered what they
are looking for. The software itself is used basically in every industry.

Looking for possible affected systems google reveals: 1.500.000 results.

Inside the file ‘mobile/php/translation/index.php’ the following code
can be found:

$langFileLocation = ‘.’;
$LZLANG = Array();if (isset($_GET['g_language'])) {
$language = ($_GET['g_language'] != ”) ? $_GET['g_language'] : ‘ein’;
require ($langFileLocation . ‘/langmobileorig.php’);
$LZLANGEN = $LZLANG;
if (file_exists($langFileLocation . ‘/langmobile’ . $language . ‘.php’)) {
require ($langFileLocation . ‘/langmobile’ . $language . ‘.php’);
}

The ‘g_language’ GET parameter is not validated before using it in a php
require function call. This allows to include files that are stored on a
windows server. It is, in this case, not possible to include files, if
the php application is running on a linux server because ‘/langmobile’+
the language is not a directory and therefore cannot be traversed. In
recent PHP versions null bytes are blocked. This means that in this case
only files with the PHP extension can be included. Older PHP versions
will allow null bytes in the URL and therefore allow Remote Code
Execution attacks involving httpd log files or /proc/pid/environ and
other techniques to transform this Local File Inclusion into a full
Remote Code Execution on Windows and Linux.

On Windows systems with PHP versions installed that allow null bytes in
the URL it is possible to turn this local file inclusion vulnerability
to a full remote code execution vulnerability. This can be done by
traversing directories and accessing the apache log file with having the
injected the string that follows using a GET request into the log file.
As the screendump shows full code execution in this case executing
calc.exe on windows is possible.

A working exploit for this vulnerability is found in the Appendix of
this documents. The error.log or access.log path has to be known prior
to running the exploit.

3. Proof of Concept Codes:

Code execution URL sample:
$nc <target> 80
GET /index.php?test=<?php system($_GET[cmd]); ?> HTTP/1.1
Host: <target>
<return>
<return>

4. Solution

Download and install latest version:
https://www.livezilla.net/downloads/pubfiles/LiveZilla_5.1.0.0_Full.exe

5. Report Timeline

18.10.2013 Informed Vendor about Issue
12.11.2013 Vendor informed about the fixed new version
15.11.2013 Disclosed to public


Login or Register to add favorites

File Archive:

September 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    2 Files
  • 2
    Sep 2nd
    21 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    17 Files
  • 5
    Sep 5th
    34 Files
  • 6
    Sep 6th
    29 Files
  • 7
    Sep 7th
    11 Files
  • 8
    Sep 8th
    25 Files
  • 9
    Sep 9th
    0 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    26 Files
  • 12
    Sep 12th
    23 Files
  • 13
    Sep 13th
    17 Files
  • 14
    Sep 14th
    22 Files
  • 15
    Sep 15th
    16 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    19 Files
  • 19
    Sep 19th
    60 Files
  • 20
    Sep 20th
    23 Files
  • 21
    Sep 21st
    15 Files
  • 22
    Sep 22nd
    8 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close