exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

overtheledger.txt

overtheledger.txt
Posted Mar 20, 2007
Authored by Chris Travers

LedgerSMB versions below 1.1.10 and SQL-Ledger versions below 2.6.27 suffer from arbitrary code execution flaws. SQL-Ledger also suffers from an authentication bypass vulnerability. Details provided.

tags | exploit, arbitrary, code execution, bypass
SHA-256 | b02d142d543c4e1b63e89850d09320c110d56c8a7b6b58ce6ea7b5cc79a90ff8

overtheledger.txt

Change Mirror Download
Hi;

Affected versions:
LedgerSMB < 1.1.10 (but see below), current is 1.1.11
SQL-Ledger < 2.6.27 (but see below). Current is 2.6.27

Effects: Arbitrary code execution (both products) and authentication
bypass (SQL-Ledger only).

We have discovered yet another major security issue in both SQL-Ledger
(for affected versions, see below) and LedgerSMB (<1.1.10, but see
below). The problem exists because the login input variable is not
properly checked, and the software runs a perl script derived from the
login name. If the script completes and a password is set, the password
is checked. In LedgerSMB, an additional check is made against a session
table, which will cause the script to go no further, but in SQL-Ledger,
this can also result in authentication bypass.

Affected Versions:
Unfortunately, both projects suffered problems with their security
fixes. The LedgerSMB team failed to update their version strings
properly so 1.1.10 will still display 1.1.9 as its running version.

To differentiate, you can use md5sum on the LedgerSMB/Form.pl
c9621e0ed0fd633663e1be3c6d5b08c4 ledger-smb-1.1.10/LedgerSMB/Form.pm
c311f02eaeee9e0638cbe08a650ab86d ledger-smb-1.1.9/LedgerSMB/Form.pm

The SQL-Ledger case is probably worse. The initial release of 2.6.27
included an inadequate and broken fix. A new security fix was issued
later that day, but it is unclear when all mirrors were updated, and
users who downloaded that version cannot be sure that they got one that
was not vulnerable. The initial security fix offers little safety:
authentication bypass and arbitrary code execution are still largely
possible though perhaps not at the same time (as they were before).

The following md5sum's reflect whether 2.6.17 was patched or not:
e97dc79c171a45bb794e253f94caef49 is unpatched
2a2dc05d5ac7085bd9e6aaa7098e1bf1 is patched.

How the exploit works:

SQL-Ledger and their derivatives (including LedgerSMB < forthcoming
1.2.0), store login state information in a machine-writable perl script
in a configurable location (by default users/). This file is read on
each page load and is named [username].conf. This file contains a hash
definition which is then used to validate the user's authentication
token. No provisions are taken to prevent directory transversal prior
to these fixes, however.

One can form a URL like:
http://localhost/sql-ledger/am.pl?login=../../../home/user/foo.pl%00&action=add_department

This causes the web server to execute ../../home/user/foo.pl (the %00
gets translated into a terminating NULL) and will then either allow
access (in SQL-Ledger < 2.6.27) or provide an error. In the faulty
versions of 2.6.27 and vulnerable versions of LedgerSMB, it will still
execute the script however.

The faulty version of SQL-Ledger have a major oversight, however, that
lends well to testing. Because the only check is on the NUL and not on
the signs of directory transversal, you can test the authentication
bypass and get access to sensitive configuration (including obfuscated
but unencrypted database passwords and application password hashes). A
sample URL for this is:
http://localhost/sql-ledger/am.pl?login=../sql-ledger&path=bin/mozilla&action=edit_template&file=users/members

This works because there is usually a Perl script named sql-ledger.conf
in the directory above where these scripts are normally stored. So the
username forces the execution of that script, doesn't find a password,
and so allows the user in. Lovely....

Best Wishes,
Chris Travers
Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    0 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close