Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[UNIX] PEAR LiveUser Arbitrary File Access

from [SecuriTeam] Network Security [Permanent Link]
Subject: [UNIX] PEAR LiveUser Arbitrary File Access
Date: 22 Feb 2006 17:06:17 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  PEAR LiveUser Arbitrary File Access
------------------------------------------------------------------------


SUMMARY

 <http://pear.php.net/package/LiveUser/> LiveUser is a user authentication 
and permission management framework that is part of php's PEAR Library. 
LiveUser has many different features, including the ability to remember a 
user via cookies.

There is a file access vulnerability in PEAR LiveUser that allows an 
attacker to access arbitrary files on the server.

DETAILS

Vulnerable Systems:
 * PEAR LiveUser versions 0.16.8 and prior.

There is an issue with how extracted cookie data is handled by the 
LiveUser library within the remember feature, which makes it possible for 
an attacker to gain access to, and even delete potentially sensitive files 
on the webserver.

Arbitrary File Access:
$cookieData = $_COOKIE[$this->_options['cookie']['name']];
if (strlen($cookieData) < 65
     // kill all old style remember me cookies
     || (strpos($cookieData, ':') && strpos($cookieData, ':') < 64)
) {
     // Delete cookie if it's not valid, keeping it messes up the
     // authentication process
     $this->deleteRememberCookie();
     $this->_stack->push(LIVEUSER_ERROR_COOKIE, 'error', array(),
         'Wrong data in cookie store in 
LiveUser::readRememberMeCookie()');
     return false;
}

$store_id = substr($cookieData, 0, 32);
$passwd_id = substr($cookieData, 32, 32);
$handle = substr($cookieData, 64);

$dir = $this->_options['cookie']['savedir'];

$fh = @fopen($dir . '/' . $store_id . '.lu', 'rb');
if (!$fh) {
     $this->deleteRememberCookie();
     $this->_stack->push(LIVEUSER_ERROR_CONFIG, 'exception', array(),
         'Cannot open file for reading');
     return false;
}

$fields = fread($fh, 4096);
fclose($fh);
if (!$fields) {
     $this->deleteRememberCookie();
     $this->_stack->push(LIVEUSER_ERROR_CONFIG, 'exception', array(),
         'Cannot read file');
     return false;
}

The above code is taken from LiveUser.php @ lines 1269-1303 and clearly 
shows the $store_id variable being assigned unsanitized data, which is 
passed to an fopen called shortly thereafter. The good news is that as far 
as I can tell this issues can not be abused in a real world scenario much 
further than enumerating file existence on the local filesystem.

Arbitrary File Deletion:
Similar to the previously mentioned issue, this vulnerability may allow a 
malicious user to delete arbitrary files on the local server by supplying 
malicious cookie data.

$cookieData = $_COOKIE[$this->_options['cookie']['name']];
if (strlen($cookieData) < 65) {
     $this->_stack->push(LIVEUSER_ERROR_COOKIE, 'error', array(),
         'Wrong data in cookie store in 
LiveUser::deleteRememberCookie()');
     return false;
}

$store_id = substr($cookieData, 0, 32);
@unlink($this->_options['cookie']['savedir'] . '/'.$store_id.'.lu');

The above code is also taken from LiveUser.php and resides @ lines 
1343-1351. Here we see user supplied data being used in an unlink call 
which could allow an attacker to delete arbitrary files on the local 
server by traversing out of the cwd and terminating the fopen call with a 
null byte.

Patch Availability:
An updated version of the LiveUser framework has been released to address 
these issues.
The current release is LiveUser 0.16.9 and users should update their 
LiveUser libraries as soon as possible.


ADDITIONAL INFORMATION

The original article can be found at:  
<http://www.gulftech.org/?node=research&article_id=00103-02212006> 
http://www.gulftech.org/?node=research&article_id=00103-02212006



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [UNIX] PEAR LiveUser Arbitrary File Access, SecuriTeam <=
Previous by Date:  [REVS] HTTP Response Smuggling, SecuriTeam
Next by Date:  [NT] NJStar Word Processor Font Names Buffer Overflow, SecuriTeam
Previous by Thread:  [REVS] HTTP Response Smuggling, SecuriTeam
Next by Thread:  [NT] NJStar Word Processor Font Names Buffer Overflow, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]