News from the Lab: ePing Arbitrary File Creation/Command Execution Vulnerability

Monday, October 16, 2006

ePing Arbitrary File Creation/Command Execution Vulnerability

OS2A ID: OS2A_1001
Status: Patch Released
Published: 08/04/2005
Updated: 08/05/2005

Class: File Creation/Command Execution
Severity: CRITICAL


Overview:
ePing is a ping utility plugin for e107, a PHP-based content
management system that uses a MySQL backend database. ePing
versions 1.02 and prior are vulnerable to a file creation
vulnerability caused by improper validation of user-supplied
input in the doping.php script. A remote attacker exploiting
this vulnerability could create an arbitrary file on the
web server or pipe multiple system commands into the eping_host
or eping_count parameters of the doping.php script; these
commands would be executed within the security context of the
hosting site.

eTrace, another utility plugin for e107, has similar
vulnerabilities.

Description:
The eping plugin for the e107 portal, versions 1.02 and prior,
is prone to a remote command execution vulnerability. The
vulnerability exists because output redirection and command
operators such as '>', '|' and '&' are not sanitized in the
eping_host and eping_count parameters of the doping.php script.

eping_host is checked by a validate function in functions.php,
but that function does not handle the characters mentioned above.

eping_count has no validation logic. It accepts these shell
metacharacters unchanged.


Impact:
A remote user can execute any command using the '|' character, or
create a file containing malicious executable code using the '>'
character. Execution of arbitrary commands or creation of
arbitrary files can lead to denial of service, disclosure or
modification of system information, or execution of arbitrary
code.


Affected Systems:
ePing version 1.02 and prior
Linux (Any), Unix (Any), Windows (Any)


Exploit:

a.
http://example.com/e107/e107_plugins/eping/doping.php?eping_cmd=ping
%20-n&eping_host=127.0.0.1&eping_count=2%20%22%3C?php%20system(%94cmd
.exe%94)?%3E%22%20%3Etest.php

b.
http://example.com/e107/e107_plugins/eping/doping.php?eping_cmd=ping
%20-n&eping_host=127.0.0.1&eping_count=2|dir


Solution:
Patch:
Upgrade to version 1.03 of the ePing and eTrace plugins.
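
The following is an added example, not the ePing 1.03 patch or any code from the plugin: one way to validate the three request parameters named above before they reach a shell. The function names, the count limit of 10, and the 'ping -c' allowlist entry are assumptions made for illustration.

```php
<?php
// Added example, not ePing's code: function names, the count limit and the
// command allowlist are assumptions made for illustration.

// The request may only pick one of these exact strings.
const ALLOWED_CMDS = ['ping -n', 'ping -c'];

function validate_count($raw): ?int
{
    // Digits only, then a range check: "2|dir" and "2 > test.php" fail here.
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    $n = (int) $raw;
    return ($n >= 1 && $n <= 10) ? $n : null;
}

function validate_host($raw): ?string
{
    if (!is_string($raw) || strlen($raw) > 253) {
        return null;
    }
    if (filter_var($raw, FILTER_VALIDATE_IP) !== false) {
        return $raw;
    }
    // Hostname labels: letters, digits, inner hyphens. No shell metacharacters,
    // no whitespace, no leading '-' that ping could read as an option.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $ok = preg_match('/\A' . $label . '(?:\.' . $label . ')*\z/', $raw) === 1;
    return $ok ? $raw : null;
}

function build_ping_command(array $query): ?string
{
    $cmd   = $query['eping_cmd'] ?? null;
    $host  = validate_host($query['eping_host'] ?? null);
    $count = validate_count($query['eping_count'] ?? null);
    if (!in_array($cmd, ALLOWED_CMDS, true) || $host === null || $count === null) {
        return null; // reject the request; never pass it to the shell
    }
    // Quoting is a second layer behind validation, not a replacement for it.
    return $cmd . ' ' . $count . ' ' . escapeshellarg($host);
}

// Constructed requests: one valid, two with the operators the advisory names.
foreach (['2', '2|dir', '2 > test.php'] as $count) {
    $q = ['eping_cmd' => 'ping -n', 'eping_host' => '127.0.0.1', 'eping_count' => $count];
    echo var_export(build_ping_command($q), true), PHP_EOL;
}
```

Only the first constructed request yields a command string; the other two return NULL because eping_count fails the digits-only check.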

Reference:
http://marc.theaimsgroup.com/?l=bugtraq&m=112328161319148&w=2
