Sunday, January 23, 2011

e107 Remote Code Execution via BBCode (aka Attacking Flaws in BBCode)


Due to the sole reason of providing full capability and control over application, nowadays' web developers provide a feature that allows application admin users to run arbitrary PHP codes via applications. e107 CMS is not the only one. Drupal CMS also has this feature.

$text = preg_replace("#\[(php)#i", "[\\1", $text);

PoC exploit is noted as:

POST /contact.php HTTP/1.1
Host: xxxx
User-Agent: e107 0.7.20 Remote Code Execution Exploit
Content-Type: application/x-www-form-urlencoded
Content-Length: 65



Similarly, AEF (Advanced Electron Forum)  had flawed bbCode implementation as shown by GulfTech Security Research.

//Email Links

$text = preg_replace(
array('check_email("$1", "$2")',
'check_email("$1", "$1")'), $text);


PoC exploit is noted as:

Lessons Learnt:

Featuring arbitrary code execution capability for privileged users in application means if attackers can take control over an admin user account, it means they compromise the user account of that web application on the server. This aids them to launch further attacks on the server as a whole.  Manipulating strings that come from RegExp-based replacement is dangerous if these strings are placed into user definable functions, eval and the like.

In source code auditing project, it's necessary to suggest developers to disable/remove this feature. If this is a business/must-have requirement, list all such application features that pose as high risk and allow attackers to shell access upon compromise of admin user account. These features may include (but not limited to):

1. File and Directory Operations (File Upload/Delete/Create, Directory Delete/Browse)
2. Running executable programs fed by users' input.
3. Arbitrary Operating System Command Execution Feature for privileged users
4. Arbitrary Database Command Execution Feature for privileged users

Get authentication_checker function (i.e is_admin, is_user, is_anonymous). Examine this function to make sure that developers check it at each entry of such risky features.

No comments:

Post a Comment