An iGENUS email system security check

Hackerxwar/gle [0x50]

This article is the first line of the black line of defense. The copyright belongs to the author and the black line defense. Do not repost it without your permission.

IGENUS is a widely used WebMail System for Linux operating systems. The installation program can be quickly installed on CentOS Linux 3.x/ 4.x and RedHat Enterprise Linux AS3/AS4 operating systems. The interface is gorgeous and easy to install, but there are serious security problems.

Local file inclusion vulnerability discovered

Because it is not an open source software, it can only be tested in a black box. The local file inclusion vulnerability is found on the logon page, as shown in figure 1.
The vulnerability is similar to "include ('language /'. $ _ GET [lang]. "_ inc. php ")", which usually involves file truncation, unless we can control a '* _ inc. php file content.

Figure 1

About Include Truncation

In this case, we can use NULL characters for truncation. For remote inclusion, we can also use "?" Pseudo truncation is implemented. However, due to the influence of GPC -- magic_quotes_gpc = on, all '(single quotes), "(double quotation marks) submitted through (GET, POST, and COOKIE ), both (backslash) and NULL characters are automatically added with a backslash to escape), because the NULL character (% 00) is changed '′, therefore, when magic_quotes_gpc = on, it fails to include/etc/passwd files. Therefore, when GPC is enabled, we can hardly exploit the local file inclusion vulnerability to be truncated. However, 80vul's Daniel found an include truncation method and provided a fuzz applet. If you are interested, you can test it yourself:
--------
<? Php

////////////////////

/// Var5.php code:

/// Include $ _ GET [action]. ". php ";

//// Print strlen (realpath ("./") + strlen ($ _ GET [action]);

///////////////////

Ini_set ('max _ execution_time ', 0 );

$ Str = ";

For ($ I = 0; I I <50000; $ I ++)

{

$ Str = $ str ."/";

$ Resp = file_get_contents ('HTTP: // 127.0.0.1/var/var5.php? Action=1.txt '. $ str );

// The code in 1.txt is print 'Hi ';

If (strpos ($ resp, 'Hi ')! = False ){

Print $ I;

Exit;

}

}

?>
Tested character ". ","/", or a combination of two characters will be truncated at a certain length. The length of the win system is different from that of the * nix system. When the strlen (realpath (". /) + strlen ($ _ GET [action]) is truncated when the length is greater than 256. For * nix, the length is 4*1024 = 4096.
------------
LFI vul exploitation Attempt

Let's proceed without the include truncation. For the local file inclusion vulnerability, the local file needs to be included to execute php code, so I naturally find the place to upload. Since it is an email system, we have registered a user who can upload attachments or receive emails with attachments. After the test, the website only enables registration of the paid vip.xxxx.com domain name, and cannot directly log on after registration, prompting that this user name is not available, vip.xxxx.com does not actually register successfully, or you need to pay, then the administrator can activate the service. In this case, the problem becomes more and more troublesome.

After scanning the Directory and Google "site: xxx.com", little information was obtained and no useful information was found.

The method to use is to write the log file and then contain the log to execute the code. Generally, the error log is contained because it is relatively small, however, the Administrator apparently modified the Log Path, or did not enable the logging function at all, and could not find the path to include it.
SirGod, a paper (http://www.milw0rm.com/papers/361) published on milw0rm.com, provides a new way to include/proc/self/environ, then, you can modify the User-Agent to write php code and execute the Code. This method has been successfully tested on other servers, but this time the character is not good, the returned result is like a blank page, as shown in Figure 2. We obviously cannot access/proc/self/environ.
The intrusion seems deadlocked because there is no way to successfully exploit the local file inclusion vulnerability.

Figure 2

Form variable filtering vulnerability

Is there really no way to use it? After a while, I returned to the registration page again to find some hidden vulnerabilities.
On the logon page, you can find two types of Logon domains: xxxx.com and vip.xxxx.com. As shown in 3, the drop-down list on the registration page only provides registration of a vip.xxxx.com domain, free xxxx.com domain registration is not allowed. Let me see if I can register a mailbox for xxxx.com.

Figure 3

View the source code of the select domain drop-down box on the registration page:

<SELECT>
<OPTION value = ">-select a domain-</OPTION>
<OPTION value = vip.xxxx.com> vip.xxxx.com </OPTION> </SELECT>

If the program does not limit the submitted $ _ POST [domain], you can see it.
There are many ways to modify the Data submitted in this form. For example, it is very convenient to save the html modification source code locally or use firefox with the Tamper Data plug-in. If you have a special liking for packet capture, you can also use nc to submit the Data, another method is to execute a javascript code in the browser address bar,
Clear the address bar and enter the following code and press Enter:

Javascript: alert (document. forms [0]. domain [1]. value = 'xxxx. com ');

'Xxxx. com ', and then fill in the user name. Select vip.xxxx.com for the domain (its value has been changed to 'xxxx. com '), click Next to determine the user name and domain, and the expected result is displayed.

Figure 4

The cause of this vulnerability is the same as that of using javascript to check the extension of the uploaded file during upload. No matter how the client checks it, it is in vain as long as the server does not check it, because we can submit form variables in the form of abnormal users.
Fill in the relevant information, complete the registration, prompt you can log on immediately, with the registered x50@xxxx.com successfully logged on to the mailbox system, but the long march just completed the first step.
The next step is to find the place where the attachment is uploaded and upload the attachment. Create a local 0x50_inc.php file to write "<? Phpinfo () ;?> ", Write an email, upload an attachment, and then send it to yourself (because the system does not support firefox well and the display is a bit abnormal, otherwise you can directly upload the attachment and save the draft, of course you can use gmail, 126, and so on to upload other emails and then send them to the x50@xxxx.com), 5 shown.

Figure 5

Attachment File Path leakage Vulnerability

We opened the email and we can easily see the attachment:

Http://mail.xxxx.com/mail_mime.php? Cmd = Download & File = 0x50_inc.php & MimeType = application/octet-stream & Size = 14

The attachment 0x50_inc.php can be downloaded from the address above the browser request. This URL is easily reminiscent of the Arbitrary File Download Vulnerability?
Submit

Http://mail.xxxx.cn/mail_mime.php? Cmd = Download & File = .. /.. /.. /.. /.. /.. /.. /.. /.. /.. /.. /.. /.. /.. /.. /etc/passwd & MimeType = application/octet-stream & Size = 514

After submitting the file, download it to a passwd file. Open it and you will find that it is not the/etc/passwd file, but the following content:
Error open/home/temp/xxxx.com/2/l/x50/passwd
The basename function is used for filtering, but this also gives us a very important piece of information-the absolute path of the attachment file. It seems that display_errors = on.
Because the path of the attachment on the server is not a Web directory, we cannot directly execute our php code, but we can include the attachment through the local file inclusion vulnerability.

Successful exploitation of local File Inclusion Vulnerability

Then we will include our attachments. Because the file name we submitted is 0x50_inc.php, and this system does not limit the file name, we can ignore the impact of GPC on the use of this file inclusion vulnerability without the need to Include truncation. Directly request the following URL:

Http://mail.xxxx.com/login.php? Lang =.../../home/temp/xxxx.com/2/l/x50/037950

Successfully executed <? Phpinfo () ;?>, 6 ,. the next thing is very simple. Uploading our webshell, or directly Rebounding the mongoshell, and then raising the right is all done as you wish. I don't like it much.

Figure 6
Summary after getting the shell

The successful use of lfi sometimes requires many restrictions. For this successful use of the local file inclusion vulnerability to get the shell, although the previous lfi usage failed. Because a simple form variable is not strictly filtered, we can register an email domain that is not allowed to be registered, and then upload the attachment. Because there is no fault tolerance statement, the path of the attachment is exposed. However, I found that many local mailboxes cannot be successfully registered.