Author: lorexxar '@ zhichuangyu 404 laboratory date: September 30, 2017
On September 29, 2017, Discuz! Fixed a security issue to enhance security, which could lead to the vulnerability that the foreground user could cause arbitrary deletion of files.
On September 29, 2017, it was known that Chuangyu 404 laboratory started emergency response. After analysis and confirmation by Chuangyu 404 laboratory, the vulnerability was submitted to wooyunvulnerability platform in June 2014. Seebug vulnerability platform included the vulnerability with vulnerability number of ssvid-93588. The vulnerability causes arbitrary file deletion by configuring property values.
After analysis, it is confirmed that the original utilization mode has been fixed, and the judgment of attribute formtype has been added, but the repair mode is not complete, so it can be bypassed. Other unlink conditions can be entered through simulated file upload to achieve arbitrary file deletion vulnerability.
Log in to DZ foreground account and create a new test.txt in the current directory for testing
request
After the modification, the birthplace will change to.. /.. / test.txt
The construction request uploads files to home. PHP? Mod = spacecp & AC = profile & OP = base (just ordinary pictures)
File deleted after request
The core problem is in "upload / source / include / spacecp / spacecp" profile.php
Follow code 70 lines
Enter judgment when submitting profilesubmit, followed by 177 lines
We found that if the type of a certain formtype in the configuration file is file, we can enter the judgment logic. Here, we try to output the configuration
We find that the formtype field is not consistent with the condition, and the logic of the code can no longer go in
Let's look at the changes of this fix. You can see that 228 lines introduce the statement unlink again
Backtracking entry conditions
When the file is uploaded and successfully uploaded, you can enter the unlink statement
Then backtrack the variable $space [$key], and it's not hard to find that this is the user's personal settings.
As long as you find a variable that you can control, here you choose birthpath.
You can bypass the limitation of field content by submitting directly on the settings page.
Successfully deleted any file
After updating the code change and tracking the vulnerability point logic, we gradually found that the vulnerability point was submitted to wooyunplatform by white hat in 2014, vulnerability No. wooyun 2014-065513.
Due to the incomplete code update process of the old version of DZ, there is no way to find the corresponding patch. Back to the 2013 version of DZ3, we found the old vulnerability code
In white hat, we can control the uncontrollable variables by setting personal settings, and put forward one of the ways to use.
The manufacturer only fixed the white hat attack POC, which caused the vulnerability to burst again a few years later, DZ completely deleted this part of the code
During this period, the attitude of manufacturers to solve safety problems is worth rethinking
A kind of
Related links
[1] Discuz! Official website: http://www.discuz.net
[2] Discuz! Update https://gitee.com/comsenzdiscuz/discuzx/commit/7d603a197c271ef1d7e9ba654cf72aa42d3e574
[3] Included address of seebug vulnerability platform: https://www.seebug.org/vuldb/ssvid-93588
Made by Chuangyu 404 Laboratory
Please contact back office for Reprint:)
Previous hot
- On PHP format string from WordPress sqli
On PHP format string from WordPress sqli
- D-Link router information disclosure and remote command execution vulnerability analysis and global data analysis report
D-Link router information disclosure and remote command execution vulnerability analysis and global data analysis report
- XStream Remote Code Execution Vulnerability of struts 2 rest plug-in s2-052 (cve-2017-9805)
XStream Remote Code Execution Vulnerability of struts 2 rest plug-in s2-052 (cve-2017-9805)
- Dry goods | kcon hacking conference 2017 topic ppt launch!
Dry goods | kcon hacking conference 2017 topic ppt launch!
☑ read the original text and view seebug paper