Invision Power Board 'core.php' PHP Code Execution Vulnerability

Summary

Invision Power Board is prone to a vulnerability that lets remote attackers execute arbitrary code.

Credit:

The information has been provided by Egidio Romano.


Details

Vulnerable Systems:
 * Invision Power Services Invision Power Board 3.3.1 and prior

Attackers can exploit this issue to execute arbitrary PHP code within the context of the affected webserver process.

POC:
Vulnerable code in the IPSCookie::get() method, defined in /admin/sources/base/core.php:

static public function get($name)
{
    // Check internal data first
    if ( isset( self::$_cookiesSet[ $name ] ) )
    {
        return self::$_cookiesSet[ $name ];
    }
    else if ( isset( $_COOKIE[ ipsRegistry::$settings['cookie_id'].$name ] ) )
    {
        $_value = $_COOKIE[ ipsRegistry::$settings['cookie_id'].$name ];

        // Only the first two bytes of the cookie value are inspected
        if ( substr( $_value, 0, 2 ) == 'a:' )
        {
            return unserialize( stripslashes( urldecode( $_value ) ) );
        }

        // ... remainder of the method omitted in the advisory
    }
}

The vulnerability is caused by this method unserializing user input passed through cookies without proper sanitization. The only check is done at line 4026, which verifies that the serialized string starts with 'a:', but this is not sufficient to prevent PHP Object Injection, because an attacker may send a serialized string representing an array of objects: the string still begins with 'a:', and unserialize() instantiates every object nested inside the array. This can be exploited to execute arbitrary PHP code via the __destruct() method of the dbMain class, which calls the writeDebugLog method to write debug info into a file. PHP code may be injected only through the $_SERVER['QUERY_STRING'] variable; for this reason, successful exploitation of this vulnerability requires short_open_tag to be enabled.
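The following is an added example, not Invision Power Board code: it reproduces the 'a:' prefix check beside a hardened variant and shows that a serialized array whose element is an object passes the check and has its __destruct() run with attacker-chosen properties. The DebugLogger class is a constructed stand-in for dbMain (it only records the destructor call instead of writing a log file), the cookie value is constructed, and the hardened function is an assumed replacement rather than the vendor's patch; it relies on the allowed_classes option of unserialize(), which requires PHP 7.0 or later.

```php
<?php
// Added example (not Invision Power Board code). DebugLogger stands in for
// dbMain: its __destruct() only records the call instead of writing a file.

class DebugLogger
{
    public static $fired = array();   // every destructor call is recorded here
    public $logFile = '';
    public $message = '';

    public function __destruct()
    {
        // dbMain::__destruct() calls writeDebugLog(); here we just note it,
        // together with the properties the attacker controlled.
        self::$fired[] = "writeDebugLog('{$this->message}') -> {$this->logFile}";
    }
}

// Mirrors the check in IPSCookie::get(): only the first two bytes are inspected.
function vulnerable_get($value)
{
    if (substr($value, 0, 2) == 'a:') {
        return unserialize(stripslashes(urldecode($value)));
    }
    return $value;
}

// Hardened variant (assumption, not the vendor's patch): never let
// unserialize() instantiate classes (allowed_classes needs PHP >= 7.0),
// and reject anything that does not decode to an array.
function hardened_get($value)
{
    $decoded = stripslashes(urldecode($value));
    if (substr($decoded, 0, 2) !== 'a:') {
        return $value;
    }
    $data = @unserialize($decoded, array('allowed_classes' => false));
    return is_array($data) ? $data : array();
}

// Constructed cookie value: a one-element array whose element is an object.
// It passes the 'a:' check because the object token is nested, not leading.
// (String lengths: "DebugLogger" = 11, "logFile" = 7, "/tmp/debug.log" = 14,
//  "message" = 7, "injected" = 8.)
$cookie = 'a:1:{i:0;O:11:"DebugLogger":2:{'
        . 's:7:"logFile";s:14:"/tmp/debug.log";'
        . 's:7:"message";s:8:"injected";}}';

// Vulnerable path: the attacker-chosen class is instantiated ...
$v = vulnerable_get($cookie);
echo get_class($v[0]), "\n";
// ... and dropping the last reference runs its __destruct() with the
// attacker-chosen logFile and message.
unset($v);
echo DebugLogger::$fired[0], "\n";

// Hardened path: the object becomes __PHP_Incomplete_Class, whose
// properties are preserved as data but which has no destructor to run.
$h = hardened_get($cookie);
echo get_class($h[0]), "\n";
echo count(DebugLogger::$fired), "\n";
```

The example does not reproduce the full chain from the advisory (dbMain::writeDebugLog, the $_SERVER['QUERY_STRING'] injection and the short_open_tag requirement); it only shows why the prefix check fails and what stops the destructor from firing. Disabling class instantiation is the minimal hardening; the cleaner fix is not to unserialize() cookie data at all and to carry structured values in a format such as JSON instead.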

Disclosure Timeline:
[21/10/2012] – Vulnerability discovered
[23/10/2012] – Vendor notified
[25/10/2012] – Patch released: http://community.invisionpower.com/topic/371625-ipboard-31x-32x-and-33x-security-update
[25/10/2012] – CVE number requested
[29/10/2012] – Assigned CVE-2012-5692
[31/10/2012] – Public disclosure
