Wednesday, March 20, 2013

Local File Inclusion Vulnerability in bugs.owncloud.org - CVE-2013-1761


Last year when i was finding vulnerabilities in owncloud.org i came across a Local file inclusion vulnerability in one of the subdomains of owncloud.org

A Little more insight on LFI:
Its a vulnerability which allows to read files which are present locally on the server having read permissions or one can also call it a dynamic execution of interpreted code loaded from a file . The attack can be serious when the application allows to read files which are located outside the root directory, which can be done using characters like ../../../../../../  or a ..%2F..%2F..%2F..%2F . This is actually to traverse outside the root directory and to access the files system.
Few php LFI examples:
<?php $test = $_GET['id']; 
 if(isset($test)) { include("pages/$test"); }
 else { include("index.php"); }
?>
In the above example the id parameter is not sanitized to filter out malicious characters like "..%2F", It is easily possible to access any file which is locally stored on the system outside the root directory.

Now coming back to owncloud the  website was bugs.owncloud.org and there was a parameter named "files=" which would fetch the requested file from the server. The parameter was not validating the user input at the server end so it was pretty simple to read any local files having read permissions.

Vulnerable URL: http://bugs.owncloud.org/thebuggenie/serve&g=css&files=

The "files" parameter was taking a base64 encoded value which was further decoded at the server end. So i encoded the value for ../../../../../../etc/passwd as Li4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA== and accessed it "http://bugs.owncloud.org/thebuggenie/serve&g=css&files=Li4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA==" this read out the most important file from the server.

I reported the vulnerability to owncloud and they replied saying its a issue with "The Bug Genie". Lukas Reschke helped me to get in touch with the Bug Genie developers. They realized the criticality of the bug and quickly rolled out a fix within a week and assigned me a CVE id "CVE-2013-1761". They also acknowledged my contribution on their new software release here.

I also want to mention Lukas Reschke for helping me get a CVE id.

3 comments:

  1. seems quite impressive....keep sharing if u get nythn else on this....

    ReplyDelete
  2. Prajal,

    Great job. Keep it up!

    Can you recommend a tool to check LFI vulnerabilities? I'd like to try it out on my site/application.

    Krishna

    ReplyDelete
  3. Thanks @krishna. Try using a decent cheat sheet wouldn't recommend a tool for LFI. Any ways try your hands on http://www.xenuser.org/tools/lfi_sploiter.py Tell me if this sufficed.

    ReplyDelete