LiveZilla version 5.0.1.4 - Remote Code Execution

SUBMITTED BY: Guest

DATE: Nov. 24, 2013, 11:45 p.m.

FORMAT: Text only

SIZE: 3.6 kB

Raw Download

HITS: 1964

Report
  1. CVE-2013-6225: Security Advisory – Curesec Research Team
  3. 1. Introduction
  5. Advisory ID: Cure-2013-1007
  6. Advisory URL: https://www.curesec.com/de/veroeffentlichungen
  7. /advisories.html
  8. Blog URL: https://cureblog.de/2013/11/remote-code-execution-in-livezilla/
  9. Affected Product: LiveZilla version 5.0.1.4
  10. Affected Systems Linux/Windows
  11. Fixed in: 5.1.0.0
  12. Fixed Version Link:
  13. https://www.livezilla.net/downloads/pubfiles/LiveZilla_5.1.0.0_Full.exe
  14. Vendor Contact: support@livezilla.net
  15. Vulnerability Type: Remote Code Execution / Local File Inclusion
  16. Remote Exploitable: Yes
  17. Reported to vendor 18.10.2013
  18. Disclosed to public 15.11.2013
  19. Release mode: Coordinated release
  20. CVE: CVE-2013-6225
  21. Credentials: crt@curesec.com
  23. 2. Vulnerability Description
  25. Livezilla is a online chat system used on websites so customers can be
  26. contacted by an employee ask their questions and get delivered what they
  27. are looking for. The software itself is used basically in every industry.
  29. Looking for possible affected systems google reveals: 1.500.000 results.
  31. Inside the file ‘mobile/php/translation/index.php’ the following code
  32. can be found:
  34. $langFileLocation = ‘.’;
  35. $LZLANG = Array();if (isset($_GET['g_language'])) {
  36. $language = ($_GET['g_language'] != ”) ? $_GET['g_language'] : ‘ein’;
  37. require ($langFileLocation . ‘/langmobileorig.php’);
  38. $LZLANGEN = $LZLANG;
  39. if (file_exists($langFileLocation . ‘/langmobile’ . $language . ‘.php’)) {
  40. require ($langFileLocation . ‘/langmobile’ . $language . ‘.php’);
  41. }
  43. The ‘g_language’ GET parameter is not validated before using it in a php
  44. require function call. This allows to include files that are stored on a
  45. windows server. It is, in this case, not possible to include files, if
  46. the php application is running on a linux server because ‘/langmobile’+
  47. the language is not a directory and therefore cannot be traversed. In
  48. recent PHP versions null bytes are blocked. This means that in this case
  49. only files with the PHP extension can be included. Older PHP versions
  50. will allow null bytes in the URL and therefore allow Remote Code
  51. Execution attacks involving httpd log files or /proc/pid/environ and
  52. other techniques to transform this Local File Inclusion into a full
  53. Remote Code Execution on Windows and Linux.
  55. On Windows systems with PHP versions installed that allow null bytes in
  56. the URL it is possible to turn this local file inclusion vulnerability
  57. to a full remote code execution vulnerability. This can be done by
  58. traversing directories and accessing the apache log file with having the
  59. injected the string that follows using a GET request into the log file.
  60. As the screendump shows full code execution in this case executing
  61. calc.exe on windows is possible.
  63. A working exploit for this vulnerability is found in the Appendix of
  64. this documents. The error.log or access.log path has to be known prior
  65. to running the exploit.
  67. 3. Proof of Concept Codes:
  69. Code execution URL sample:
  70. $nc <target> 80
  71. GET /index.php?test=<?php system($_GET[cmd]); ?> HTTP/1.1
  72. Host: <target>
  73. <return>
  74. <return>
  76. 4. Solution
  78. Download and install latest version:
  79. https://www.livezilla.net/downloads/pubfiles/LiveZilla_5.1.0.0_Full.exe
  81. 5. Report Timeline
  83. 18.10.2013 Informed Vendor about Issue
  84. 12.11.2013 Vendor informed about the fixed new version
  85. 15.11.2013 Disclosed to public
comments powered by Disqus