[39141] in bugtraq
Re: Arbitrary code execution in eping plugin
daemon@ATHENA.MIT.EDU (exon)
Mon Jun 13 14:58:32 2005
Message-ID: <42AC1F18.50505@home.se>
Date: Sun, 12 Jun 2005 13:40:08 +0200
From: exon <exon@home.se>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
In-Reply-To: <20050611201509.27599.qmail@securityfocus.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
oliver@codersquad.de wrote:
> Hello,
>
> the problem is in function eping_validaddr() in functions.php, where the host is checked to see whether it is valid, as the name says...
> But the only check is to see if it is a valid IP address for eping. Here is the code:
>
> --------------8<-----------------------------------------8<-------------------------------------
> function eping_validaddr($eping_hosttocheck)
> {
> If (ereg("(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)", $eping_hosttocheck))
> {
> return true;
> }
> else
> {
> return false;
> }
> }
> --------------8<-----------------------------------------8<-------------------------------------
>
> I am sorry, but I am a coder and my eyes are bleeding when looking at stuff like that, so here is my suggestion for replacing the if-statement:
> if(preg_match("/^[0-9]{2,3}?\.[0-9]{1,3}?\.[0-9]{1,3}?\.[0-9]{1,3}?$/", $eping_hosttocheck))
>
Your suggestion would block 1.1.1.1, which is a valid IP, while letting
through 999.999.999.999, which isn't. It's a bad regex for finding valid
IPs.
Implementing an inet_aton()-like function would be several orders of
magnitude faster than a preg_match() and several times more accurate.
> So only IP addresses are allowed and no kind of code injection is possible.
>
> And everyone who thinks 'will he ever stop writing?' will be disappointed:
> The same vulnerability also exists in the eTrace module from E107. It looks like it is the same author as the ePing module.
> The only difference is that you have to search for 'etrace' instead of 'eping' in the files.
>
> Greetings from Germany
> Oliver
>
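As an added example (not code from the eping plugin, from Oliver or from exon), the following PHP puts the two regex checks from the thread next to an inet_aton()-style validator of the kind exon suggests; the function names and the sample inputs are mine.

```php
<?php
// Original eping check: the pattern is unanchored, so it only needs to
// find an IP *somewhere* in the string; anything before or after passes.
function eping_validaddr_original($host)
{
    $octet = '(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)';
    return (bool) preg_match("/$octet\\.$octet\\.$octet\\.$octet/", $host);
}

// Oliver's proposed replacement: anchored, but {2,3} rejects a one-digit
// first octet and [0-9]{1,3} accepts values above 255.
function eping_validaddr_proposed($host)
{
    return (bool) preg_match('/^[0-9]{2,3}?\.[0-9]{1,3}?\.[0-9]{1,3}?\.[0-9]{1,3}?$/', $host);
}

// inet_aton()-style validator (my own, hypothetical name): exactly four
// dot-separated decimal fields, each 0..255, nothing else in the string.
// No regex engine involved; only explode(), strspn() and an integer compare.
function eping_validaddr_strict($host)
{
    $parts = explode('.', $host);
    if (count($parts) !== 4) {
        return false;
    }
    foreach ($parts as $p) {
        // Reject empty fields, anything non-numeric (signs, spaces, letters),
        // fields longer than three digits, and values above 255.
        if ($p === ''
            || strlen($p) > 3
            || strspn($p, '0123456789') !== strlen($p)
            || (int) $p > 255) {
            return false;
        }
    }
    return true;
}

// Constructed sample inputs: the two cases exon names, a string with
// trailing junk after a valid address, and an out-of-range first octet.
$samples = ['1.1.1.1', '999.999.999.999', '10.0.0.1 extra', '256.1.1.1'];
foreach ($samples as $s) {
    printf("%-18s original=%d proposed=%d strict=%d\n", $s,
        eping_validaddr_original($s),
        eping_validaddr_proposed($s),
        eping_validaddr_strict($s));
}
```

Running it shows the original check accepting "10.0.0.1 extra" and "256.1.1.1" (the unanchored match finds "56.1.1.1" inside it), the proposed regex rejecting 1.1.1.1 while accepting 999.999.999.999, and only the strict validator accepting exactly the one well-formed address.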