Wordtrans-web Remote Command Execution Vulnerability Scanit R&D Labs Security Advisory http://www.scanit.net/rd/advisories/ Jun 30, 2008 Filename: SCANIT-2008-003.txt SCANIT ID: SCANIT-2008-003 Published: June 30th, 2008 I. Summary Wordtrans is a free front-end graphical application that allows you to look for words in several dictionaries. It can also translate the word that the user selects with his mouse. The latest Wordtrans version could allow a remote attacker to execute arbitrary code in the server, caused by an input validation error in the wordtrans-web package, which is a PHP-based Web interface for Wordtrans. II. Affected Products This vulnerability affects the wordtrans 1.1pre15 and probably previous versions. III. Details When sending a request without the variable "command" or with an undefined command and any word in the variable "word", the variable "link_options" receives one argument from the user, passed with the "advanced" variable using the POST method. Then, the variable "link_options" is concatenated with the variable "exec_wordtrans". Since "exec_wordtrans" is passed to the function "passthru" without checking for special characters, we can send shell characters like | or ; to execute commands in the machine with privileges of the Web server process when the URL is submitted. This is part of vulnerable script from wordtrans 1.1pre15: ... $exec_wordtrans = $wordtrans . "-d \"$dict\" "; switch ($_GET['command']) { ... default: if ($_POST['word'] != "") { if ($_POST['fullwords']) $exec_wordtrans .= " +w "; else $exec_wordtrans .= " -w "; if ($_POST['casesensitive']) $exec_wordtrans .= " +c "; else $exec_wordtrans .= " -c "; if ($_POST['invertir']) $exec_wordtrans .= " +i "; else $exec_wordtrans .= " -i "; if ($_POST['noacentos']) $exec_wordtrans .= " +g "; else $exec_wordtrans .= " -g "; $link_options = "--html-link-options \"?lang= $lang_case&advanced=".$_POST['advanced']."&\" "; $exec_wordtrans .= $link_options; $exec_wordtrans .= "\"".$_POST['word']."\""; passthru($exec_wordtrans); ... To exploit this vulnerability, the "Magic Quotes" option needs to be unset. But since this option was removed from PHP since version 6.0.0, this is a critical vulnerability. IV. Solution No vendor response. V. Timeline March 10th, 2008 - Vulnerability discovery March 24th, 2008 - First contact attempt June 30th, 2008 - Advisory release VI. Credits This vulnerability was discovered by Scanit's researchers Filipe Balestra and Rodrigo Rubira Branco (BSDaemon) . VII. Contact Scanit's R&D Labs represent Scanit's efforts in security research activities. By keeping track of the newest deffensive and offensive technologies, Scanit's researchers are able to contribute with unpublished works made in-house. This way, by driving the state-of-the-art in computer security, Scanit honors its commitment to stay in the front line of scientific evolution. Reach us at research@scanit.net Visit http://www.scanit.net VIII. Disclaimer The information contained in this document may change without notice. Use of this information constitutes acceptance for use in an "AS IS" condition. There are no warranties regarding the topicality, correctness, completeness or quality of the information provided by this document. Under no circumstances shall the authors be held liable for any direct, indirect, or consequential damages, losses, injuries, or unlawful offences allegedly arising from the use of this information. Copyright 2008 Scanit Middle East FZ/LLC