CVE-2013-6225: Remote Code Execution in LiveZilla
Date: 2013-11-15 08:33:44
Affected Product: LiveZilla version 126.96.36.199
Fixed Version Link: https://www.livezilla.net/downloads/pubfiles/LiveZilla_188.8.131.52_Full.exe
Vulnerability Type: Remote Code Execution / Local File Inclusion
Reported to vendor: 18.10.2013
Disclosed to public: 15.11.2013
Release mode: Coordinated release
2. Vulnerability Description
Inside the file ‘mobile/php/translation/index.php’ the following code can be found:
The ‘g_language’ GET parameter is not validated before it is used in a PHP require call. On a Windows server this lets an attacker include arbitrary files. On a Linux server the same request fails, because ‘/langmobile’ followed by the language value is not an existing directory: Linux resolves a path one component at a time and stops at the missing one, whereas Windows strips the ‘..’ segments lexically before it ever touches the file system, so the traversal goes through. Recent PHP versions (5.3.4 and later) reject null bytes in file paths, so in that case only files with the PHP extension can be included. Older PHP versions accept a null byte in the URL, which truncates the path at that point; this allows the Local File Inclusion to be turned into full Remote Code Execution with the httpd log files, /proc/pid/environ and the other usual techniques, on Windows and Linux.
On Windows systems running a PHP version that still accepts null bytes in the URL, this local file inclusion can therefore be turned into full remote code execution: traverse to the Apache log file after first injecting the string that follows into it with a plain GET request (the web server writes the request line to the log as received, and PHP executes whatever PHP code it finds there once the log is included). As the screenshot shows, this yields full code execution, in this case starting calc.exe on Windows.
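The two conditions the description above hinges on, traversal through a directory that does not exist and null-byte truncation of the include path, can be checked locally. The following is an added example written for this page, not code from the advisory or from LiveZilla. It assumes the require statement has the shape "./langmobile" . $_GET["g_language"] . "/index.php" (the "./langmobile" prefix is from the advisory, the "/index.php" suffix is an assumption), it assumes language codes look like "en" or "de_DE", and the Windows log path used as sample input is made up.

```python
import os
import re
import tempfile

# Assumed shape of a LiveZilla language code ("en", "de_DE"); the real list ships with the product.
LANG_RE = re.compile(r"^[a-z]{2}(?:_[A-Z]{2})?$")


def php_include_path(g_language, php_version):
    """Return the path PHP would really open for an (assumed) statement like
    require("./langmobile" . $_GET["g_language"] . "/index.php"), or None if PHP refuses it.

    PHP 5.3.4 and later reject a path that contains a NUL byte. Older releases hand the
    string to the C runtime, which stops at the NUL, so the "/index.php" the script
    appended after the attacker's value simply disappears and any file can be named."""
    raw = "./langmobile" + g_language + "/index.php"
    if "\0" in raw:
        if php_version >= (5, 3, 4):
            return None
        raw = raw.split("\0", 1)[0]
    return raw


def runs_on_windows():
    return os.name == "nt"


def traversal_through_missing_dir():
    """Create <tmp>/secret.txt and open it as <tmp>/langmobileXX/../secret.txt, where the
    directory langmobileXX does not exist. Windows strips ".." lexically before touching the
    disk and succeeds; Linux resolves one component at a time, gets ENOENT on langmobileXX
    and never reaches secret.txt. Returns True if the file could be read."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "secret.txt"), "w") as fh:
            fh.write("target")
        traversal = os.path.join(root, "langmobileXX", "..", "secret.txt")
        try:
            with open(traversal) as fh:
                return fh.read() == "target"
        except FileNotFoundError:
            return False


def is_valid_language(g_language, available):
    """Hardened check for the parameter: a shape check plus an exact match against the
    languages that actually ship, so nothing but a plain language code reaches require()."""
    return bool(LANG_RE.match(g_language)) and g_language in available


if __name__ == "__main__":
    # Constructed attacker value: traverse to a (made-up) Apache log path and cut the suffix off.
    evil = "../../../../Apache2/logs/access.log\0"
    print("PHP 5.4:", php_include_path("en", (5, 4, 0)))
    print("PHP 5.2 with NUL:", php_include_path(evil, (5, 2, 17)))
    print("PHP 5.4 with NUL:", php_include_path(evil, (5, 4, 0)))
    print("traversal through a missing directory works here:", traversal_through_missing_dir())
    for cand in ("en", evil):
        print(repr(cand), "accepted by allowlist:", is_valid_language(cand, {"en", "de"}))
```

Run it on Linux and on Windows to see traversal_through_missing_dir() flip, which is exactly why the advisory rates the Linux deployment as not includable. The fix on the application side is the allowlist in is_valid_language: in PHP, an in_array() with strict comparison against the shipped language directories before the require, rather than any attempt to filter "../" or null bytes out of the value.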
A working exploit for this vulnerability can be found in the appendix of this document. The path of error.log or access.log has to be known before running the exploit.
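From the defender's side, both halves of the log-poisoning chain described above leave a trace in the same access log that gets included: the request that plants the PHP code, and the later request that points g_language at the log with a traversal and a null byte. The following detector is an added example for this page, not part of the advisory or of LiveZilla; the four log lines are constructed in Apache combined format for illustration, and the log path, client addresses and the "c=calc.exe" parameter in them are made up.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format lines for illustration, not taken from a real server.
# 1: a normal request; 2: a GET that plants PHP code in the request line so it lands in access.log;
# 3: the include request, traversing to that log with a trailing %00; 4: the same poisoning via User-Agent.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Nov/2013:08:10:01 +0100] "GET /livezilla/mobile/php/translation/index.php?g_language=en HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Nov/2013:08:11:12 +0100] "GET /livezilla/index.php?<?php system($_GET['c']); ?> HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Nov/2013:08:11:20 +0100] "GET /livezilla/mobile/php/translation/index.php?g_language=../../../../../Apache2/logs/access.log%00&c=calc.exe HTTP/1.1" 200 1337 "-" "Mozilla/5.0"
203.0.113.9 - - [15/Nov/2013:08:12:00 +0100] "GET /livezilla/index.php HTTP/1.1" 200 3000 "-" "<?php system($_GET['c']); ?>"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
VULN_PATH_RE = re.compile(r"/mobile/php/translation/index\.php", re.I)
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\|\x00|%00")   # ../ or ..\ or a NUL byte (decoded, or still encoded once more)
PHP_TAG_RE = re.compile(r"<\?(?:php|=)", re.I)


def classify(line):
    """Return (client ip, list of findings) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    parts = m["req"].split(" ")
    # Decode the target once: %2e%2e%2f becomes ../ and %00 becomes a real NUL byte.
    target = unquote(parts[1]) if len(parts) > 1 else ""
    findings = []
    if VULN_PATH_RE.search(target) and "g_language=" in target and TRAVERSAL_RE.search(target):
        findings.append("lfi_attempt")
    # PHP code anywhere the server writes into the log (URL, Referer, User-Agent) is poisoning.
    if any(PHP_TAG_RE.search(field) for field in (target, m["ref"], m["ua"])):
        findings.append("log_poisoning")
    return m["ip"], findings


def scan(log_text):
    """Run classify over a whole log and keep only the lines that triggered something."""
    alerts = []
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[1]:
            alerts.append(result)
    return alerts


if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG):
        print(ip, ", ".join(findings))
```

Matching the poisoning request is the higher-value signal: it arrives before the include and usually produces a 404, so alerting on it gives time to rotate the log before it is ever executed. The include request itself is the one worth blocking at the web server or WAF, since the vulnerable script path and the g_language parameter are fixed.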
3. Proof of Concept Codes:
Code execution URL sample:
4. Solution
Download and install the latest version: https://www.livezilla.net/downloads/pubfiles/LiveZilla_188.8.131.52_Full.exe
5. Report Timeline
18.10.2013  Informed vendor about the issue
12.11.2013  Vendor informed Curesec about the new version
15.11.2013  Disclosed to public