Disclosure: Greymatter Remote login/pass Disclosure

[This was originally disclosed on the Bugtraq mail list and touched up slightly for style. VulnDB 4081]

Software: Greymatter 1.21c and earlier
Vulnerability: Remote administrator login/password exposure
Vendor Status: Notified [0]

I originally saw this posted on Metafilter [1] and linked to a two line description [2]. As with many other attacks, you can google for a specific file and find vulnerable sites all over. I did a quick check and found 4 vulnerable out of the first 10 google reported back. Anyway, since I have very limited experience with Greymatter (GM), and I have reported one security bug to the author before, I typed up some more notes on the bug. This will be fairly easy to catch using whisker/Nikto if people use default installs (which is common). At the time of this post, Nikto [3] has been updated to look for the existance of Greymatter. The big sign of GM being present is /cgi-bin/gm.cgi .. that is the Greymatter login screen and odds are GM is being run as root. Just getting the password will let you post to the blogger, erase entries, upload files and more. However, there are a lot of CGIs (listed below) associated with the package, many could be vulnerable to the older attacks.

In the past I notified the author of a bug related to the password being stored in cleartext on the server, so that any local user could read it. This was actually discovered looking at the access_log of apache. When rebuilding the GM threads/pages, it will include the login name and password in the HREF. A simple grep of “password” through access_logs, or snooping through the GM install directories will find the administrator login for GM. This prompted me to look at the cause of the HREF, and lead me to note that many of the GM files are mode 666 by default. The author acknowledged the vulnerability and indicated he rarely (if ever) supports the package. Many people are moving to Movable Type [4] which imports GM material and is being actively maintained. Movable Type apparently worries about security more as well. For those still using GM, there is user based support/upgrades/patches available [5]. The Greymatter home page can be found at http://noahgrey.com/greysoft/.

About Greysoft from their page:

Greymatter is the original—and still the world’s most popular—opensource weblogging and journal software. With fully-integrated comments, searching, file uploading and image handling, completely customisable output through dozens of templates and variables, multiple author support, and many other features, Greymatter remains the weblog/journal program of choice for tens of thousands of people around the world.

From the original post about the vulnerability [2]:

How to hack Greymatter driven sites

Just search for a file called “gmrightclick” in google and download a file
called “gmrightclick*.reg” where the stars represent a number. open it and
there you have it: Username and Password for everyone to use.

For those doing pen-testing or looking for the vulnerability, here are a few signs of Greymatter being used:

  • button “powered by greymatter”, links to: http://noahgrey.com/greysoft/
  • text that says “greymatter”
  • default blog string: Posted by @ [Link] [No Comments]
    : Posted by @ [Link] [2 Comments]
  • /cgi-bin/gm.cgi is present and offers login/pass

Here are the CGI’s in greymatter install (w/ default perms):

-rw-rw-rw- 1 root fs 304 Dec 8 04:17 gm-authors.cgi
-rw-rw-rw- 1 root fs 23 Sep 21 23:00 gm-banlist.cgi
-rwxr-xr-x 1 root fs 15571 Jan 12 2001 gm-comments.cgi*
-rw-rw-rw- 1 root fs 409 Sep 22 01:50 gm-config.cgi
-rw-rw-rw- 1 root fs 18 Dec 8 04:17 gm-counter.cgi
-rw-rw-rw- 1 root fs 23873 Dec 8 04:17 gm-cplog.cgi
-rw-rw-rw- 1 root fs 750 Dec 8 04:17 gm-entrylist.cgi
-rwxr-xr-x 1 root fs 10211 Jan 12 2001 gm-karma.cgi*
-rw-rw-rw- 1 root fs 157160 Feb 22 2001 gm-library.cgi
-rw-rw-rw- 1 root fs 20353 Sep 22 03:15 gm-templates.cgi
-rwxr-xr-x 1 root fs 9162 Jan 12 2001 gm-upload.cgi*
-rwxr-xr-x 1 root fs 388772 Feb 22 2001 gm.cgi*

The path to “gmrightclick*” can vary widely. This is user defined but often easy to find just by visiting the GM based blog/site. The default directory is (I believe) /archive/. Others you may often see is /archive/logs/ or /photo/archives/ depending on the GM usage.

What prompts this vulnerability:

If the administrator uses the “Add Bookmarklets” feature to add a link/photo, it will add a new “gmrightclick” file unless they have set the “clear” function in their configuration. After adding a link, they need to hit the “Clear And Exit” button at the bottom of the page. This will remove all “gmrightclickreg” files.

Sites that customize their look/HTML will likely not have an open /archive/ dir. Sites that use “Master Archive” option will not have a browsable /archive/ directory. This will make it difficult to find the file.

‘gmrightclick’ filename examples:
gmrightclick-150003.reg
gmrightclick-215087.reg
gmrightclick-146133.reg
gmrightclick-558618.reg

I assume the number is pseudo random, or based off PID or something else as an obscurity scheme. This WILL help for sites that customize or use ‘master archive’ feature, as it will not let the user enter the /archive/ directory and clearly see the .reg files. You could brute force find this possibly but the gain is minimal. Further, the file can be deleted without hurting functionality so it may not even be there despite brute forcing.

GM is a unix package, but the ‘bookmarklet’ option is an Internet Explorer
feature.

Contents of gmrightclick*reg:

REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Post To &Greymatter]

@=”javascript:doc=external.menuArguments.document;lt=escape(doc.selection.createRange().text); loglink=escape(doc.location.href);loglinktitle=escape(doc.title); wingm=window.open(‘http://some.site.here.edu/cgi-bin/greymatter/gm.cgi?jericho=gmbmpost&authorname=ADMINNAME&authorpassword=CLEARTEXTPASSWORD&logtext=’+lt+’&loglink=’+loglink+’&loglinktitle=’+loglinktitle,’gmwindow’,’scrollbars=yes,width=660,height=460,left=75,top=75,status=yes,resizable=yes’);wingm.focus();””contexts”=hex:31

Notice the two fields: “authorname” and “authorpassword” above. With this information, you can log in w/ full administrative rights to a GM site.

References:

[0] http://foshdawg.net/forums/viewtopic.php?p=773#773
[1] http://www.metafilter.com/comments.mefi/15039
[2] http://www.dangerousmonkey.com/dangblog/dangarch/00000051.htm
[3] http://www.cirt.net/nikto/
[4] http://www.movabletype.org/
[5] http://foshdawg.net/forums/index.php