HAMweather Remote Code Execution
September 30, 2021
Vendor : HAMweather, LLC
URL : http://www.hamweather.com
Version : HAMweather <= 3.9.8.4
Risk : Remote Code Execution


Description:
HAMweather is a popular weather forecasting package that lets webmasters display detailed weather forecasts and statistics on their websites. Unfortunately, some of the features within HAMweather allow an attacker to inject arbitrary PHP into the application and execute arbitrary code. Because the magic_quotes_gpc and register_globals settings are irrelevant to exploiting this issue, it is that much easier for an attacker to obtain a remote shell on the host and possibly mount further attacks on the underlying server. An updated version of HAMweather has been released and all users are encouraged to upgrade as soon as possible.


Arbitrary Code Execution
There are several arbitrary PHP code execution issues in HAMweather, all of which are a direct result of careless use of eval(). The function that appears to be the root of the problem is do_parse_code(), located in Template.php and shown below.
function do_parse_code($expr, $save_file_fh, $pm, &$extra_parse, &$hashes) {
	// $expr is assembled from template text and request parameters, so its contents are attacker-influenced
	$expr = $this->parse_line($expr, 0, $save_file_fh, $pm, $extra_parse, $hashes);
	$expr = $this->clean_quotes($expr);
	// rewrite the template operators "eq" and "ne" into PHP "==" and "!=" before evaluation
	$expr = preg_replace(array('/\beq\b/', '/([^\'\w])ne([^\'\w])/'), array('==', '$1!=$2'), $expr);
	if ($this->debug) {
		// with debugging enabled, the final expression is echoed back to the client
		print "\nexpr=\"$expr\"\n\n";
	}
	// the assembled string is passed straight to eval(), so any PHP it contains is executed
	return eval($expr);
}

Also, as seen in the above code, an attacker may (if the configuration allows it) append &debug=1 to the URL to fine-tune the attack, since the exact contents being sent to the eval() call are then displayed.

http://www.example.com/hw3.php?daysonly=0).phpinfo().(

Regardless of configuration settings, a URL like the one above, sent to a vulnerable HAMweather installation, would successfully execute the phpinfo() function. However, this could just as easily be any code of the attacker's choosing. An updated version of HAMweather has been released and all users should upgrade immediately.
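As an added example that is not part of this advisory or of HAMweather's code, the following shows how the template's "eq"/"ne" comparisons can be evaluated without ever calling eval(). It assumes the templates only need a single binary comparison between literals; the function name safe_parse_code() is hypothetical.

```php
<?php
// Added example (not HAMweather code): evaluate a template comparison
// such as "0 eq 0" or "'rain' ne 'snow'" by parsing it against a strict
// grammar instead of rewriting it into PHP and passing it to eval().
// Assumption: a template condition is exactly one binary comparison.

function safe_parse_code(string $expr): bool
{
    // Operand: integer/float, single- or double-quoted string, or bare word.
    $operand = '(-?\d+(?:\.\d+)?|\'[^\']*\'|"[^"]*"|[A-Za-z_]\w*)';
    $pattern = '/^\s*' . $operand . '\s*(eq|ne|==|!=)\s*' . $operand . '\s*$/';

    // Anything that does not match the grammar is an error, never code.
    if (!preg_match($pattern, $expr, $m)) {
        throw new InvalidArgumentException("Rejected template expression: $expr");
    }
    [, $lhs, $op, $rhs] = $m;

    $value = function (string $tok) {
        // Strip quotes from string literals; numeric tokens become int/float.
        if ($tok[0] === '\'' || $tok[0] === '"') {
            return substr($tok, 1, -1);
        }
        return is_numeric($tok) ? $tok + 0 : $tok;
    };
    $l = $value($lhs);
    $r = $value($rhs);

    // Loose comparison keeps the semantics the old eval("... == ...") had.
    return ($op === 'eq' || $op === '==') ? $l == $r : $l != $r;
}

// Constructed inputs: two legitimate template tests, then a value shaped
// like the advisory's "0).phpinfo().(" payload, which the grammar rejects
// before any PHP is executed.
var_dump(safe_parse_code('0 eq 0'));
var_dump(safe_parse_code("'rain' ne 'snow'"));
try {
    safe_parse_code('0).phpinfo().( eq 0');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```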


Solution:
The HAMweather development team were very prompt, and released an update for this issue within a few hours of being notified. Users are encouraged to upgrade their HAMweather installations as soon as possible.


Credits:
James Bercegay of the GulfTech Security Research Team