gps-server.net GPS Tracking Software 3.0 Code Injection / Password Reset

2018-01-06T00:00:00
ID PACKETSTORM:145726
Type packetstorm
Reporter Noman Riffat
Modified 2018-01-06T00:00:00

Description

                                        
                                            `# Exploit Title: GPS-SERVER.NET SAAS CMS <=3.0 Multiple Vulnerabilities  
# Exploit Author: Noman Riffat  
# Vendor Homepage: http://www.gps-server.net/  
# Software Link: http://www.gps-server.net/  
# Version: <=3.0  
# Tested on: Linux and Windows  
# CVE : CVE-2017-17097, CVE-2017-17098  
  
GPS-SERVER.NET SAAS CMS Version <=3.0 Suffers from multiple vulnerabilities  
which results in complete takeover of the target remotely.  
  
1. Remote Code Injection (Works until version 3.0)  
  
The writeLog function in fn_common.php in gps-server.net GPS Tracking  
Software (self hosted) through 3.0 allows remote attackers to inject  
arbitrary PHP code via a crafted request that is mishandled during admin  
log viewing. Login, signup and other common incidents are logged into a PHP  
file in /logs/ directory with the given input. For example an attacker can  
use PHP code in password recovery mode instead of email which will be  
injected into the PHP log file.  
  
Demo:  
  
Go to the vulnerable site  
Click recover tab  
Give following code in email field, fill captcha and click submit  
<?php system($_GET[cmd]); ?>  
Unfortunately each and every POST request in the CMS is going through  
function mysql_real_escape_string() which will add slashes behind every  
quote in the payload. So you have to make sure your payload doesn't contain  
any quote. Fortunately, PHP is flexible enough to allow a string without  
having quotes as you can see in above payload it doesn't contain quotes  
around "cmd" but it still works. The shell can then be collected from here  
https://localhost/logs/YYYY_MM_user_access.php  
YYYY=Current Year  
MM=Current Month  
Use the payload carefully. If you messed it up, PHP log file will get  
corrupted and then wait until next month so CMS generates a new log file  
for you :)  
Unfortunately the header of log files only allows admin session to access  
log data which makes it less of a RCE. Code will only be executed if admin  
checks the log files. But fortunately there is another vulnerability  
(explained below) which allows an attacker to hijack admin's account hence  
making the RCE exploitable with 100% success.  
  
2. Password Reset Vulnerability (Tested upto version 2.7)  
  
gps-server.net GPS Tracking Software (self hosted) 2.x has a password reset  
procedure that immediately resets passwords upon an unauthenticated  
request, and then sends e-mail with a predictable (date-based) password to  
the admin, which makes it easier for remote attackers to obtain access by  
predicting this new password. This is related to the use of gmdate()  
function for password creation in fn_connect.php.  
  
Demo:  
  
Go to the vulnerable site  
Click recover tab  
Input admin's email, fill captcha and click submit. Now execute following  
PHP code on your local machine immediately.  
  
<?php  
for($seconds=-10;$seconds<10;$seconds++){  
echo substr(hash('sha1',gmdate('d F Y G i s u',  
time()+$seconds)),0,6).'<br>';  
}  
?>  
  
Submitting password reset form and executing above should be done parallel  
to predict password as close as possible. Unfortunately i couldn't make  
full remote exploit because of the captcha in the password reset form. This  
code will predict possible 20 passwords generated in 20 seconds. It might  
not be possible to have synchronized timing on your local machine and  
target's server so this code generates 20 passwords (10 before actual time  
and 10 after). Set your local machine's time as accurate as you can to get  
the perfect combo :)  
Password reset vulnerability is tested up to version 2.7 but doesn't work  
on version 3.0 which means it was fixed somewhere in between version 2.7  
and 3.0 and since the CMS isn't open source so I can't say when it got  
fixed (I only had source code of version 2.5.9 and 2.7). Even though the  
reset vulnerability was patched unintentionally as developers added a  
mid-step in password reset procedure. CMS sends password reset link to the  
admin's email and password is only reset once admin clicks the link. Since  
we don't know when admin is gonna click the link so we can't predict the  
new password.  
  
Mitigation: Update CMS to version 3.1  
  
Give me feedback @nomanriffat :)  
  
`