Clickheat 1.13 Remote Command Execution

Posted May 19, 2015
Authored by Calum Hutton

Clickheat version 1.13 suffers from a remote command execution vulnerability.

tags | exploit, remote
SHA-256 | 300ce9838bd8a669889600e36ca5c0dafd090928c0e4b644dfa8cac24db9a8a8

Clickheat 1.13+ Unauthenticated RCE
-----------------------------------

The Clickheat developers have been informed, but have not responded to my email. The code has not been updated recently and the project seems to be in an abandoned state.

I have discovered a vulnerability in Clickheat 1.13 onwards that would allow an attacker to execute arbitrary commands on the remote webserver, in the context of the user running the webserver, without authentication. This could lead to unauthenticated access to the Clickheat web application, and potentially complete takeover of the remote webserver.
 
For the exploit to be successful, the webserver (Apache was tested in this case) must be configured to handle Perl (.pl) scripts and have the ExecCGI directive present in the VirtualHost configuration.
 
The issue stems from a script called parseClickLogs.pl in the /scripts directory of Clickheat. If the Apache configuration is set up as above, this script will be executed when a user visits /clickheat/scripts/parseClickLogs.pl, as shown in the Apache error log:
 
[Tue May 12 13:36:27.068012 2015] [cgi:error] [pid 10783] [client 127.0.0.1:45523] AH01215: usage: ./parseClickLogs.pl apache_logs_file dest_path [domain_ignored]
[Tue May 12 13:36:27.070133 2015] [cgi:error] [pid 10783] [client 127.0.0.1:45523] End of script output before headers: parseClickLogs.pl
 
Arbitrary parameters can be supplied to the script directly from the URL query string, separated by + characters.
 
In the script, line 48 contains a vulnerable open() call:
 
open(LOGFILE, $srcFile) or die("Impossible d'ouvrir le fichier ".$srcFile);
 
The open() call is vulnerable because the $srcFile parameter has not been sanitized in any way; it is simply the first argument passed to the script. In addition, the open() call uses the two-argument form without an explicit input mode, so its behaviour can be manipulated by appending a pipe (|) symbol to the argument, which Perl interprets as a request to run the name as a command rather than read it as a file. See here for discussion: http://www.cgisecurity.com/lib/sips.html.
 
POC
----
The following POC shows how to gain access to the Clickheat configuration data by copying /clickheat/config/config.php to a plain text file for viewing.
 
- Copy config.php using arbitrary commands on the server:
GET /clickheat/scripts/parseClickLogs.pl?cp ../config/config.php conf.txt|+two
 
- View newly created copy of config.php (\ is appended to the filename)
GET /clickheat/scripts/conf.txt\
 
Mitigation
----------
A simple mitigation would be to either remove this script, if it is not required by the core functionality of Clickheat, or move it outside of the publicly accessible HTML path. You could also explicitly set the open() mode to input only, for example:
 
open(LOGFILE, "<$srcFile") or die("Impossible d'ouvrir le fichier ".$srcFile);
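As an added illustration of the mitigation above (this is not code from the advisory or from the Clickheat project; the directory, file names and helper names are assumptions), the following Perl script shows the three-argument form of open(), which keeps the mode separate from the file name, combined with an allowlist check on the argument. The sample log file it reads is constructed by the script itself, so it runs stand-alone:

```perl
#!/usr/bin/perl
# Added example, not part of the Clickheat advisory or the Clickheat project:
# a hardened replacement for the parseClickLogs.pl open() call.  The log
# directory, file names and helper names below are assumptions for this demo.
use strict;
use warnings;
use File::Spec;

# Hypothetical policy: log files may only be read from this one directory.
my $LOG_DIR = File::Spec->tmpdir();

# Accept only a plain file name: no '/', no '..', and none of the characters
# that a two-argument open() would treat as a mode or a pipe ('|', '<', '>', '+').
sub safe_log_path {
    my ($name) = @_;
    return undef unless defined $name && $name =~ /\A[A-Za-z0-9._-]+\z/;
    return undef if $name =~ /\A\.\.?\z/;        # reject "." and ".."
    return File::Spec->catfile($LOG_DIR, $name);
}

# Three-argument open: the mode is its own argument, so a trailing '|' in
# $srcFile is just part of a (non-existent) file name, never a command pipe.
sub open_log_readonly {
    my ($srcFile) = @_;
    my $path = safe_log_path($srcFile);
    die "rejected log file name\n" unless defined $path;
    open(my $fh, '<', $path) or die("Cannot open file $path: $!\n");
    return $fh;
}

# Demo: write a constructed one-line access log, then try a legitimate name,
# a name with a trailing '|' (the pattern the advisory describes), a path
# traversal attempt and a bare command with a pipe.
my $sample = File::Spec->catfile($LOG_DIR, 'demo_access.log');
open(my $out, '>', $sample) or die "cannot create sample log: $!";
print $out "127.0.0.1 - - [12/May/2015:13:36:27 +0000] \"GET / HTTP/1.1\" 200 12\n";
close $out;

for my $arg ('demo_access.log', 'demo_access.log|', '../etc/passwd', 'ls|') {
    my $fh = eval { open_log_readonly($arg) };
    if ($fh) {
        my $first = <$fh>;
        close $fh;
        print "[ok]       '$arg' -> read: $first";
    } else {
        print "[rejected] '$arg' -> $@";
    }
}
unlink $sample;
```

Run it with no arguments; it reports which of the constructed arguments are read and which are rejected (only the plain file name is read). Unlike the two-argument "<$srcFile" form, the three-argument form never inspects the file name for mode characters and does not strip surrounding whitespace, which is why perlfunc recommends it; the allowlist additionally blocks path traversal, which the mode fix alone does not address.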
