Moderate
CVE-2021-32682
CVE-2021-32682
Description
elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration. The issues were patched in version 2.1.59. As a workaround, ensure the connector is not exposed without authentication.
Add Assessment
Technical Analysis
This CVE represents multiple vulnerabilities found in elFinder which you can read more about here. My assessment will mostly focus on the argument injection vulnerability, as that one is personally the easiest to exploit / gives the best reward out of all of them from an attacker’s perspective (a shell!).
The argument injection vulnerability occurs in the makeArchive() function:
php/elFinderVolumeDriver.class.php from elFinder v2.1.57
6841 protected function makeArchive($dir, $files, $name, $arc) 6842 { 6843 if ($arc['cmd'] === 'phpfunction') { 6844 if (is_callable($arc['argc'])) { 6845 call_user_func_array($arc['argc'], array($dir, $files, $name)); 6846 } 6847 } else { 6848 $cwd = getcwd(); 6849 if (chdir($dir)) { 6850 foreach ($files as $i => $file) { 6851 $files[$i] = '.' . DIRECTORY_SEPARATOR . basename($file); 6852 } 6853 $files = array_map('escapeshellarg', $files); 6854 6855 $cmd = $arc['cmd'] . ' ' . $arc['argc'] . ' ' . escapeshellarg($name) . ' ' . implode(' ', $files); 6856 $this->procExec($cmd, $o, $c); 6857 chdir($cwd); 6858 } else { 6859 return false; 6860 } 6861 } 6862 $path = $dir . DIRECTORY_SEPARATOR . $name; 6863 return file_exists($path) ? $path : false; 6864 }
On line 6855, the archive command is created with the previously-sanitized file name(s) and the user-controlled name variable being passed to escapeshellarg(). escapeshellarg() escapes single quotes and places singles quotes around the string supplied as the argument. Additionally, I found that the name variable is further sanitized via another method. Certain characters like spaces, slashes, +’s, etc. are either removed or replaced with other characters, adding some minor complexity to the exploit. Despite these limitations, when using zip as the archive method, supplying the -TmTT option through the name parameter / variable allows execution of arbitrary commands.
This vulnerability’s impact can vary since elFinder can be used as a standalone web-based file manager and as an underlying file manager for other software. Standalone, elFinder does not require authentication, so exploitation would be quite straightforward. I don’t expect there to be many of these installations on the open internet, so while easy to exploit, this would likely require being on an internal network first.
In cases where elFinder is integrated with other software, this may add to the complexity by requiring auth / admin privileges. For instance, according to the Portswigger article elFinder is used as part of the Wordpress File Manager, but requires access to an admin account to exploit. This is likely the similar case for other software that integrates with elFinder, such as CKEditor, TinyMCE, etc.
While it’s hard to determine just how widespread this vulnerability is, I think most vulnerable elFinder installations are probably behind auth via third-party apps. Whether that’s truly the case or not, a patch for this should be prioritized.
Edit: I selected both unauthenticated and authenticated since this vulnerability can technically be both.
CVSS V3 Severity and Metrics
General Information
Vendors
- std42
Products
- elfinder
Metasploit Modules
References
