Moderate
CVE-2021-32682
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2021-32682
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration. The issues were patched in version 2.1.59. As a workaround, ensure the connector is not exposed without authentication.
Add Assessment
Ratings
-
Attacker ValueMedium
-
ExploitabilityMedium
Technical Analysis
This CVE represents multiple vulnerabilities found in elFinder which you can read more about here. My assessment will mostly focus on the argument injection vulnerability, as that one is personally the easiest to exploit / gives the best reward out of all of them from an attacker’s perspective (a shell!).
The argument injection vulnerability occurs in the makeArchive()
function:
php/elFinderVolumeDriver.class.php
from elFinder v2.1.57
6841 protected function makeArchive($dir, $files, $name, $arc) 6842 { 6843 if ($arc['cmd'] === 'phpfunction') { 6844 if (is_callable($arc['argc'])) { 6845 call_user_func_array($arc['argc'], array($dir, $files, $name)); 6846 } 6847 } else { 6848 $cwd = getcwd(); 6849 if (chdir($dir)) { 6850 foreach ($files as $i => $file) { 6851 $files[$i] = '.' . DIRECTORY_SEPARATOR . basename($file); 6852 } 6853 $files = array_map('escapeshellarg', $files); 6854 6855 $cmd = $arc['cmd'] . ' ' . $arc['argc'] . ' ' . escapeshellarg($name) . ' ' . implode(' ', $files); 6856 $this->procExec($cmd, $o, $c); 6857 chdir($cwd); 6858 } else { 6859 return false; 6860 } 6861 } 6862 $path = $dir . DIRECTORY_SEPARATOR . $name; 6863 return file_exists($path) ? $path : false; 6864 }
On line 6855
, the archive command is created with the previously-sanitized file name(s) and the user-controlled name
variable being passed to escapeshellarg()
. escapeshellarg()
escapes single quotes and places singles quotes around the string supplied as the argument. Additionally, I found that the name
variable is further sanitized via another method. Certain characters like spaces, slashes, +
’s, etc. are either removed or replaced with other characters, adding some minor complexity to the exploit. Despite these limitations, when using zip
as the archive method, supplying the -TmTT
option through the name
parameter / variable allows execution of arbitrary commands.
This vulnerability’s impact can vary since elFinder can be used as a standalone web-based file manager and as an underlying file manager for other software. Standalone, elFinder does not require authentication, so exploitation would be quite straightforward. I don’t expect there to be many of these installations on the open internet, so while easy to exploit, this would likely require being on an internal network first.
In cases where elFinder is integrated with other software, this may add to the complexity by requiring auth / admin privileges. For instance, according to the Portswigger article elFinder is used as part of the Wordpress File Manager, but requires access to an admin account to exploit. This is likely the similar case for other software that integrates with elFinder, such as CKEditor, TinyMCE, etc.
While it’s hard to determine just how widespread this vulnerability is, I think most vulnerable elFinder installations are probably behind auth via third-party apps. Whether that’s truly the case or not, a patch for this should be prioritized.
Edit: I selected both unauthenticated and authenticated since this vulnerability can technically be both.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- std42
Products
- elfinder
References
Additional Info
Technical Analysis
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: