December 18, 2020 / blog yazısı

Zero Day Hunting Diaries - 2

Dolibarr 12.0.3 Authenticated RCE Vulnerability

Vendor: https://github.com/Dolibarr/dolibarr

Version: 12.0.3

Vulnerability: Code Injection

CVE: CVE-2020-35136

Exploit-Db: https://www.exploit-db.com/exploits/49269

Vulnerability Summary:

Open source ERP-CRM Dolibarr 12.0.3 is vulnerable to authenticated Romote Code Execution Attack. An attacker who has the access the admin dashboard can manipulate the backup function by inserting payload into the file name and thus triggering command injection on target system.

Vulnerability Detail:

Challeng #1: Finding the Vulnerability

When analyzing the Dolibarr app, I realized that it was backing up the files and compresses them. This had to be somehow related to “tar” command.

With this assumption in mind, when I clicked on “Generate Backup” button, I concretely saw that indeed tar command was in action. So, was it possible to inject code?

Challenge #2: Triggering Command Injection:

With the inquiry of command injection, on admin dashboard page http://192.168.0.15/admin/tools/dolibarr_export.php, I clicked on button “Generate Backup” while Gzip option was selected and while Burpsuite was intercepting the traffic.

I tried many different vectors and encodings. Yet I was remained empty handed.

When I analyzed the source code, I realized that escapeshellcmd Php utility command was used to sanitize the input. This function successfully escapes characters such as

#&;`|*?~<>^()[]{}$\, \x0A and \xFF. ' and ".

Yet the function here running in the background was “tar” command. Tar command has a special parameter called “–use-compress-program”. It is possible inject bash commands as part of this paramater without violating escapeshellcmd. Thus I was capable of running command shell with the following payload:

.tar –use-compress-program=’nc -nlvp 9999’%20%0a%20%20::%20

This allowed me having a netcat listener.

Challenge #3: Having a command shell:

Once I was about to share my findings with Exploit-db, one of our team members warned me about netcat listener being not interactive shell. I totally forgot and missed the famous “-e” parameter. Yet, hold on; “nc -nlvp 9999 -e cmd.exe” should successfully run on Windows yet “nc -nlvp 9999 -e /bin/bash” was not allowed (bacuase of the slash (/) character being filtered.

A new challenge was again in front of us. Finally we found out we had the possibility of using “-c” parameter, thus “nc -c bash -nlvp 9999” successfully runs.

Fix: The vendor pushed a fix to their github blocking the use of “–“ characters: https://github.com/Dolibarr/dolibarr/commit/4fcd3fe49332baab0e424225ad10b76b47ebcbac After the version 12.0.4 is also published on: https://sourceforge.net/projects/dolibarr/

Disclosure Timeline

10 December 2020 - First Contact

13 December 2020 - Released Dolibarr 12.0.4 (https://sourceforge.net/projects/dolibarr/)

17 December 2020 - Responsible Disclosure