December 18, 2020 / blog post
Zero Day Hunting Diaries - 2
Dolibarr 12.0.3 Authenticated RCE Vulnerability
Vendor: https://github.com/Dolibarr/dolibarr
Version: 12.0.3
Vulnerability: Code Injection
CVE: CVE-2020-35136
Exploit-Db: https://www.exploit-db.com/exploits/49269
Vulnerability Summary:
The open source ERP-CRM Dolibarr 12.0.3 is vulnerable to an authenticated Remote Code Execution attack. An attacker who has access to the admin dashboard can manipulate the backup function by inserting a payload into the file name, thus triggering command injection on the target system.
Vulnerability Detail:
Challenge #1: Finding the Vulnerability
When analyzing the Dolibarr app, I realized that it backed up files and compressed them, which had to involve the "tar" command in some way.
With this assumption in mind, when I clicked the "Generate Backup" button, I confirmed that the tar command was indeed being invoked. So, was it possible to inject code?
Challenge #2: Triggering Command Injection:
To test for command injection, on the admin dashboard page http://192.168.0.15/admin/tools/dolibarr_export.php I clicked the "Generate Backup" button with the Gzip option selected, while Burp Suite was intercepting the traffic.
I tried many different vectors and encodings, yet I remained empty-handed.
When I analyzed the source code, I realized that PHP's escapeshellcmd() function was used to sanitize the input. This function successfully escapes the characters #&;`|*?~<>^()[]{}$\, \x0A and \xFF, as well as ' and ".
Yet the command running in the background was "tar", which has a special parameter called "--use-compress-program". It is possible to inject bash commands as part of this parameter without violating escapeshellcmd(), so I was able to run a command with the following payload:
.tar --use-compress-program='nc -nlvp 9999'%20%0a%20%20::%20
This gave me a netcat listener.
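As an added illustration (not Dolibarr's code), the PHP below contrasts the escapeshellcmd() pattern described above with a hardened version that allow-lists the backup file name, quotes it with escapeshellarg() and ends option parsing with "--"; the function names, the regex and the "documents/" path are assumptions.

```php
<?php
// Added example, not Dolibarr's code: building a tar backup command.
// escapeshellcmd() only neutralises shell metacharacters; it leaves spaces,
// dashes and '=' alone, so an extra token in the file name is passed to tar
// as an option instead of being confined to the archive name.
function buildBackupCmdWeak(string $filename): string
{
    return escapeshellcmd("tar -czf $filename documents/");
}

// Hardened pattern:
//  1. allow-list the name: no spaces, no leading '-', fixed extension;
//  2. pass it as one quoted argument via escapeshellarg();
//  3. terminate option parsing with "--" before the paths to archive.
function validateBackupName(string $filename): bool
{
    // Assumed policy: alphanumerics, '_', '.', '-' and a .tar.gz suffix.
    return (bool) preg_match('/^[A-Za-z0-9_][A-Za-z0-9_.-]{0,99}\.tar\.gz$/', $filename);
}

function buildBackupCmdSafe(string $filename): string
{
    if (!validateBackupName($filename)) {
        throw new InvalidArgumentException('invalid backup file name');
    }
    return 'tar -czf ' . escapeshellarg($filename) . ' -- documents/';
}

// Constructed inputs for demonstration only.
$good = 'dolibarr_2020-12-18.tar.gz';
$bad  = 'x.tar --use-compress-program=id';   // constructed, hostile-shaped name

// The weak builder keeps the injected option in the command string.
echo buildBackupCmdWeak($bad), PHP_EOL;
// The safe builder accepts a well-formed name and rejects the hostile one.
echo buildBackupCmdSafe($good), PHP_EOL;
try {
    buildBackupCmdSafe($bad);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The script only builds and prints command strings; nothing is executed, so it can be run safely to see which inputs each approach lets through.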
Challenge #3: Having a command shell:
When I was about to share my findings with Exploit-DB, one of our team members warned me that a netcat listener is not an interactive shell. I had totally forgotten the famous "-e" parameter. Yet, hold on: "nc -nlvp 9999 -e cmd.exe" should run successfully on Windows, but "nc -nlvp 9999 -e /bin/bash" was not allowed (because the slash (/) character is filtered).
A new challenge was again in front of us. Finally, we found that we could use the "-c" parameter, so "nc -c bash -nlvp 9999" ran successfully.
Fix: The vendor pushed a fix to their GitHub blocking the use of the "--" characters: https://github.com/Dolibarr/dolibarr/commit/4fcd3fe49332baab0e424225ad10b76b47ebcbac Version 12.0.4 was subsequently also published on: https://sourceforge.net/projects/dolibarr/
Disclosure Timeline
10 December 2020 - First Contact
13 December 2020 - Released Dolibarr 12.0.4 (https://sourceforge.net/projects/dolibarr/)
17 December 2020 - Responsible Disclosure