mpgn/CVE-2018-11686
CVE-2018-11686

CVE-2018-11686 - FlexPaper PHP Publish Service RCE <= 2.3.6


found by Red Timmy Security

Technical Analysis:

Security advisory:

  • unknown

Proof Of Concept:

  1. Removing the config files

The file change_config.php of FlexPaper (PHP) doesn't check whether the administrator is properly authenticated, allowing an attacker to delete arbitrary files on the server:

[screenshot 4]

  • The yellow line shows where the authentication check should be placed
  • The red lines show the path taken by an attacker to delete files on the server using the PHP unlink function

An attacker can craft a request like this and delete the files in a directory of their choice:

```
POST /flexpaper/php/change_config.php HTTP/1.1
Host: 127.0.0.1:8888
[...]

SAVE_CONFIG=1&SWF_Directory=config/
```

With this request, an attacker deletes all files in the config directory.

  2. Setting up a new config file

Since all files in the config/ folder are deleted, FlexPaper will think that the application has never been initialized:

[image]

Therefore an attacker is able to set up FlexPaper again. But why?

  3. Executing arbitrary commands

Inside setup.php there is a function called pdf2swfEnabled that calls the PHP exec function with a parameter supplied by the user in the POST request. Since this is the initialisation of FlexPaper (see step 2), there is no authentication.

[screenshot 3]

An attacker can craft a payload like this: `?step=4&PDF2SWF_PATH=id;`, resulting in the call `exec(id; --version 2>&1)`.

  4. Getting the output

The attacker can redirect the output of the command into a file inside the config folder and make a GET request to read the output:

[image]
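As an added example (not part of the original advisory or of the FlexPaper code), here is a small Python rule set that flags requests matching the chain above in a WAF or request-logging middleware feed, where request bodies are available. The request records, the finding names and the `/php/config/` path convention are constructed assumptions.

```python
"""Flag requests that look like the CVE-2018-11686 attack chain (constructed example)."""
import re
from urllib.parse import parse_qs, urlparse

# Characters that turn the PDF2SWF_PATH value into a second shell command.
SHELL_META = re.compile(r"[;|&`$\n<>]")

def _params(req):
    """Merge query-string and form-body parameters into one dict of first values."""
    url = urlparse(req["target"])
    merged = parse_qs(url.query, keep_blank_values=True)
    merged.update(parse_qs(req.get("body", ""), keep_blank_values=True))
    return url.path, {k: v[0] for k, v in merged.items()}

def classify(req):
    """Return the list of attack-chain steps a single request resembles."""
    path, p = _params(req)
    findings = []
    # Step 1: config wipe through the unauthenticated change_config.php handler.
    if path.endswith("/change_config.php") and "SAVE_CONFIG" in p:
        swf = p.get("SWF_Directory", "")
        if "config" in swf or ".." in swf:
            findings.append("config-wipe")
    # Step 3: shell metacharacters in PDF2SWF_PATH reaching exec() in setup.php.
    if path.endswith("/setup.php") and SHELL_META.search(p.get("PDF2SWF_PATH", "")):
        findings.append("command-injection")
    # Step 4: reading command output dropped into the config directory (assumed path).
    if req["method"] == "GET" and "/php/config/" in path:
        findings.append("config-dir-read")
    return findings

def scan(requests):
    """Return (index, findings) for every request that triggered at least one rule."""
    hits = []
    for i, r in enumerate(requests):
        f = classify(r)
        if f:
            hits.append((i, f))
    return hits

# Constructed request records, as a WAF or middleware would capture them (%3B is ';').
SAMPLE = [
    {"method": "POST", "target": "/flexpaper/php/change_config.php",
     "body": "SAVE_CONFIG=1&SWF_Directory=config/"},
    {"method": "POST", "target": "/flexpaper/php/setup.php?step=4&PDF2SWF_PATH=id%3B"},
    {"method": "GET", "target": "/flexpaper/php/config/out.txt"},
    {"method": "POST", "target": "/flexpaper/php/change_config.php",
     "body": "SAVE_CONFIG=1&SWF_Directory=swf/"},
    {"method": "GET", "target": "/flexpaper/php/setup.php?step=1"},
]

if __name__ == "__main__":
    for i, f in scan(SAMPLE):
        print(i, SAMPLE[i]["target"], f)
```

A legitimate administrator saving the configuration (fourth record) or starting a fresh install (fifth record) produces no finding; only the three attack-shaped requests are reported.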


Fix

The authentication check has been added at the beginning of change_config.php:

[image]
