Add module for CVE-2021-32682 #15658
Conversation
Nice work, @space-r7!

So I built a test environment for v2.1.58 using docker. With that running, I went to go and exploit the vulnerability. The module identifies that it's vulnerable but fails when attempting to create the archive.

Dockerfile

Module Output
Thanks for the detailed output! Looks like I need to put in some additional checks to the upload logic, as it seems like neither of the files were uploaded / created. Can you confirm whether the

Looks like it was a file permissions issue. Made a couple of changes to your Dockerfile and added an additional check in the module to ensure that the file was actually uploaded:

Dockerfile

Installs

Output
Yup, that definitely fixed it. Thanks for your help there. With that sorted out I can see that the exploit is working as intended. I also tried version 2.1.59 and verified that it's identified as not vulnerable.

I'll have this landed shortly.
Release Notes

This adds an exploit for CVE-2021-32682 which is an unauthenticated RCE in the elFinder PHP application. The vulnerability is due to a flaw that allows a malicious argument to be passed to the zip command when an archive action is performed.

This adds an exploit module that targets versions < 2.1.59 of the web-based file manager elFinder. When creating a new zip archive, the `name` parameter is sanitized with the `escapeshellarg()` php function and then passed to the `zip` utility. Despite the sanitization, supplying the `-TmTT` argument as part of the `name` parameter is still permitted and enables the execution of arbitrary commands as the `www-data` user.

Tested on elFinder versions 2.1.57, 2.1.58, and 2.1.59.

Verification

```
use exploit/linux/http/elfinder_archive_cmd_injection
set RHOST <ip>
set LHOST <ip>
run
```

Scenarios

v2.1.57

v2.1.59 (Not vulnerable)
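The root cause described in the PR (shell quoting does not stop a name beginning with `-` from being parsed by `zip` as an option) and one way a defender can rule it out, as an added Python example that is not part of this PR, the module, or elFinder's own code. `shlex.quote` stands in for PHP's `escapeshellarg()`, and the `reject_reason` / `--` hardening is an assumed mitigation, not the fix elFinder shipped in 2.1.59.

```python
import shlex
from typing import List, Optional

# Python stand-in for the PHP pattern described above: the name is
# shell-quoted (shlex.quote here, escapeshellarg() in PHP) and spliced
# into a zip command line. Splitting the result the way a shell would
# shows what zip actually receives in its argv.
def what_zip_receives(name: str) -> List[str]:
    return shlex.split("zip -r " + shlex.quote(name) + " ./files")

# Shell quoting only protects the shell. A name that starts with "-"
# reaches zip intact and is parsed as an option, which is the issue
# the PR exploits. The checks below are an assumed hardening, not the
# elFinder project's own fix.
def reject_reason(name: str) -> Optional[str]:
    """Return why an archive name is unsafe, or None if it passes."""
    if not name:
        return "empty name"
    if name.startswith("-"):
        return "looks like a command-line option"
    if "/" in name or "\\" in name or "\x00" in name:
        return "path separator or NUL in name"
    return None

class UnsafeArchiveName(ValueError):
    pass

def build_zip_argv(name: str, sources: List[str]) -> List[str]:
    """argv for zip with option injection ruled out twice over: the
    policy check above, plus "--" so zip stops option parsing before
    the name even if the policy is ever bypassed. Hand this list to
    the process directly (subprocess.run(argv), no shell), so no
    shell quoting is needed at all."""
    reason = reject_reason(name)
    if reason is not None:
        raise UnsafeArchiveName(f"{name!r}: {reason}")
    return ["zip", "-r", "--", name, *sources]

if __name__ == "__main__":
    # Constructed sample of requested archive names, as they might
    # appear in a web server log for the archive action.
    for requested in ["report.zip", "my files.zip", "-TmTT"]:
        print(requested, "->", what_zip_receives(requested)[2],
              "| rejected:", reject_reason(requested))
```

Reviewing the `name` values of archive requests against `reject_reason` is also a cheap way to spot attempts against an instance that has not yet been upgraded.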