GestioIP v3 Authenticated Remote Command Execution #2461
Merged
GestioIP v3 Remote Command Execution
GestioIP v3 (and possibly other versions prior) is susceptible to a remote command execution vulnerability in the ip_checkhost.cgi page. An attacker can craft a special HTTP request to ping an IPv6 address to achieve remote command execution.
Example request with payload:
http://192.168.1.14/gestioip/ip_checkhost.cgi?ip=2607:f0d0:$(echo${IFS}PD9waHAKCiAgcGhwaW5mbygpOwo/Pgo=|base64${IFS}--decode|tee${IFS}phpinfo.php):0000:0000:0000:0000:0004&hostname=fsd&client_id=1&ip_version=
No spaces are allowed, but you can get around this restriction by using ${IFS} in place of spaces. The above payload will create a small PHP script with phpinfo() in it on the root of the application. The total payload size limit is 500 characters max, so there isn't a whole lot of space to play in.
By not specifying an ip_version in the query string, any extra sanitization/checking of the payload does not occur since the application checks explicitly for ipv4 or ipv6 as the values. The address in the query string is passed to the ping6 utility and the command is executed with system().
Disclosure timeline:
Oct 2 – Initial Discovery
Oct 3 – Initial Metasploit Module and Vendor Contact, sent PGP key
Oct 3 – Vendor response with PGP key, details of vuln sent
Oct 3 – Vendor releases patch (http://sourceforge.net/p/gestioip/gestioip/ci/ac67be9fce5ee4c0438d27dfa5c1dcbca08c457c/)
Vulnerable version available in a base64-encoded flavor in this gist: https://gist.github.com/brandonprry/6826061/raw/b2b024a8eb137cd77785c40c5682f7174c048e25/gistfile1.txt
Should be able to wget the file and pipe into base64 --decode
This vulnerability has been fixed with the following commit:
http://sourceforge.net/p/gestioip/gestioip/ci/ac67be9fce5ee4c0438d27dfa5c1dcbca08c457c/
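The two controls the report says were missing in ip_checkhost.cgi (reject a missing ip_version instead of skipping the check, and never hand the address to a shell), written out as an added Python example; this is not GestioIP's own Perl code nor the linked patch, and the function names are assumptions:

```python
import ipaddress
import re
from typing import List, Optional
from urllib.parse import parse_qs

# Added example, not GestioIP's code; function names are assumptions.
# Whitelist: only characters that can occur in a textual IPv4/IPv6 literal.
ADDRESS_CHARS = re.compile(r"^[0-9A-Fa-f:.]{1,45}$")

def validate_ping_target(ip: str, ip_version: Optional[str]) -> str:
    """Return the normalised address or raise ValueError.

    A missing or unknown ip_version is rejected outright; the vulnerable page
    only sanitised when ip_version was explicitly 'ipv4' or 'ipv6'.
    """
    if ip_version not in ("ipv4", "ipv6"):
        raise ValueError("ip_version must be ipv4 or ipv6")
    if not ADDRESS_CHARS.fullmatch(ip):
        raise ValueError("address contains characters outside an IP literal")
    addr = ipaddress.ip_address(ip)  # strict parse; raises ValueError on junk
    if addr.version != (4 if ip_version == "ipv4" else 6):
        raise ValueError("address family does not match ip_version")
    return str(addr)

def is_valid_target(ip: str, ip_version: Optional[str]) -> bool:
    """Boolean wrapper around validate_ping_target for callers and tests."""
    try:
        validate_ping_target(ip, ip_version)
        return True
    except ValueError:
        return False

def build_ping_argv(ip: str, ip_version: Optional[str]) -> List[str]:
    """argv for subprocess.run(argv): no shell, so ${IFS}, $(...) and | are inert."""
    target = validate_ping_target(ip, ip_version)
    return ["ping6" if ip_version == "ipv6" else "ping", "-c", "1", target]

def flag_request(query_string: str) -> bool:
    """Log-review check: True when an ip= value is not a plain IP literal."""
    values = parse_qs(query_string, keep_blank_values=True).get("ip", [])
    return any(not ADDRESS_CHARS.fullmatch(v) for v in values)

# Constructed sample shaped like the request above, with a harmless inner command.
SAMPLE_QUERY = ("ip=2607:f0d0:$(echo${IFS}hi):0000:0000:0000:0000:0004"
                "&hostname=fsd&client_id=1&ip_version=")
```

Run the same ADDRESS_CHARS check over access-log query strings to find attempts that predate the patch.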