RCE achieved by smuggling web shell into WiFi network comment
Security researchers discovered that the backup feature of GLPI, an open source IT asset management app, was affected by a long dormant, critical vulnerability that lay undiscovered for more than 10 years.
All versions of GLPI released since the software was first put together in 2010 are vulnerable to a remote code execution flaw (CVE-2020-11060) that became exposed through a backup feature.
The vulnerability – discovered by a security researcher at French consultancy Almond – would have been tricky to exploit even before a recently issued patch.
Rather than focusing on its seriousness, however, the point of interest in the web security flaw stems from its arcane source and complexity.
Under the microscope
GLPI was put together by a French developer and is widely used by enterprises, especially in France.
During an engagement for one of Almond’s clients, the researcher, who operates under the moniker @myst404, discovered a static encryption key vulnerability (CVE-2020-5248) in GLPI, as explained in an advisory from the consultancy.
The flaw arose because GLPI used a hard-coded, static cryptographic key to encrypt sensitive data.
This meant, for example, that the LDAP password used for external authentication was stored encrypted in the database with the static key.
Polyglot files and web shells
The cryptographic flaw – resolved by a recent version 9.4.6 update from GLPI – led @myst404 to look more closely at the security of the technology, an exercise that allowed him to uncover a far more interesting web security flaw.
As explained in a technical write-up, the Almond researcher discovered that “an arbitrary path and a hashed path disclosure can be abused to execute code on a GLPI host, by creating a PHP/GZIP polyglot file”.
Almond’s researchers developed an exploitation method for the somewhat obscure security flaw that uses a technician account to achieve remote code execution (RCE) through a “specially-crafted gzip/php web shell in a WiFi network comment”.
The attack relies, in part, on a cross-site request forgery (CSRF) security flaw.
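The write-up describes a backup (a gzipped SQL dump) that doubles as PHP because a PHP open tag is smuggled in through a stored field. The following is an added example, not code from the article, Almond or the GLPI project: a defender-side scanner that parses the gzip header (RFC 1952) and reports whether a PHP open tag appears in the header fields, in the raw compressed body, or in the decompressed dump. The table, column and SSID values are constructed for the example.

```python
import gzip
import re

# Constructed sample dumps, shaped like a backup of a network table. The second
# one carries a PHP open tag inside a comment column (made-up rows, not GLPI's schema).
CLEAN_DUMP = b"INSERT INTO wifinetworks VALUES (1,'office','corp-ssid','floor 2');\n"
TAINTED_DUMP = b"INSERT INTO wifinetworks VALUES (2,'guest','guest-ssid','<?php echo 1; ?>');\n"

PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def make_backup(dump: bytes) -> bytes:
    """Gzip a dump the way a backup job would (helper for this example)."""
    return gzip.compress(dump)


def gzip_header_length(data: bytes) -> int:
    """Length of the gzip header, including the optional FEXTRA, FNAME,
    FCOMMENT and FHCRC fields; raises ValueError if this is not gzip/deflate."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b" or data[2] != 8:
        raise ValueError("not a gzip/deflate file")
    flags = data[3]
    pos = 10
    if flags & 0x04:  # FEXTRA: 2-byte length followed by the extra field
        pos += 2 + int.from_bytes(data[pos:pos + 2], "little")
    for bit in (0x08, 0x10):  # FNAME, FCOMMENT: NUL-terminated strings
        if flags & bit:
            pos = data.index(b"\x00", pos) + 1
    if flags & 0x02:  # FHCRC: 2-byte header CRC
        pos += 2
    return pos


def scan_backup(data: bytes) -> dict:
    """Report where PHP open tags occur: in the gzip header fields, in the raw
    bytes after the header, or only inside the decompressed SQL payload."""
    hdr_len = gzip_header_length(data)
    return {
        "tag_in_header": bool(PHP_TAG.search(data[:hdr_len])),
        "tag_in_raw_body": bool(PHP_TAG.search(data[hdr_len:])),
        "tag_in_payload": bool(PHP_TAG.search(gzip.decompress(data))),
    }


def looks_suspicious(data: bytes) -> bool:
    """True if a PHP open tag shows up anywhere in or inside the backup."""
    return any(scan_backup(data).values())
```

A hit in the header or raw body means the file itself could be parsed as PHP; a hit only in the payload means stored data is carrying PHP tags into backups and deserves a look before the archive lands anywhere a web server can serve it.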
The vulnerability has been patched with the release of GLPI v9.4.6.
In an advisory, GLPI’s developers acknowledged the backup-related security flaw while downplaying its significance.
“An attacker can execute system commands by abusing the backup functionality,” the developers state.
“Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF.”
The developers conclude: “Due to the difficulty of the exploitation, the attack is only conceivable by an account having maintenance privileges and the right to add WiFi networks.”
Far from trivial
Almond’s researchers agreed that the backup-related vulnerability is far from trivial to exploit.
“It was a bit hard to exploit, but since the release of the article/PoC there should be no problem to reproduce the issue, for an attacker having maintenance privileges and the right to add WiFi networks,” @myst404 told The Daily Swig.
“The technician profile has these privileges and is created by default along with the default associated user tech (password: ‘tech’). Of course, the admin GLPI account also has these privileges.”
“However, the vulnerability is still very hard to exploit, but theoretically possible, for an attacker without any valid account,” he concluded.