osClass 3.6.1: Remote Code Execution via Image File
19 Dec 2016 by Robin Peraglie
In today's calendar gift, we present another beautiful chain of vulnerabilities which, in the end, allows an attacker to remotely execute arbitrary PHP code. This time, an attacker can smuggle his PHP payload through a valid image file. The issues were detected by RIPS in the open source marketplace software osClass 3.6.1, which is used for creating classifieds sites.
RIPS was able to scan the ~156,000 lines of code in just 23 seconds. The scan results show a high number of vulnerabilities in this project, with high-rated vulnerabilities dominating. However, no critical-rated vulnerability was found on the spot.
The truncated analysis results are available in our RIPS demo application. Please note that we limited the results to the issues described in this post in order to ensure a fix is available.
In the following, we examine three vulnerabilities:
- Cross-Site Scripting
- File Write
- File Inclusion
By chaining these three vulnerabilities, the exploitation of the cross-site scripting issue leads to remote code execution on a targeted web server.
The cross-site scripting vulnerability can be triggered by an authenticated administrator visiting a malicious link, as demonstrated in our previous posts. Due to the generalized approach of input sanitization for HTML in osClass’s getParam() function, the parameter
Contrarily, in line 410, the parameter country is sanitized sufficiently by using the osc_esc_js() function before printing. The problem with the first approach is that an attacker can break out of the quotes because they are not escaped by the getParam() function, as can be seen in the following code summaries.
osc_esc_js() escapes the single quotes in line 179 that can be used to break out of the given context for the
Since osClass allows a user by default to upload images via AJAX, an attacker can attach PHP code to the EXIF data in the form of an image description. It is important to note that the image must be a valid image, as it will be rotated internally by the application. An example of such a modified image, muschel.jpg, can be observed in a hex editor:
0x050, PHP code is placed into the EXIF data. This corrupts neither the image data nor its validity, allowing the execution of the code when muschel.jpg is included in PHP. By using the URL index.php?page=ajax&action=ajax_upload, an attacker can easily upload certain files, such as images, to the server, and the controller returns the name of the newly uploaded file in the response body. Note that the filename is not tainted and there is no possibility to upload PHP files directly. In the following code lines, the upload is found in line 179 and the image rotation in line 180.
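Added example, not osClass code and not part of the original post: a Python check that an upload pipeline or an incident responder could run over stored JPEG files to flag PHP open tags inside metadata segments (APPn, which carries EXIF, and COM), the place where text survives image rotation. The function names and the sample byte strings are constructed for this illustration.

```python
import struct

PHP_TAGS = (b"<?php", b"<?=")  # "<?=" is always enabled since PHP 5.4
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))  # markers with no length field

def jpeg_metadata_segments(data: bytes):
    """Yield (marker, payload) for every APPn/COM segment before the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos:#x}")
        marker = data[pos + 1]
        if marker == 0xFF:              # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("truncated or malformed segment")
        if 0xE0 <= marker <= 0xEF or marker == 0xFE:   # APP0..APP15, COM
            yield marker, data[pos + 4:pos + 2 + length]
        if marker == 0xDA:              # SOS: compressed image data follows
            return
        pos += 2 + length

def find_php_in_metadata(data: bytes):
    """Return [(marker, offset)] for metadata segments containing a PHP open tag."""
    hits = []
    for marker, payload in jpeg_metadata_segments(data):
        lowered = payload.lower()       # PHP accepts <?PHP in any case
        offsets = [lowered.find(t) for t in PHP_TAGS if t in lowered]
        if offsets:
            hits.append((marker, min(offsets)))
    return hits

def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample data (not the post's muschel.jpg): structurally JPEG-like byte strings.
_TAIL = _seg(0xDA, b"\x00" * 6) + b"\x12\x34" + b"\xff\xd9"
CLEAN = b"\xff\xd8" + _seg(0xE0, b"JFIF\x00\x01\x01") + _TAIL
TAINTED = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00\x01\x01")
           + _seg(0xE1, b"Exif\x00\x00desc=<?php /* inert marker */ ?>") + _TAIL)

if __name__ == "__main__":
    print(find_php_in_metadata(CLEAN), find_php_in_metadata(TAINTED))
```

A hit is a signal for quarantine and review, not a fix: the check covers only metadata segments, and the code runs only because the application later includes a file path it should never have accepted.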
The administration module of osClass contains a local file inclusion vulnerability. It is possible to include arbitrary files via the GET parameter plugin. The following code lines are affected.
Not only can arbitrary files be included when an administrator visits a malicious link, but the inclusion is also stored persistently in the database, as shown in the following code summary.
Creating the Chain
| Date | Event |
|---|---|
| 2016/11/20 | First contact with vendor |
| 2016/11/21 | Issues fixed in GitHub by vendor |
| 2016/12/13 | Vendor released fixed version |
RIPS presented a wide range of issues in osClass to the analyst in a short period of time, making it possible to quickly choose an escalation chain from these vulnerabilities. Without automated analysis, the detection and chain generation takes a large amount of time. We would like to thank the osClass Team for quickly fixing the reported issues!
Disclaimer: The information provided here is for educational purposes only. It is your responsibility to obey all applicable local, state and federal laws. RIPS Technologies GmbH assumes no liability and is not responsible for any misuse or damages caused by direct or indirect use of the information provided.