Remote Code Execution

Severity: High
Bug ID: 670
Researcher: zoczus
Status: Disclosed
Submitted: 05/06/2015

Description:

Remote Code Execution in file uploads

Affected URL:

https://crowdshield.com

Affected Params:

N/A

Bug Evidence:

Hi,

I've just found an RCE bug in your server.

https://crowdshield.com/uploads/rce.php.jpg - this one executes normally, as php. :-) 

Code:
<?php
system("uname -a");
phpinfo();
?>
Bug Recommendation:

Not sure what your /etc/mime.types looks like, but if there's no jpg extension, Apache can probably behave just like this. Waiting for some feedback and bounty. :) Have a nice day! Jakub Zoczek
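As an added example (not CrowdShield's code), here is a PHP upload-name check along the lines of the fix described in the chat below: it rejects names that carry more than one extension, accepts only an allowlisted image extension, and chooses the stored filename itself. The allowlist, the random-name scheme and the sample names are assumptions.

```php
<?php
// Added example, not the site's own upload code. Assumed: the application
// picks the on-disk name itself and uses the client name only for its extension.

const ALLOWED_IMAGE_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];

/**
 * Returns the single, lowercased extension of $clientName if the name is
 * acceptable, or null if the upload must be rejected.
 */
function safeUploadExtension(string $clientName): ?string
{
    // Drop any directory part the client may have supplied.
    $base = basename(str_replace('\\', '/', $clientName));

    // Reject control characters and NUL, which can truncate the name later.
    if (preg_match('/[\x00-\x1f\x7f]/', $base)) {
        return null;
    }

    // "rce.php.jpg" -> ['rce', 'php', 'jpg']: more than one extension, rejected.
    // Exactly one non-empty stem plus one non-empty extension is allowed.
    $parts = explode('.', $base);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return null;
    }

    $ext = strtolower($parts[1]);
    return in_array($ext, ALLOWED_IMAGE_EXTENSIONS, true) ? $ext : null;
}

/**
 * Builds the stored name from a random token rather than client input, so
 * the web server's handler mapping only ever sees the allowlisted extension.
 */
function storedUploadName(string $clientName): ?string
{
    $ext = safeUploadExtension($clientName);
    if ($ext === null) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names showing the decision for each case.
foreach (['photo.jpg', 'rce.php.jpg', 'hithere.php.jpg', 'shot.PNG', '.htaccess', 'noext'] as $name) {
    printf("%-18s => %s\n", $name, storedUploadName($name) ?? 'rejected');
}
```

The filename check does not change how the server maps names to handlers: with Apache's AddHandler, any .php segment of a multi-extension name selects PHP, which is the behaviour the WordPress ticket linked in the chat describes. The handler mapping should therefore also be restricted to names whose final extension is .php (a FilesMatch pattern anchored at the end of the name with SetHandler).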

Direct Chat

zoczus 05/06/2015
submitted a Remote Code Execution bug to CrowdShield
CrowdShield 05/06/2015
Thanks for letting us know... looking at this ASAP!
zoczus 05/06/2015
Thanks a lot! I played a bit with rce2.php.jpg just for checking the /etc/mime.types, enabled Apache mods and this stuff (all was sent by GET requests so you can check the commands executed by me in the access log), didn't try to disclose source code, passwords, and so on - nothing evil happened from my side. ;-) Waiting for an update, have a nice day!
CrowdShield 05/06/2015
hmm. /etc/mime.types reports: image/jpeg jpeg jpg jpe so it appears there is a mime type set... not sure why this is working. Acknowledging the bug now though. Thanks for the heads up. Also refrain from running any further commands until we fix this, please.
CrowdShield 05/06/2015
awarded 50 points to zoczus for a Remote Code Execution bug
zoczus 05/06/2015
Sure, I won't execute anything. I saw that /etc/mime.types is ok, it also doesn't work on my Kali instance... maybe some strange .htaccess or mods enabled?
CrowdShield 05/06/2015
Found this... looks like this may be the issue... https://core.trac.wordpress.org/ticket/11122
zoczus 05/06/2015
Yup, but still no idea why this occurs ;-) I'll do my best to investigate this
CrowdShield 05/06/2015
Actually, I implemented a workaround/fix in the upload form itself. Can you please re-check to see if this is fixed now?
zoczus 05/06/2015
Still vulnerable - fresh php file uploaded: http://crowdshield.com/uploads/hithere.php.jpg
CrowdShield 05/06/2015
Okay, looks like the core issue still exists that double extensions are being handled by PHP... :/
zoczus 05/06/2015
Maybe you should check what your mod_php config looks like? Maybe there are some strange php extensions available (some regexp based or I don't know :P)
CrowdShield 05/06/2015
Okay, I think I have a fix now. The file upload form will now check for double extensions and prevent uploads if there is more than one extension in the filename.
zoczus 05/06/2015
"Normal" double extension won't work, you're right. But I'll try to work on bypass later. BTW - any bounty for this one? Kinda critical ;)
CrowdShield 05/06/2015
Thanks for confirming... I wish we could pay you something for your contribution and I agree on the severity, but it's not feasible at this time for us to offer any paid bounties and it's not part of our terms and agreement. However, our plan, as we grow, is to get to a point where we can sustain a "paid" bounty model while supporting the site costs and other overhead costs. Until then, we do our best to acknowledge researchers, help build their reputation online and offer points on our leaderboard. Hope you understand.
CrowdShield 05/06/2015
fixed a Remote Code Execution bug submitted by zoczus
zoczus 05/06/2015
Of course I get it, no problem. :) Thanks!
CrowdShield 06/24/2015
disclosed a Remote Code Execution bug submitted by zoczus