GLPI 9.2.1, Multiple Vulnerabilities – BackBox.org Membership

# Authors: Andrea Ferraris, Raffaele Forte
# Vendor Homepage: http://glpi-project.org
# Version: 9.2.1 and earlier

I. INTRODUCTION
GLPI is the Information Resource-Manager with an additional Administration-Interface. You can use it to build up a database with an inventory for your company (computer, software, printers…). It has enhanced functions to make the daily life for the administrators easier, like a job-tracking-system with mail-notification and methods to build a database with basic information about your network-topology.

II. DESCRIPTION
The web application suffers from multiple vulnerabilities.

1. Remote code execution (CVE-2018-7562)

The application allows an authenticated user to upload file when he/she creates new ticket. This feature is protected using different type of security features like the check on the file’s extension.

Auditing the source code we are able to identify one issue that allows the remote code execution: as we can see in the snippet below, the application uploads and creates a file, though this file is not allowed, and then deletes the file.

[...]
// Unlink file
$val->error = __('Filetype not allowed');
if (file_exists($upload_dir.$val->name)) {
    unlink($upload_dir.$val->name);
}
[...]

This snippet is from the latest version of GLPI (9.2.1) in the file “inc/glpiuploaderhandler.class.php” (method uploadFiles).

All the previous version are affected by the same vulnerability (though the source file is different).

Using this particular behaviour, an attacker is able to trigger a race condition between the “unlink” procedure and getting the file.

Below are the macro-phases of the attack:
1. Login to application and obtain a valid session ID
2. Create two parallels threads.
3. One thread should loop over upload method and try to upload, for example, a php file
4. The other thread should loop trying to retrieve the file, e.g. recalling, with GET method, “/files/_tmp/”
5. Check if the return status is 200 and, in that case, terminate the exploit.

Exploitability

The exploitability of this vulnerability encounters a pratical problem: indeed, even if we are able to retrieve the file BEFORE the unlink procedure, the application deletes the file in a very short time. So we would not be able to get a stable shell and a backdoor in the system.

In order to bypass this limitation we can create a PHP files that drops another PHP file (the real backdoor). This way, the second file should not be deleted by the application.

In the latest version of GLPI this vulnerability is mitigated by the fact that the filename is random-like.

[...]
$pname = $params['name'];
$rand_name = uniqid('', true);
foreach ($_FILES[$pname]['name'] as &$name) {
    $name = $rand_name . $name;
}
[...]

As we can see in the snippet above, the application attaches at the filename a “random prefix”. This way, the probability of retrieving the file without filename is pretty low.

In any case, we consider this behaviour as a vulnerability because:

Looping over the upload method allows to see the file really exists.
PHP manual says about uniqid function: “This function does not create random nor unpredictable strings. This function must not be used for security purposes. Use a cryptographically secure random function/generator and cryptographically secure hash functions to create unpredictable secure IDs.”

With these two considerations we suggest to fix this vulnerability in the latest version too.

Moreover, we are able to create a PoC also on the latest version without the “more entropy” flag.

From 9.1 version and below, this vulnerability can be easily exploited because the filename is well known (set by the attacker).

We have created an exploit that allows to spawn a shell for the previous versions:

https://github.com/bowline90/RemoteCodeUploadGLPI

2. Cross Site Scripting (CVE-2018-7562)

The application is affected by XSS Vulnerability. An attacker is able to create a malicious URL that if it will be opened by an authenticated user with debug privilege, then the client will execute JavaScript code supplied by the attacker.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim’s session token or login credentials, performing arbitrary actions on the victim’s behalf, and logging their keystrokes.

PoC:

<URL>/front/preference.php?test%3d%22%3e%3Cscript%3Ealert(1)%3C/script%3E

IV. BUSINESS IMPACT
These flaws may compromise the integrity of the system and/or expose sensitive information. A skilled attacker is able to obtain a shell on the remote server.

V. SYSTEMS AFFECTED
GLPI v9.2.1 is vulnerable and all previous versions.

VI. VULNERABILITY HISTORY
February 19th, 2018: Vulnerability identification
February 28th, 2018: Vendor notification
February 28th 2018: CVE-ID reserved
March 1st, 2018: XSS fix (https://github.com/glpi-project/glpi/pull/3647)

VII. LEGAL NOTICES
The information contained within this advisory is supplied “as-is” with no warranties or guarantees of fitness of use or otherwise. We accept no responsibility for any damage caused by the use or misuse of this information.