osClass 3.6.1: Remote Code Execution via Image File

by robin peraglie|

osclass-remote-code-execution-via-image-file

In this blog post, we examine three vulnerabilities that we detected in the open source marketplace software osClass 3.6.1:

  1. Cross-Site Scripting 
  2. File Write
  3. File Inclusion

By chaining these three vulnerabilities, the exploitation of the cross-site scripting issue leads to remote code execution on a targeted web server.

Cross-Site Scripting

The cross-site scripting vulnerability can be triggered by an authenticated administrator visiting a malicious link. Due to the generalized approach of input sanitization for HTML in osClass’s getParam() function, the parameter country_code is insufficiently secured for a JavaScript context in line 409.

oc-admin/themes/modern/settings/locations.php

408    <script type="text/javascript">
409        show_region('<?php echo Params::getParam('country_code'); ?>',
410        '<?php echo osc_esc_js(Params::getParam('country')); ?>');

Contrarily, in line 410, the parameter country is sanitized sufficiently by using the osc_esc_js() function before printing. The problem with the first approach is that an attacker can break out of the quotes because they are not escaped by the getParam() function, as can be seen in the following code summaries.

oc-includes/osclass/core/Params.php

35    static function getParam($param, $htmlencode = false, $xss_check = true, $quotes_encode = true) {
36        $value = self::_purify(self::$_request[$param], $xss_check);
37        ⋮
38    static private function _purify($value, $xss_check) {
39        ⋮
40        self::$_config = HTMLPurifier_Config::createDefault();
41        self::$_config->set('HTML.Allowed', '');
42        ⋮
43        $value = self::$_purifier->purify($value);
44        ⋮
45        return $value;

oc-includes/osclass/helpers/hSanitize.php

175    function osc_esc_js($str) {
176        ⋮
177        $str = strip_tags($str, $sNewLines);
178        $str = str_replace("\r", '', $str);
179        $str = addslashes($str);
180        $str = str_replace("\n", '\n', $str);
181        $str = str_replace($aNewLines, '\n', $str);
182        return $str;

Only osc_esc_js() escapes the single quotes in line 179 that can be used to break out of the given context for the country_code parameter.

File Write

Since osClass allows a user by default to upload images via AJAX, an attacker can attach PHP code to the EXIF data in form of an image description. It is important to note that the image must be a valid image, as it will be rotated internally by the application. An example for such a modified image muschel.jpg can be observed in a hexeditor:

1  0000000: ffd8 ffe0 0010 4a46 4946 0001 0101 0060  ......JFIF.....`
2  0000010: 0060 0000 ffe1 00a8 4578 6966 0000 4949  .`......Exif..II
3  0000020: 2a00 0800 0000 0300 0e01 0200 6e00 0000  *...........n...
4  0000030: 3200 0000 2801 0300 0100 0000 0200 0000  2...(...........
5  0000040: 1302 0300 0100 0000 0100 0000 0000 0000  ................
6  0000050: 3c3f 7068 7020 6563 686f 2073 6865 6c6c  <?php echo shell
7  0000060: 5f65 7865 6328 2770 7764 3b6c 7320 2d6c  _exec('pwd;ls -l
8  0000070: 6127 293b 203f 3e48 494a 4b4c 4d4e 4f50  a'); ?>HIJKLMNOP
9  0000080: 5152 5354 5556 5758 595a 3241 4243 4445  QRSTUVWXYZ2ABCDE
10 0000090: 4647 4d4e 4f50 5152 5354 5556 5758 595a  FGMNOPQRSTUVWXYZ
11 00000a0: 3341 4243 4445 4647 4849 4a4b 4c4d 4e4f  3ABCDEFGHIJKLMNO
12 00000b0: 5051 5253 5455 5657 5859 5a31 3400 ffdb  PQRSTUVWXYZ14...
13 00000c0: 0043 0001 0101 0101 0101 0101 0101 0101  .C..............
14 00000d0: 0101 0101 0101 0101 0101 0101 0101 0101  ................
15 00000e0: 0101 0101 0101 0101 0101 0101 0101 0101  ................
16 00000f0: 0101 0101 0101 0101 0101 0101 0101 0101  ................
17 0000100: 0101 01ff db00 4301 0101 0101 0101 0101  ......C.........
18 0000110: 0101 0101 0101 0101 0101 0101 0101 0101  ................
19 0000120: 0101 0101 0101 0101 0101 0101 0101 0101  ................
20 0000130: 0101 0101 0101 0101 0101 0101 0101 0101  ................
21 0000140: 0101 0101 0101 0101 ffc0 0011 0800 0100  ................
22 0000150: 0103 0122 0002 1101 0311 01ff c400 1500  ..."............
23 0000160: 0101 0000 0000 0000 0000 0000 0000 0000  ................
24 0000170: 000a ffc4 0014 1001 0000 0000 0000 0000  ................
25 0000180: 0000 0000 0000 0000 ffc4 0014 0101 0000  ................
26 0000190: 0000 0000 0000 0000 0000 0000 0000 ffc4  ................
27 00001a0: 0014 1101 0000 0000 0000 0000 0000 0000  ................
28 00001b0: 0000 0000 ffda 000c 0301 0002 1103 1100  ................
29 00001c0: 3f00 bf80 01ff d9                        ?......

At address 0x050, PHP code is placed into the EXIF data. This will neither corrupt the image data nor its validaty, allowing the execution of the code when muschel.jpg is included in PHP. By using the url index.php?page=ajax&action=ajax_upload, an attacker can easily upload certain files, such as images, to the server and the controller returns the name of the newly uploaded file in the response body. Note that the filename is not tainted and there is no possibility to upload PHP files directly. In the following code lines, the upload is found in line 179 and the image rotation in line 180.

oc-includes/osclass/controller/ajax.php

175    case 'ajaxupload':
176        ⋮
177        $original = pathinfo($uploader->getOriginalName());
178        $filename = uniqid("qqfile").".".$original['extension'];
179        $result = $uploader->handleUpload(osc_content_path().'uploads/temp/'.$filename);
180        $img = ImageResizer::fromFile(osc_content_path().'uploads/temp/'.$filename)->autoRotate();
181        $img->saveToFile(osccontentpath().'uploads/temp/auto'.$filename, $original['extension']);
182        $result['uploadName'] = 'auto'.$filename;
183        echo htmlspecialchars(json_encode($result), ENT_NOQUOTES);
184        break;

File Inclusion

The administration module of osClass contains a local file inclusion vulnerability. It is possible to include arbitrary files via the GET parameter plugin. The following code lines are affected.

oc-admin/plugins.php

33    switch ($this->action) {
34        ⋮
35        case 'error_plugin':
36            ⋮
37            include( osc_plugins_path() . Params::getParam('plugin') );
38            Plugins::install(Params::getParam('plugin'));

Not only that arbitrary files can be included when an administrator visits a malicious link, but also this will install the inclusion persistently in the database, as shown in the following code summary.

oc-includes/osclass/classes/Plugins.php

207    static function install($path) {
208        $data['s_value'] = osc_installed_plugins();
209        $plugins_list    = unserialize($data['s_value']);
210        ⋮
211        $plugins_list[]  = $path;
212        osc_set_preference('installed_plugins', serialize($plugins_list));

Creating the Chain

By using the cross-site scripting vulnerability as an actuator, it is possible to prepare a link with a JavaScript payload that in the end automatically executes arbitrary PHP code on the targeted osClass web server. When an authenticated administrator opens the prepared link, the attached JavaScript code is reflected and executed in his browser, rides the administrator session to upload a malicious image with ajax, and then includes this image into PHP via the file inclusion vulnerability.

Timeline

Date What
2016/11/20 First contact with vendor
2016/11/21 Issues fixed in GitHub by vendor
2016/12/13 Vendor released fixed version

Summary

We detected a wide range of issues in osClass, allowing to choose an escalation chain from these vulnerabilities. Without automated analysis, the detection and chain generation takes a large amount of time. We would like to thank the osClass Team for quickly fixing the reported issues!

Related Posts