March 4, 2019
by Federico Fernandez
Often times it’s hard looking for exploits linked to certain CVE’s, they’re near impossible to find, and they usually don’t have a PoC about the vulnerability.
Recently, a Command Injection vulnerability was reported in elFinder, which affects most versions up to 2.1.47. The vulnerability is identified as CVE-2019-9194. It was reported by Thomas Chauchefoin and affects the PHP Connector component.
For this vulnerability reported days ago, I did not find any type of post showing a PoC, so I set out to perform the task of doing it myself. Once more and to be clear: the vulnerability was found and reported by Thomas Chauchefoin, I only took charge of understanding it and creating an exploit for its respective exploitation.
Here, I will show how to perform the process to find the vulnerability and exploit it, for the creation of a functional exploit.
I found that the project has nothing less than 3.180 stars on Github at the moment, that makes it quite popular in my opinion.
And as you can see, through a simple Google Dork you can list a large number of sites that have an installation of elFinder, most of the versions found are vulnerable.
When entering the Github of elFinder, in the readme, I could see in capital letters a message that warned the user about the danger of using versions previous or equal to 2.1.47. As you can see in the releases, the vulnerability was patched quickly in its new version 2.1.48 (Good work of the developers).
Then I went directly to the commits of the repository to see what the changes had been, so I had an idea of where the vulnerability was.
In the commit, it is clearly seen that several modifications were made to the code inside the PHP script elFinderVolumeDriver.class.php, but only one of the changes strongly attracted my attention.
In the previous image, you can see that within the function imgRotate() the variable $path was modified by $quotedPath, which can be seen a bit higher than it is correctly sanitized by using the function escapeshellarg(). So I went directly to the script FinderVolumeDriver.class.php, to look more closely at the code.
The function imgRotate() is responsible for rotating a JPEG image given by the user, for this purpose uses 2 binaries that are installed in the system.
Both are console clients whose function is to transform JPEG images. You can see inside the function imgRotate() the existence of two IF.
The first IF verifies if the binary exiftran is installed in the system, otherwise, it will call the jpegtran binary (if it is installed). The vulnerability requires the existence of the first binary (exiftran) since the variable $path is not properly sanitized and it is necessary to enter in said conditional to exploit the Command Injection correctly.
Now that I knew where and how the vulnerability occurred, it was time to exploit it. To do this, I uploaded a JPEG image with the following name.
test.jpeg;touch $(echo -n 2e2e2f66696c65732f70776e6564|xxd -p -r);echo rce.jpeg
The previous payload is responsible for creating a file named pwned, in the files directory. An encoding of the string “../files/pwned” was done in hexadecimal, since there were problems with the / (slash) in the file name where anything following a slash character was cut off.
Once the image was uploaded, I started to rotate the image so that the Command Injection would occur.
At the time of performing the rotation, the malicious command was injected into the $path variable as follows.
exiftran -i -9 test.jpeg;touch $(echo -n 2e2e2f66696c65732f70776e6564|xxd -p -r);echo rce.jpeg
By reloading the page you can see that the pwned file was created correctly.
To automate the exploitation of the vulnerability, create an exploit written in python that is responsible for creating a simple WebShell in PHP to execute commands on the remote host in a more comfortable way.
Below you can see in a short video how the exploit works. The complete URL where the elFinder is installed must be passed as the first argument.