osClass 3.6.1: Remote Code Execution via Image File
3 min read
In this blog post, we examine three vulnerabilities that we detected in the open source marketplace software osClass 3.6.1:
By chaining these three vulnerabilities, the exploitation of the cross-site scripting issue leads to remote code execution on a targeted web server.
Contrarily, in line 410, the parameter country is sanitized sufficiently by using the osc_esc_js() function before printing. The problem with the first approach is that an attacker can break out of the quotes because they are not escaped by the getParam() function, as can be seen in the following code summaries.
Only osc_esc_js() escapes the single quotes in line 179 that can be used to break out of the given context for the country_code parameter.
Since osClass allows a user by default to upload images via AJAX, an attacker can attach PHP code to the EXIF data in form of an image description. It is important to note that the image must be a valid image, as it will be rotated internally by the application. An example for such a modified image muschel.jpg can be observed in a hexeditor:
At address 0x050, PHP code is placed into the EXIF data. This will neither corrupt the image data nor its validaty, allowing the execution of the code when muschel.jpg is included in PHP. By using the url index.php?page=ajax&action=ajax_upload, an attacker can easily upload certain files, such as images, to the server and the controller returns the name of the newly uploaded file in the response body. Note that the filename is not tainted and there is no possibility to upload PHP files directly. In the following code lines, the upload is found in line 179 and the image rotation in line 180.
The administration module of osClass contains a local file inclusion vulnerability. It is possible to include arbitrary files via the GET parameter plugin. The following code lines are affected.
Not only that arbitrary files can be included when an administrator visits a malicious link, but also this will install the inclusion persistently in the database, as shown in the following code summary.
Creating the Chain
First contact with vendor
Issues fixed in GitHub by vendor
Vendor released fixed version
We detected a wide range of issues in osClass, allowing to choose an escalation chain from these vulnerabilities. Without automated analysis, the detection and chain generation takes a large amount of time. We would like to thank the osClass Team for quickly fixing the reported issues!