View Issue Details

ID: 0023173
Project: mantisbt
Category: installation
View Status: public
Last Update: 2017-08-04 19:35
Reporter: iamsecurity
Assigned To: (none)
Priority: normal
Severity: crash
Reproducibility: always
Status: confirmed
Resolution: open
Summary: 0023173: CVE-2017-12419: Arbitrary File Read inside install.php script
Description

After successful installation of the bug tracker, it doesn't remove the install.php script; because of that, an attacker can read any file on the remote system through some installation process steps.
The problem is complex and exists inside the MySQL server and the PHP-to-MySQL drivers. You can read full details about it in my blog article — http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/

Steps To Reproduce

For successful exploitation, you need to run a special rogue MySQL server and connect to it from the server where you want to read files. Unfortunately, Mantis allows that.
You can find the server at my repository — https://github.com/allyshka/Rogue-MySql-Server/blob/master/roguemysql.php

An attacker can go to any step of the installation process.
Look at this part of the code:

/admin/install.php:

86: # install_state
87: #   0 = no checks done
88: #   1 = server ok, get database information
89: #   2 = check the database information
90: #   3 = install the database
...
95: $t_install_state = gpc_get_int( 'install', 0 );

If you browse to the URL https://mantisbt/admin/install.php?install=3 then you go to the "install the database" section, where you can find this part of the code.

/admin/install.php:

745: # all checks have passed, install the database
746: if( 3 == $t_install_state ) {
...
765:    <?php
766:        $t_result = @$g_db->Connect( $f_hostname, $f_admin_username, $f_admin_password, $f_database_name );
767: 
768:        $t_db_open = false;

The script tries to connect to the MySQL server, but you can control the $f_hostname variable through the HTTP request parameter hostname.

/admin/install.php:

200:    $f_hostname           = gpc_get( 'hostname', config_get( 'hostname', 'localhost' ) );

https://mantis/admin/install.php?install=3&hostname=127.0.0.1
For testing purposes, I'm trying to read /etc/passwd:

Additional Information

This issue potentially affects ALL MantisBT versions running on MySQL / MariaDB, unless they have disabled local_infile

Tags: No tags attached.
Attached Files: etc-passwd-read.jpg (204,126 bytes)

Relationships

related to 0023179 (closed, dregad): Login page no longer warns about 'admin' directory being present
parent of 0023185 (closed, dregad): Improve doc and notifications when admin dir is present (CVE-2017-12419)

Activities

dregad (developer) 2017-08-01 06:30 ~0057370
Last edited: 2017-08-01 06:30

Thanks for your report.

As per the documentation, after installation the administrator is expected to delete the admin/ directory:

2. Delete the admin folder
For security reasons, the scripts within this directory should not be accessible on a 
live MantisBT site or on any installation that is accessible via the Internet.
Once you have confirmed that the install/upgrade was successful, you should delete this directory 

It would also be the admin's responsibility to prevent local file lookup in their MySQL setup (see MySQL documentation)

I'm not sure if or how we can actually prevent such attack from MantisBT code though. If you have any ideas please let me know.

dregad (developer) 2017-08-03 18:40 ~0057385

I can confirm the exploit, which I just tested on my dev box.

Problem is, short of rewriting the whole installer to not rely on GPC parameters to control its state (which is not something I have the bandwidth for right now), I don't know how we could fix it.

As a stopgap measure, I'll improve the documentation, system checks and warnings to better advise administrators of the vulnerability and potential risk.

dregad (developer) 2017-08-03 19:27 ~0057386

@iamsecurity, after a bit of research, I found that by setting mysqli.allow_local_infile = 0 in php.ini, the rogue server is no longer able to retrieve local files. Can you please confirm?

dregad (developer) 2017-08-04 03:30 ~0057388

MITRE assigned CVE-2017-12419 to this issue [scr370826]

iamsecurity (reporter) 2017-08-04 04:32 ~0057390

@dregad I checked your fix and it's working for the mysqli driver. Thanks for the research. The PDO drivers have LOAD LOCAL disabled by default.

The documentation has good security recommendations about deleting the admin folder, but in my practice I find many Mantis installations with the admin folder still present.
I'm thinking about some install.lock file: if it exists, then the install.php script will not work.

dregad (developer) 2017-08-04 05:38 ~0057391

Thanks for your feedback.

in my practice, I find many Mantis installations with admin folder exists

That's true unfortunately; but we can only do so much and system administrators also need to take their responsibilities at some point.

It's worth mentioning that a warning about the existence of the admin directory used to be shown on the login page in older versions of Mantis, but it was removed, probably by mistake, in 1.3.0 (see 0023179); this will be fixed in the next release, and should encourage administrators to do something about it.

I think about some install.lock file and if exists then install.php script will not work.

That's an interesting approach. Problem is that we may not have write access to the file system, in which case the file would have to be created by the admin so back to square one.
Anyway, I'll keep that in mind and discuss the idea with the other devs; we'll see how we could implement it.
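The two stopgap ideas raised in this thread, dregad's check that mysqli.allow_local_infile is switched off (~0057386) and the install.lock marker suggested in ~0057390 and discussed in ~0057391, written out as one added PHP example. This is illustration code, not MantisBT's own admin check or installer: the function names, the INSTALL_LOCK_FILE location, the status strings and the messages are assumptions. The gate is meant to run at the top of install.php, before the installer reads its state from the request (the gpc_get_int( 'install', 0 ) line quoted in the report), and the lock writer handles the read-only web root case dregad points out by telling the administrator what to do by hand.

```php
<?php
// Added example (not MantisBT code): two defensive gates an installer could
// run before it accepts an "install" state from the request. Function names,
// the lock file location and the messages are assumptions for illustration.

// Assumed location of the marker written after a successful install.
define( 'INSTALL_LOCK_FILE', __DIR__ . '/install.lock' );

/**
 * Reports whether the mysqli driver will honour a server's request for
 * LOAD DATA LOCAL INFILE. A client connected to a rogue MySQL server can be
 * asked to upload any file it can read, so the installer should not connect
 * to a user-supplied hostname while this is enabled.
 *
 * Returns 'disabled', 'enabled' or 'unknown' (directive not present, e.g.
 * the mysqli extension is not loaded and another driver such as PDO is used).
 */
function local_infile_status(): string {
    $t_value = ini_get( 'mysqli.allow_local_infile' );
    if( $t_value === false ) {
        return 'unknown';
    }
    // ini_get() returns "1" for on and "" or "0" for off; FILTER_VALIDATE_BOOLEAN
    // also accepts the textual forms ("on", "off", ...) set via ini_set().
    return filter_var( $t_value, FILTER_VALIDATE_BOOLEAN ) ? 'enabled' : 'disabled';
}

/** True once a completed installation has left its marker behind. */
function installer_is_locked( string $p_lock_file = INSTALL_LOCK_FILE ): bool {
    return is_file( $p_lock_file );
}

/**
 * Writes the marker after a successful install. Returns false when the web
 * root is not writable, the limitation raised in the discussion above: the
 * administrator then has to create the file, or delete admin/, by hand.
 */
function write_install_lock( string $p_lock_file = INSTALL_LOCK_FILE ): bool {
    $t_content = 'Installation completed ' . gmdate( 'c' ) . "\n";
    return @file_put_contents( $p_lock_file, $t_content, LOCK_EX ) !== false;
}

/**
 * Gate to run at the top of install.php, before any state parameter is read.
 * Blocks a re-run of a finished installation and refuses to connect to a
 * user-supplied database host while LOAD DATA LOCAL is known to be enabled.
 */
function installer_gate(): void {
    if( installer_is_locked() ) {
        http_response_code( 403 );
        exit( 'Installation already completed. Remove ' . basename( INSTALL_LOCK_FILE )
            . ' (or, better, the whole admin/ directory) to run the installer again.' );
    }

    $t_status = local_infile_status();
    if( $t_status === 'enabled' ) {
        http_response_code( 503 );
        exit( 'Refusing to run the installer: mysqli.allow_local_infile is enabled. '
            . 'Set "mysqli.allow_local_infile = 0" in php.ini and retry.' );
    }
    if( $t_status === 'unknown' ) {
        // No mysqli directive to check; the PDO drivers ship with LOAD LOCAL off,
        // so continue but leave a trace for the administrator.
        echo "Notice: could not verify mysqli.allow_local_infile (mysqli not loaded).\n";
    }
}

/** Call once the database has been installed; returns the notice to display. */
function finish_install(): string {
    if( write_install_lock() ) {
        return 'Installation complete; install.lock written. Delete the admin/ directory now.';
    }
    return 'Installation complete, but install.lock could not be written (read-only web root). '
        . 'Create it by hand or delete the admin/ directory now.';
}

installer_gate();
// ... the installer's own code follows, e.g. $t_install_state = gpc_get_int( 'install', 0 );
```

The lock check runs before the local_infile check on purpose: a finished installation should be refused outright, regardless of the database driver configuration, and only a genuinely fresh install gets as far as inspecting php.ini.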

dregad (developer) 2017-08-04 18:57 ~0057394

I just pushed several commits to improve the documentation and notifications to administrators about the presence of the admin directory, which hopefully increase awareness about the issue and thus lower the risk of people being vulnerable without knowing it.

I will leave this issue open, since it is not fixed from a Mantis perspective (we rely on user action to protect themselves).

Related Changesets

MantisBT: master-2.5 d6d7dc2d (2017-08-03 12:54, dregad)

Restore "admin dir" warning on login page

Commit 9da643a6f6c1b7604598968baa3cd2f6fd4540ff modified the admin
checks on login page to remove the logic checking for pre 1.0 upgrade
steps.

However, it also (probably unintentionally) removed the check for admin
directory presence, so administrators are no longer reminded that they
should delete this directory, potentially leaving them exposed to
security breaches.

This commit restores the warning, and improves the error message.

Fixes 0023179
Stopgap measure for issue 0023173
Affected Issues: 0023173, 0023179, 0023185
mod - lang/strings_english.txt
mod - login_page.php

MantisBT: master-1.3.x 21a15b88 (2017-08-03 12:54, dregad)

Restore "admin dir" warning on login page

Commit 9da643a6f6c1b7604598968baa3cd2f6fd4540ff modified the admin
checks on login page to remove the logic checking for pre 1.0 upgrade
steps.

However, it also (probably unintentionally) removed the check for admin
directory presence, so administrators are no longer reminded that they
should delete this directory, potentially leaving them exposed to
security breaches.

This commit restores the warning, and improves the error message.

Fixes 0023179
Stopgap measure for issue 0023173

Backported from master-2.5 branch d6d7dc2dc7473637c8ac17a78c0374f16981f409
Affected Issues: 0023173, 0023179, 0023186
mod - lang/strings_english.txt
mod - login_page.php

MantisBT: master-2.5 3a7c6f75 (2017-08-03 15:39, dregad)

Improve admin information about CVE-2017-12419

- Add admin check for mysqli.allow_local_infile
- Add reminder to remove admin dir at end of Admin checks
- Improve post-install tasks section of Admin Guide: add explicit
warning about potential consequences of not deleting the admin
directory, more descriptive wording.

Stopgap measures for issue 0023173
Affected Issues: 0023173, 0023185
mod - admin/check/check_database_inc.php
mod - admin/check/index.php
mod - docbook/Admin_Guide/en-US/Installation.xml

MantisBT: master-1.3.x 10211c90 (2017-08-04 13:45, dregad)

Improve admin information about CVE-2017-12419

- Add admin check for mysqli.allow_local_infile
- Add reminder to remove admin dir at end of Admin checks
- Improve post-install tasks section of Admin Guide: add explicit
warning about potential consequences of not deleting the admin
directory, more descriptive wording.

Stopgap measures for issue 0023173

Backported from master-2.5 branch 3a7c6f75bf3c4bc0856ebffe388df9e46ac10e5d

Conflicts:
admin/check/index.php
Affected Issues: 0023173, 0023186
mod - admin/check/check_database_inc.php
mod - admin/check/index.php
mod - docbook/Admin_Guide/en-US/Installation.xml