View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0026091 | mantisbt | security | public | 2019-08-28 04:56 | 2019-09-27 02:35 |
Reporter | permanull | Assigned To | atrol |
Priority | high | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed |
Product Version | 2.22.0 |
Target Version | 2.22.1 | Fixed in Version | 2.22.1 |
Summary | 0026091: CVE-2019-15715: [Admin Required - Post Authentication] Command Execution / Injection Vulnerability |
Description | The current code allows an attacker with administrative access to MantisBT to set up configuration options in a way that allows for command injection/command execution against the server. I ended up discovering this while playing a 'penetration testing' challenge that uses an older version of Mantis. There are two different points where this is possible. One is the dot_tool config option, which gets ingested here; the other is the neato_tool configuration option, which is ingested here. Eventually these configuration options get used inside of the "output" function of the graph class here. They are appended to $t_command, which is later passed into $t_process = proc_open( $t_command, $t_descriptors, $t_pipes ); Because it's possible for an attacker to control both the config options dot_tool and neato_tool, they can easily inject a crafted command such as "echo '<?php phpinfo(); ?>';" where ";" is being used to offset the addition of "-T" and the $p_format variable being performed by the code, avoiding it within the intended command to be executed. I've submitted a request for a CVE for this but have not provided details of exploitation to MITRE yet. |
Steps To Reproduce | Log in to mantisbt as an administrator. Type "relationship_graph_enable" into Configuration Option with a value of 1 to enable the graphs. Scroll back down to "Create Configuration Option". Visit: http://mantisbt/workflow_graph_img.php List files in /tmp and find that "vulnerable" has been created, proving the command injection worked. |
Tags | No tags attached. |
Attached Files |
Attached a patch that prevents options 26091-command-execution.patch (964 bytes)
From 52018acd62058d40bcec0b0d1f5f3ee32c856ad2 Mon Sep 17 00:00:00 2001 From: Roland Becker <roland@atrol.de> Date: Wed, 28 Aug 2019 11:39:42 +0200 Subject: [PATCH] Prevent arbitrary command execution of Mantis Administrators Fixes #26091 --- config_defaults_inc.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config_defaults_inc.php b/config_defaults_inc.php index 6dc188dd6..516cd520e 100644 --- a/config_defaults_inc.php +++ b/config_defaults_inc.php @@ -4361,7 +4361,7 @@ $g_global_settings = array( 'ldap_simulation_file_path', 'plugin_path', 'bottom_include_page', 'top_include_page', 'default_home_page', 'logout_redirect_page', 'manual_url', 'logo_url', 'wiki_engine_url', 'cdn_enabled', 'public_config_names', 'email_login_enabled', 'email_ensure_unique', - 'impersonate_user_threshold', 'email_retry_in_days' + 'impersonate_user_threshold', 'email_retry_in_days', 'neato_tool', 'dot_tool' ); /** -- 2.21.0.windows.1 |
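Review bot: the hunk removes 'dot_tool' and 'neato_tool' from the set an administrator can edit on the Manage Configuration page, but the string handed to proc_open() in core/graphviz_api.php is left unchanged, so whatever value the two options hold still reaches the shell unescaped; wrap the tool path in escapeshellcmd() (or escapeshellarg()) where $t_command is assembled, as the later commit 5fb97960 on this issue does, so that a value set in config_inc.php cannot split the command either. Since the options are now in $g_global_settings, their docblocks in config_defaults_inc.php should also state that they can only be set in config_inc.php; the commit message says so, the diff does not.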
|
@permanull can you confirm that the attached patch fixes the issue? |
|
Please let us know the CVE number when you have it. |
|
@atrol That should work. If someone had access to modify the configuration it would obviously still be possible, but at that point I guess execution/access is assumed. @dregad Here's the CVE ID: CVE-2019-15715 |
|
@atrol It may also be worth implementing escapeshellcmd (https://www.php.net/manual/en/function.escapeshellcmd.php) on the two variables prior to proc_open being executed, for a more complete fix, as there's no instance where I see the user having to put arguments along with the binary path. |
|
This should also be taken into account when using escapeshellcmd or escapeshellarg. My understanding, however, is that it wouldn't impact the code in Mantis unless proc_open performs some form of escaping which cancels out the original attempt at doing so. They do provide an alternative escape function, though I've personally never been able to bypass the functionality of the original. Something to keep in mind, considering another escape is used here, which I had also looked into but didn't find a way to abuse for the CTF/pentesting challenge I was playing. |
|
Don't know if you guys were able to see my previous notes, I'd marked them private. |
|
We can see your private notes, but you would not be able to see our private notes. I think your notes describe another problem and should be discussed in a separate private issue without using private notes. @dregad do you agree? |
|
Looking at the problem described by those notes, the json_url function seems unreachable and is called as a last resort, so exploitation of it is very unlikely even if character encoding etc. was off. So from the outside looking in I'd say that patching in that way for that specific function is a waste of time, but I would still suggest adding an escapeshellcmd to the proc_open where the graph system is vulnerable, even though you can trust the user input now that the configuration in the panel has it blacklisted. |
|
@permanull apologies for the delay in taking care of this, I got sidetracked and then forgot about it. As you have already confirmed that @atrol's patch addresses the problem, I'll commit that. Additionally, as an extra safety I'll add an escapeshellcmd() call in graphviz_api.php, where the neato & dot tools are being used, even though at this point we could consider these configs' values to be trusted since they can only be set by someone already having access to the server's filesystem. With regards to the use of escapeshellarg() in the url_get() function, this helper API is currently not used in MantisBT core; to my knowledge, only the Source Integration plugin is relying on it. As you correctly point out, shell_exec() is only a last resort. At some point I think we should make the curl extension mandatory and get rid of that call. For now, I don't think it's worth taking any action here. |
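The command construction described in the report, alongside the two remedies discussed in this thread, as an added example that is not MantisBT code and not from any participant here. It assumes the real code builds the command as tool path plus ' -T' plus format and hands the string to proc_open(); the function names (build_command_*, run_command), the format whitelist and the constructed payload are illustrative. It shows that escapeshellcmd() stops a ';' in the configured path from starting a second command but does not change which program the shell runs, which is why taking the options out of the admin-editable set is the fix and escaping is the safety net.

```php
<?php
// Added example, not MantisBT code. It models the pattern behind CVE-2019-15715:
// a tool path read from configuration is concatenated into a shell command and
// handed to proc_open(). The '$t_tool . " -T" . $p_format' shape, the function
// names and the payload are assumptions made for illustration.

/**
 * Vulnerable shape: plain concatenation. A ';' in the configured tool path
 * ends the intended command and the shell starts a second one.
 */
function build_command_unsafe( string $p_tool, string $p_format ): string {
	return $p_tool . ' -T' . $p_format;
}

/**
 * escapeshellcmd() on the tool path. Shell metacharacters such as ; | & ` $ ( ) < >
 * get a backslash, so the string can no longer be split into two commands.
 * It does not decide which program runs: the configured value still does.
 */
function build_command_escaped( string $p_tool, string $p_format ): string {
	return escapeshellcmd( $p_tool ) . ' -T' . $p_format;
}

/**
 * Stricter variant: accept only an absolute path to an existing executable,
 * allow only known GraphViz output formats, and quote the path with
 * escapeshellarg() so the shell receives it as a single word.
 */
function build_command_validated( string $p_tool, string $p_format ): string {
	static $t_formats = array( 'png', 'svg', 'gif', 'cmapx', 'dot' );
	if( $p_tool === '' || $p_tool[0] !== '/' || !is_executable( $p_tool ) ) {
		throw new InvalidArgumentException( 'tool must be an absolute path to an executable' );
	}
	if( !in_array( $p_format, $t_formats, true ) ) {
		throw new InvalidArgumentException( 'unsupported output format' );
	}
	return escapeshellarg( $p_tool ) . ' -T' . $p_format;
}

/**
 * Run a command string through the shell as proc_open() does and return
 * array( stdout, stderr, exit status ), so the builders can be compared.
 */
function run_command( string $p_command ): array {
	$t_descriptors = array(
		0 => array( 'pipe', 'r' ),
		1 => array( 'pipe', 'w' ),
		2 => array( 'pipe', 'w' ),
	);
	$t_pipes = array();
	$t_process = proc_open( $p_command, $t_descriptors, $t_pipes );
	if( !is_resource( $t_process ) ) {
		return array( '', 'proc_open failed', -1 );
	}
	fclose( $t_pipes[0] );
	$t_stdout = stream_get_contents( $t_pipes[1] );
	$t_stderr = stream_get_contents( $t_pipes[2] );
	fclose( $t_pipes[1] );
	fclose( $t_pipes[2] );
	return array( $t_stdout, $t_stderr, proc_close( $t_process ) );
}

// Constructed attacker value in the style of the report: the ';' cuts off the
// ' -Tpng' the code appends, so the payload runs exactly as written.
$t_injected = 'echo INJECTED;';

foreach( array( 'unsafe' => 'build_command_unsafe', 'escaped' => 'build_command_escaped' ) as $t_label => $t_builder ) {
	$t_command = $t_builder( $t_injected, 'png' );
	list( $t_out, $t_err, $t_status ) = run_command( $t_command );
	printf( "%-8s %s\n         stdout=%s stderr=%s exit=%d\n",
		$t_label, $t_command, json_encode( trim( $t_out ) ), json_encode( trim( $t_err ) ), $t_status );
}

// The validated builder rejects the injected value and accepts a real binary.
try {
	build_command_validated( $t_injected, 'png' );
} catch( InvalidArgumentException $e ) {
	echo 'validated: rejected (', $e->getMessage(), ")\n";
}
echo 'validated: ', build_command_validated( '/bin/echo', 'png' ), "\n";
```

Run it with the php CLI on a Unix host. In the unsafe case the shell executes echo and then fails looking for a program called "-Tpng"; in the escaped case the ';' is neutralised, so the appended format stays attached to the one command, but that command is still echo, because the configured path is the program name itself. Only the validated builder refuses the injected value, and even it relies on the configuration being trustworthy enough that an existing executable path is what an administrator intended.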
|
MantisBT: master fc7668c8 2019-08-28 01:39 Committer: dregad Details Diff |
Prevent arbitrary shell command execution
Prior to this, Administrators were able to edit 'dot_tool' and 'neato_tool' config options from the Manage Configuration Page. These can now only be set in the config_inc.php file.
Fixes 0026091, CVE-2019-15715
Signed-off-by: Damien Regad <dregad@mantisbt.org>
Original commit message reworded, added CVE reference.
Affected Issues 0026091 |
|
mod - config_defaults_inc.php | Diff File |
MantisBT: master 5fb97960 2019-09-21 08:02 Details Diff |
Escape GraphViz command before calling proc_open() Fixes 0026091, CVE-2019-15715 |
Affected Issues 0026091 |
|
mod - core/graphviz_api.php | Diff File |