View Issue Details

ID: 0026091
Project: mantisbt
Category: security
View Status: public
Last Update: 2019-09-27 02:35
Reporter: permanull
Assigned To: atrol
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.22.0
Target Version: 2.22.1
Fixed in Version: 2.22.1
Summary: 0026091: CVE-2019-15715: [Admin Required - Post Authentication] Command Execution / Injection Vulnerability
Description

The current code allows an attacker with administrative access to MantisBT to set up configuration options in a way that allows for command injection/command execution against the server. I ended up discovering this while playing a 'penetration testing' challenge that uses an older version of Mantis.

There are two different points where this is possible.

One is the dot_tool config option, which gets ingested here:
https://github.com/mantisbt/mantisbt/blob/086f31048ccc882ebbd56c329dc66a7fd329a0a3/workflow_graph_img.php#L53

The other is the neato_tool configuration option, which is ingested here:
https://github.com/mantisbt/mantisbt/blob/086f31048ccc882ebbd56c329dc66a7fd329a0a3/core/relationship_graph_api.php#L160

Eventually these configuration options get used inside of the "output" function of the graph class here:
https://github.com/mantisbt/mantisbt/blob/380fc71029341faae4cbe8dee181be28ba124031/core/graphviz_api.php#L355

They are appended to $t_command which is later passed into $t_process = proc_open( $t_command, $t_descriptors, $t_pipes );

Because it's possible for an attacker to control both the config options dot_tool and neato_tool they can easily inject a crafted command such as "echo '<?php phpinfo(); ?>';" where ";" is being used to offset the addition of "-T" and $p_format variable, being performed by the code and avoiding it within the intended command to be executed.

I've submitted a request for a CVE of this but have not provided details of exploitation to MITRE yet.

Steps To Reproduce

Login to mantisbt as an administrator.
Navigate to Manage->Manage Configuration->Configuration Report.
Scroll down to "Create Configuration Option"

Type "relationship_graph_enable" into Configuration Option with a value of 1 to enable the graphs.
Hit "Create Configuration Option"

Scroll back down to "Create Configuration Option"
Type "dot_tool" into Configuration Option with a value of "touch /tmp/vulnerable;"
Hit "Create Configuration Option"

Visit: http://mantisbt/workflow_graph_img.php

List files in /tmp and find "vulnerable" has been created proving the command injection worked.

Tags: No tags attached.

Relationships

has duplicate 0026162 (closed, dregad): CVE-2019-15715: Command Execution / Injection Vulnerability

Activities

atrol (developer), 2019-08-28 05:47, note ~0062672

Attached a patch that prevents options neato_tool and dot_tool from being set in the database.

Attachment: 26091-command-execution.patch (964 bytes)
From 52018acd62058d40bcec0b0d1f5f3ee32c856ad2 Mon Sep 17 00:00:00 2001
From: Roland Becker <roland@atrol.de>
Date: Wed, 28 Aug 2019 11:39:42 +0200
Subject: [PATCH] Prevent arbitrary command execution of Mantis Administrators

Fixes #26091
---
 config_defaults_inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config_defaults_inc.php b/config_defaults_inc.php
index 6dc188dd6..516cd520e 100644
--- a/config_defaults_inc.php
+++ b/config_defaults_inc.php
@@ -4361,7 +4361,7 @@ $g_global_settings = array(
 	'ldap_simulation_file_path', 'plugin_path', 'bottom_include_page', 'top_include_page',
 	'default_home_page', 'logout_redirect_page', 'manual_url', 'logo_url', 'wiki_engine_url',
 	'cdn_enabled', 'public_config_names', 'email_login_enabled', 'email_ensure_unique',
-	'impersonate_user_threshold', 'email_retry_in_days'
+	'impersonate_user_threshold', 'email_retry_in_days', 'neato_tool', 'dot_tool'
 );
 
 /**
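Review bot: Listing 'neato_tool' and 'dot_tool' in $g_global_settings stops these options from being created through the Manage Configuration page, but the values are still concatenated unescaped into the proc_open() command in core/graphviz_api.php, so a value that reaches the configuration by another route is still interpreted by the shell. Consider pairing this with escapeshellcmd() on the tool path at the point of use as defence in depth, and stating in the commit message that the two options now have to be set in config_inc.php so administrators understand why the UI refuses them.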
-- 
2.21.0.windows.1

atrol (developer), 2019-08-28 05:49, note ~0062673

@permanull can you confirm that the attached patch fixes the issue?

dregad (developer), 2019-08-28 06:09, note ~0062674

Please let us know the CVE number when you have it.

permanull (reporter), 2019-08-28 13:43, note ~0062675

@atrol That should work. If someone had access to modify the configuration it would obviously still be possible, but at that point I guess execution/access is assumed.

@dregad Here's the CVE ID: CVE-2019-15715

permanull (reporter), 2019-08-28 13:47, note ~0062676

@atrol For a more complete fix, it may also be worth applying escapeshellcmd (https://www.php.net/manual/en/function.escapeshellcmd.php) to the two variables prior to proc_open being executed, as there's no instance where I see the user having to put arguments along with the binary path.

permanull (reporter), 2019-08-28 14:01, note ~0062677

This should also be taken into account when using escapeshellcmd or escapeshellarg:
https://gist.github.com/Zenexer/40d02da5e07f151adeaeeaa11af9ab36

My understanding of it, however, is that it wouldn't impact the code in Mantis unless proc_open performs some form of escaping that cancels out the original attempt at doing so. They do provide an alternative escape function, though I've personally never been able to bypass the functionality of the original. It is something to keep in mind considering another escape is used here, which I had also looked into but didn't find a way to abuse for the CTF/pentesting challenge I was playing.

https://github.com/mantisbt/mantisbt/blob/086f31048ccc882ebbd56c329dc66a7fd329a0a3/core/url_api.php#L77

permanull (reporter), 2019-08-29 13:50, note ~0062684

Don't know if you guys were able to see my previous notes, I'd marked them private.

atrol (developer), 2019-08-29 14:14, note ~0062685

We can see your private notes, but you would not be able to see our private notes.
So it makes no sense to communicate this way.

I think your notes describe another problem and should be discussed in a separate private issue without using private notes.
After that I will remove your private notes, so no one will see them after the issue is set to public.
At the moment, I am not sure if it's needed / makes sense to fix the problem that is described in your private notes.

@dregad do you agree?

permanull (reporter), 2019-08-29 14:22, note ~0062687

Looking at the problem described by those notes, the json_url function seems unreachable and is called as a last resort, so exploitation of it is very unlikely even if character encoding etc. was off. So from the outside looking in, I'd say that patching in that way for that specific function is a waste of time, but I would still suggest adding an escapeshellcmd to the proc_open where the graph system is vulnerable, even though you can trust the user input now that the configuration in the panel has it blacklisted.

dregad (developer), 2019-09-21 12:00, note ~0062870 (last edited 2019-09-21 12:01)

@permanull apologies for the delay in taking care of this, I got sidetracked and then forgot about it.

As you have already confirmed that @atrol's patch addresses the problem, I'll commit that. Additionally, as an extra safety I'll add an escapeshellcmd() call in graphviz_api.php, where the neato & dot tools are being used, even though at this point we could consider these configs' values to be trusted since they can only be set by someone already having access to the server's filesystem.

With regards to the use of escapeshellarg() in the url_get() function, this helper API is currently not used in MantisBT core; to my knowledge, only the Source Integration plugin is relying on it. As you correctly point out, shell_exec() is only a last resort. At some point I think we should make the curl extension mandatory and get rid of that call. For now, I don't think it's worth taking any action here.
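The following PHP is an added illustration, not MantisBT's own code, modelling the two layers of the fix discussed in this note and in the original description: keeping dot_tool/neato_tool out of the database via $g_global_settings, and escaping the tool path before it is handed to proc_open(). The function names are hypothetical (MantisBT uses config_get() and the graph class's output() method), and the sample value is the one from the reproduction steps.

```php
<?php
// Added example, not MantisBT code. Models the two layers of the fix:
// (1) 'dot_tool'/'neato_tool' listed in $g_global_settings so they can only
//     come from config_inc.php, never from the Manage Configuration page;
// (2) escapeshellcmd() applied to the tool path before " -T<format>" is
//     appended and the string is passed to proc_open().
// Function names are hypothetical; MantisBT's real code path differs.

// Layer 1: constructed subset of $g_global_settings after the patch.
$g_global_settings = array( 'neato_tool', 'dot_tool' );

// An option listed as a global setting must not be created in the database.
function can_set_from_database( string $p_option, array $p_global_settings ): bool {
	return !in_array( $p_option, $p_global_settings, true );
}

// Layer 2: build the GraphViz command line the way graphviz_api.php does,
// optionally escaping the tool path (the second changeset in this issue).
function build_graph_command( string $p_tool, string $p_format, bool $p_escape ): string {
	$t_tool = $p_escape ? escapeshellcmd( $p_tool ) : $p_tool;
	return $t_tool . ' -T' . escapeshellarg( $p_format );
}

// Dry-run helper: count how many separate commands a POSIX shell would see,
// treating an unescaped ';' as a separator. Nothing is executed here.
function count_shell_commands( string $p_command ): int {
	$t_parts = preg_split( '/(?<!\\\\);/', $p_command );
	return count( array_filter( array_map( 'trim', $t_parts ) ) );
}

// Constructed admin-supplied value taken from the reproduction steps.
$t_value = 'touch /tmp/vulnerable;';

echo can_set_from_database( 'dot_tool', $g_global_settings )
	? "dot_tool: accepted into database\n"
	: "dot_tool: refused (global setting, config_inc.php only)\n";

$t_unsafe = build_graph_command( $t_value, 'png', false );
$t_safe   = build_graph_command( $t_value, 'png', true );
// unescaped: touch /tmp/vulnerable; -T'png'   -> 2 command(s)
// escaped:   touch /tmp/vulnerable\; -T'png'  -> 1 command(s)
printf( "unescaped: %s -> %d command(s)\n", $t_unsafe, count_shell_commands( $t_unsafe ) );
printf( "escaped:   %s -> %d command(s)\n", $t_safe, count_shell_commands( $t_safe ) );

// escapeshellcmd() only stops a second command being chained after the tool
// path; the tool path itself still runs, so layer 1 is the actual fix and
// the escaping is the extra safety described in this issue.
```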

Related Changesets

MantisBT: master fc7668c8, 2019-08-28 05:39:42, author atrol, committer dregad
Prevent arbitrary shell command execution

Prior to this, Administrators were able to edit 'dot_tool' and
'neato_tool' config options from the Manage Configuration Page

These can now only be set in the config_inc.php file.

Fixes 0026091, CVE-2019-15715

Signed-off-by: Damien Regad <dregad@mantisbt.org>

Original commit message reworded, added CVE reference.
Affected Issues
0026091
mod - config_defaults_inc.php

MantisBT: master 5fb97960, 2019-09-21 12:02:59, dregad
Escape GraphViz command before calling proc_open()

Fixes 0026091, CVE-2019-15715
Affected Issues
0026091
mod - core/graphviz_api.php

Issue History

Date Modified Username Field Change
2019-08-28 04:56 permanull New Issue
2019-08-28 05:47 atrol File Added: 26091-command-execution.patch
2019-08-28 05:47 atrol Note Added: 0062672
2019-08-28 05:49 atrol Note Added: 0062673
2019-08-28 05:51 atrol Status new => confirmed
2019-08-28 05:51 atrol Target Version => 2.22.1
2019-08-28 06:09 dregad Note Added: 0062674
2019-08-28 13:43 permanull Note Added: 0062675
2019-08-28 13:47 permanull Note Added: 0062676
2019-08-28 14:01 permanull Note Added: 0062677
2019-08-29 13:50 permanull Note Added: 0062684
2019-08-29 14:14 atrol Note Added: 0062685
2019-08-29 14:16 atrol Summary [Admin Required - Post Authentication] Command Execution / Injection Vulnerability => CVE-2019-15715: [Admin Required - Post Authentication] Command Execution / Injection Vulnerability
2019-08-29 14:22 permanull Note Added: 0062687
2019-09-21 11:11 dregad Note View State: 0062675: public
2019-09-21 11:12 dregad Note View State: 0062676: public
2019-09-21 11:12 dregad Note View State: 0062677: public
2019-09-21 12:00 dregad Note Added: 0062870
2019-09-21 12:01 dregad Note Edited: 0062870 View Revisions
2019-09-21 12:13 dregad Issue cloned: 0026162
2019-09-21 12:13 dregad Relationship added has duplicate 0026162
2019-09-21 12:18 dregad Changeset attached => MantisBT master fc7668c8
2019-09-21 12:18 dregad Changeset attached => MantisBT master 5fb97960
2019-09-21 12:18 dregad Assigned To => dregad
2019-09-21 12:18 dregad Status confirmed => resolved
2019-09-21 12:18 dregad Resolution open => fixed
2019-09-21 12:18 dregad Fixed in Version => 2.23.0
2019-09-21 12:38 atrol Fixed in Version 2.23.0 => 2.22.1
2019-09-26 16:40 atrol Assigned To dregad => atrol
2019-09-27 02:35 dregad View Status private => public
2019-09-27 02:35 dregad Status resolved => closed