{"id":4434,"date":"2022-03-17T17:11:47","date_gmt":"2022-03-17T16:11:47","guid":{"rendered":"https:\/\/www.vaadata.com\/blog\/?p=4434"},"modified":"2022-12-12T14:59:34","modified_gmt":"2022-12-12T13:59:34","slug":"rce-vulnerability-in-a-file-name","status":"publish","type":"post","link":"https:\/\/www.vaadata.com\/blog\/rce-vulnerability-in-a-file-name\/","title":{"rendered":"RCE vulnerability in a file name"},"content":{"rendered":"
\n
\"RCE<\/figure>\n<\/div>\n\n\n

During our security audits, we are regularly confronted with vulnerabilities that allow commands to be executed on a system. These can take various forms depending on the type of application and the functionality impacted. You will find in this article an example of a RCE vulnerability<\/strong> encountered during a penetration test of a web application<\/a> coded in PHP.<\/p>\n\n\n\n\n\n\n\n\n\n

What is a RCE (Remote Code Execution)?<\/h2>\n\n\n\n

In computer security, arbitrary code execution (ACE)<\/a> is the ability of an attacker to execute any command or code of his choice on a target machine or in a target process. The ability to trigger an arbitrary code execution over a network (especially via a wide area network such as the internet) is often referred to as remote code execution, or RCE.<\/p>\n\n\n\n

A RCE is particularly dangerous, as it often provides privileged access to a system.<\/strong> For example, a RCE vulnerability on a web application will often allow to execute commands on the server that hosts it and therefore to break into it. This will give the attacker access to all or part of the server’s files.<\/p>\n\n\n\n\n\n

Presentation of the RCE vulnerability<\/h2>\n\n\n\n

The purpose of the functionality tested was to allow the user to upload files to a platform so that they can be reused elsewhere. When the uploaded file is an audio or video file, the PHP application will run a command on the server to retrieve the duration of the file and thus be able to communicate it to the user.<\/p>\n\n\n\n

Here is the code (simplified and modified for the example) of the application:<\/p>\n\n\n\n

<?php\n$message = \"\";\nfunction upload($file): string\n{\n    $base_dir = __DIR__ . \"\/..\/upload\/\";\n    $ext = strtolower(pathinfo(\"\/\" . $file[\"name\"], PATHINFO_EXTENSION));\n    $filepath = $base_dir . uniqid() . '.' . $ext;\n    $filetype = mime_content_type($file[\"tmp_name\"]);\n\n    move_uploaded_file($file[\"tmp_name\"], $filepath);\n\n    if (str_starts_with($filetype, \"video\/\") || str_starts_with($filetype, \"audio\/\")) {\n        $command = sprintf(\"ffprobe -i \\\"%s\\\" -show_entries format=duration -v quiet -of csv=\\\"p=0\\\"\", $filepath);\n        $duration = shell_exec($command);\n        return \"Media file of duration \" . $duration . \" uploaded.\";\n    } else {\n        return \"File uploaded\";\n    }\n}\n\nif ($_SERVER[\"REQUEST_METHOD\"] === \"POST\") {\n    $file = $_FILES[\"formFile\"] ?? null;\n    $message = $file === null ? \"Missing file.\" : upload($file);\n}\n?>\n\n<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n    <meta charset=\"UTF-8\">\n    <title>Upload media file<\/title>\n    <link href=\"https:\/\/cdn.jsdelivr.net\/npm\/bootstrap@5.0.2\/dist\/css\/bootstrap.min.css\" rel=\"stylesheet\" integrity=\"sha384-EVSTQN3\/azprG1Anm3QDgpJLIm9Nao0Yz1ztcQTwFspd3yD65VohhpuuCOmLASjC\" crossorigin=\"anonymous\">\n<\/head>\n<body>\n\n<div class=\"container\">\n    <header>\n        <h1>Upload media file<\/h1>\n        <hr>\n    <\/header>\n    <div class=\"row justify-content-md-center\">\n        <div class=\"col col-lg-6\">\n            <form action=\"\" method=\"post\" enctype=\"multipart\/form-data\">\n                <div class=\"mb-3\">\n                    <label for=\"formFile\" class=\"form-label\">File to upload<\/label>\n                    <input class=\"form-control\" type=\"file\" name=\"formFile\" id=\"formFile\">\n                <\/div>\n                <div class=\"col-auto\">\n                    <button type=\"submit\" class=\"btn btn-primary mb-3\">Upload<\/button>\n                <\/div>\n\n                <?php if (!empty($message)) { ?>\n                    <div class=\"alert alert-primary\" role=\"alert\">\n                        <?= htmlentities($message, ENT_QUOTES) ?>\n                    <\/div>\n                <?php } ?>\n\n            <\/form>\n        <\/div>\n    <\/div>\n<\/div>\n\n<\/body>\n<\/html>\n<\/code><\/pre>\n\n\n\n
What we can see at first is that a command is built on line 13 thanks to the PHP function “sprintf” with the path of the previously uploaded file as parameter. This command is then executed on line 14 and its result is sent back to the user to be displayed on the page.<\/p>\n\n\n\n
\"File_1\"<\/figure>\n\n\n\n
The file path is built on line 7 from the following elements:<\/p>\n\n\n\n