FlexPaper <= 2.3.6 RCE

Around one year ago we discovered a Remote Command Execution vulnerability on FlexPaper (https://www.flowpaper.com). The vendor was immediately contacted and a CVE registered (2018-11686). However the vulnerability itself has remained undisclosed until now, regardless the fact that a patch has been issued with the release 2.3.7 of the project.

What is Flexpaper

FlexPaper is an open source project, released under GPL license, quite widespread over the internet.  It provides document viewing functionalities to web clients, mobile and tablet devices. At least until 2014 the component has been actively used by WikiLeaks, when it was discovered to be affected by a XSS vulnerability subsequently patched. The remote command execution vulnerability hereby descripted has remained 0day until being reported to vendor in April 2018.

Setup.php

The “php/setup.php” script is used to initialize the Flexpaper configuration file in the “config/” folder. The function “pdf2swfEnabled()” passes the user input unsafely to “exec()” that leads straight to arbitrary command execution.

However, this entry point can be only reached in case Flexpaper has not been initialized (i.e. there is no configuration file in the “config/” folder) which is the main reason to have the software downloaded and installed.

Therefore, after the configuration process is completed, the “exec()” function cannot be hit with arbitrary user input.

File removal via change_config.php

FlexPaper <= 2.3.6 also suffers from an unrestricted file overwrite vulnerability in “php/change_config.php“. The component exposes a functionality to update the configuration file. However, access to this file is improperly guarded, as can be seen in the code snippet below

The “SAVE_CONFIG” is done before the “FLEXPAPER_AUTH” authorization check is performed. Therefore, a not authenticated user can send a POST request and have the configuration file updated. Even more interesting is the fact that after the configuration file is updated, the script will remove all files in the directory that is configured under “path.swf”. As this path was just updated by the attacker, he is in full control of the directory in which he wants to delete files. 

An example of a HTTP request, which results in deletion of the configuration file, is depicted below.

Back to Setup.php

Once the Flexpaper configuration file is deleted, the vulnerable entry point at “setup.php” becomes reachable again. Now the attacker is one GET request far from triggering RCE. The malicious payload is provided to the “PDF2SWF_PATH” parameter. The command is injected just prepending a semicolon “;” character as shown below

In the example above the server was forced to base64 decode a PHP web shell (see following image) and write that in to a file named “tiger_shell.php” in the webserver’s document root.

The web shell

The web shell adopted in this case takes as an input a key and an arbitrary base64 encoded command submitted via GET request. It base64 decode and execute the command only if the key matches with the hardcoded one. From now on, the attacker can launch any arbitrary command like this:

The command injected through “cmd” parameter, for this specific example, is the base64 encoded representation of “id;uname -a;pwd”. Needless to say it can be whatever command the attacker wants to run.

Red Timmy Sec will be at Blackhat Las Vegas this year! Check out our trainings

Some additional notes

During last year we have reported this vulnerability to several broadcasting and media companies that were using the affected component. Some government websites as well.

Exploit code

The exploit has been published here.

One thought on “FlexPaper <= 2.3.6 RCE

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s