Command injection in /fog/management/export.php?filename=
https://github.com/FOGProject/fogproject/security/advisories/GHSA-7h44-6vq6-cq8j
The advisory above should contain all of the directly relevant information, but here is the TL;DR:
There are known issues with versions of the export script earlier than 1.5.10.34 that allow RCE. This has been patched in 1.5.10.34 and up, and export.php is no longer present in 1.6.
To patch existing versions, use the script in the link or copy this to your fog server and run it:
```bash
#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# Quick patch for GHSA-7h44-6vq6-cq8j
# source https://github.com/FOGProject/fogproject (dev-branch)
# based on fix applied to 1.5.10.34

export_hash='ecc84d2ce81f9c3d188758a8ca17519e'
report_hash='eabb801aab46dd25e6e2cb99df50f746'
BASE_INSTALL='/var/www/html/fog'

echo "Initiating patch for advisory GHSA-7h44-6vq6-cq8j"
echo "Testing if system is vulnerable"

# Is the system vulnerable?
curl -s -X POST \
    -F 'fogguiuser=fog' \
    -F 'nojson=2' \
    'http://127.0.0.1/fog/management/export.php?filename=%24%28touch+p.txt%29&type=pdf' &> /dev/null
if [[ ! -f "${BASE_INSTALL}/management/p.txt" ]]; then
    echo "system does not look vulnerable! aborting patch"
    exit 0
fi
rm -f "${BASE_INSTALL}/management/p.txt"
echo "System is vulnerable! applying patch..."

# Can we reach github ?
if ! ping -c1 raw.githubusercontent.com &> /dev/null; then
    echo "Could not reach github. Aborting"
    exit 5
fi

# Can we modify the files ?
if [[ "${UID}" -ne "0" ]]; then
    echo "sorry, We need root to make changes under ${BASE_INSTALL}"
    exit 1
fi

# Is BASE_INSTALL where we expect ?
if [[ ! -f "${BASE_INSTALL}/management/export.php" ]]; then
    echo "Could not find ${BASE_INSTALL}/management/export.php"
    echo "Please, check settings manually"
    exit 2
fi

# Backup old files.
tar -cvpf /root/fogbkp.tar "${BASE_INSTALL}/management/export.php" \
    "${BASE_INSTALL}/lib/fog/reportmaker.class.php" &> /dev/null
if [[ ! -f /root/fogbkp.tar ]]; then
    echo "warning could not backup export.php and reportmaker.class.php"
    exit 3
fi
echo "Created backups for export.php and reportmaker.class.php at /root/fogbkp.tar"

echo "Downloading patches and checking file hashes"
# Download patches and check hashsum
curl -s 'https://raw.githubusercontent.com/FOGProject/fogproject/dev-branch/packages/web/management/export.php' -o /root/export.php
curl -s 'https://raw.githubusercontent.com/FOGProject/fogproject/dev-branch/packages/web/lib/fog/reportmaker.class.php' -o /root/reportmaker.class.php
if [[ "$(md5sum /root/export.php | awk '{print $1}')" != "${export_hash}" ]]; then
    echo "export.php was modified! This patch is no longer up to date. Please, update to latest stable release."
    exit 4
fi
if [[ "$(md5sum /root/reportmaker.class.php | awk '{print $1}')" != "${report_hash}" ]]; then
    echo "reportmaker.class.php was modified! This patch is no longer up to date. Please, update to latest stable release."
    exit 4
fi

# Copy patches to destination
cp -p /root/export.php "${BASE_INSTALL}/management/export.php" && \
    rm -f /root/export.php
cp -p /root/reportmaker.class.php "${BASE_INSTALL}/lib/fog/reportmaker.class.php" && \
    rm -f /root/reportmaker.class.php

echo "Fixing file permissions"
# Adjusting file permissions. This runs after the copy because cp -p
# carries over the owner and mode of the files downloaded as root.
chown www-data:www-data "${BASE_INSTALL}/management/export.php"
chown www-data:www-data "${BASE_INSTALL}/lib/fog/reportmaker.class.php"
chmod 0644 "${BASE_INSTALL}/management/export.php"
chmod 0644 "${BASE_INSTALL}/lib/fog/reportmaker.class.php"

# Cleaning up stuff we no longer need
rm -f /root/export.php
rm -f /root/reportmaker.class.php

echo "We have finished patching fog!"
```
This was reported and tested, and the fix was tested as well, by the GitHub user bluetoothStrawberry.
Thank you!
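
For servers that ran an affected version, the web server access log can be reviewed for earlier requests to export.php that carried shell metacharacters in the `filename` query parameter. The following is an added example, not code from the FOG Project or the advisory; it assumes an Apache/nginx "combined" log format, the metacharacter set is a conservative heuristic, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: Apache/nginx "combined" access-log format.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Heuristic (assumption): characters a shell interprets and that a report
# file name has no need for.
SHELL_META = re.compile(r"[$`;|&<>(){}\\'\"\n\r]")
EXPORT_PATH = "/management/export.php"


def suspicious_export_requests(lines):
    """Return (ip, status, decoded filename) for flagged export.php requests."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith(EXPORT_PATH):
            continue
        # parse_qs percent-decodes values and turns '+' into a space,
        # so encoded metacharacters are checked in their decoded form.
        for name in parse_qs(url.query, keep_blank_values=True).get("filename", []):
            if SHELL_META.search(name):
                hits.append((m.group("ip"), int(m.group("status")), name))
    return hits


# Constructed sample lines (not real traffic). The second one is the
# self-test request that the patch script above sends to 127.0.0.1.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "POST /fog/management/export.php'
    '?filename=HostList&type=pdf HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [01/Jan/2024:10:05:00 +0000] "POST /fog/management/export.php'
    '?filename=%24%28touch+p.txt%29&type=pdf HTTP/1.1" 200 0 "-" "curl/7.88.1"',
    '192.0.2.11 - - [01/Jan/2024:10:06:00 +0000] "GET /fog/management/index.php'
    '?node=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, status, name in suspicious_export_requests(SAMPLE_LOG):
        print(f"{ip} status={status} filename={name!r}")
```

A hit from 127.0.0.1 with `$(touch p.txt)` is the patch script's own check; hits from other addresses warrant a closer look at the host.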