CVE-2018-11686 - FlexPaper PHP Publish Service RCE <= 2.3.6# CVE-2018-11686
CVE-2018-11686 - FlexPaper PHP Publish Service RCE <= 2.3.6
found by [Red Timmy Security](redtimmysec.wordpress.com)
**Technical Analysis:**
- https://www.exploit-db.com/docs/english/46521-flexpaper-=-2.3.6-remote-code-execution-whitepaper.pdf
**Security advisory:**
- unknow
---
### Proof Of Concept:
1. **Removing the config files**
The file `change_config.php` of FlexPaper (PHP) doesn't check if the adminsitrator is authentication properly, allowing an attacker to delete arbitrary files on the server:
- The yellow line shows where the check of authentication should be placed
- The red lines show the path taken by an attacker to delete files on the server using the `unlink` PHP function
An attacker can craft a request like this and delete files on the folder of his choice:
```
POST /flexpaper/php/change_config.php HTTP/1.1
Host: 127.0.0.1:8888
[...]
SAVE_CONFIG=1&SWF_Directory=config/
```
With this request, an attacker deletes all files on the `config` directory.
2. **Setup a new config file**
Since all files on the `config/` folder are deleted, FlexPaper will think that the application has never been initialized:
Therefore an attacker is able to setup again the FlexPaper. But why ?
3. **Execute arbitrary command**
Inside the `setup.php` there is a function called `pdf2swfEnabled` that uses the command `exec` in PHP with a parameter passed in POST by the user. Since this is the initialisation (check 2.) of FlexPaper there is no authentication.
An attacker can craft a payload like this: `?step=4&PDF2SWF_PATH=id;` resulting `exec(id; --version 2>&1)`.
4. **Getting the output**
The attacker can redirect the output of the command inside the a file inside the `config` folder and make a GET request to read the output:
---
### Fix
The check of the authentication has been added at the beginning of the `change_config.php`
Log in to view the POC file snapshot cached by Shenlong Bot
Log in to view