Crypttech CryptoLog Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability has been identified in the PHP version of CryptoLog, a log management application. This vulnerability arises from a combination of SQL injection and command injection flaws, allowing an unauthenticated attacker to gain shell access as the web server user. The exploitation begins by leveraging a SQL injection vulnerability in 'login.php' to bypass authentication, followed by a command injection vulnerability in 'logshares_ajax.php' to execute arbitrary operating system commands. The SQL injection is achieved by injecting crafted SQL into the 'user' POST parameter, which is then used to authenticate the user. Once authenticated, the attacker can exploit the 'lsid' POST parameter in the 'logshares_ajax.php' endpoint to inject and execute commands using the command substitution syntax, resulting in code execution under the context of the web user.
Impact
Exploitation of this vulnerability allows for remote code execution on the affected system, with the executed commands running under the web server's user privileges.
Reproduction
The vulnerability can be reproduced by sending a POST request to 'login.php' with a crafted 'user' parameter that exploits the SQL injection flaw. This request should include the 'act' parameter set to 'login'. If the injection is successful, the response will include a 'Set-Cookie' header, indicating that authentication has been bypassed. Once authenticated, a second POST request can be sent to 'logshares_ajax.php', using the 'lsid' parameter to inject a command that will be executed on the server.
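The two-step chain described in the Vulnerability and Reproduction sections above can be spotted in request logs that record POST bodies (a WAF or audit log; a default access log omits bodies). The following detection script is an added example, not code from CryptoLog or from the advisory; the log format and the assumption that 'lsid' is normally a numeric identifier are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Constructed sample records, one request per line as "METHOD PATH BODY".
# These are not real CryptoLog logs; the bodies are illustrative only.
SAMPLE_LOG = """\
POST /login.php act=login&user=alice&pass=secret
POST /login.php act=login&user=admin%27--&pass=x
POST /logshares_ajax.php lsid=42
POST /logshares_ajax.php lsid=42%24%28id%29
GET /index.php
"""

# SQL quote/comment characters and keywords a real username should not carry.
SQLI_PATTERN = re.compile(r"(['\"]|--|/\*|\b(or|and|union|select)\b)", re.I)
# Shell command-substitution syntax: $( ... ) or backticks.
CMDSUB_PATTERN = re.compile(r"\$\(|`")


def parse_line(line):
    """Split a sample record into method, path and decoded POST parameters."""
    parts = line.split(" ", 2)
    if len(parts) < 2:
        return "", "", {}
    body = parts[2] if len(parts) > 2 else ""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return parts[0], parts[1], params


def classify(line):
    """Return finding tags for one request; empty list means nothing suspicious."""
    method, path, params = parse_line(line)
    findings = []
    # Step 1 of the chain: SQL metacharacters in the 'user' parameter of login.php.
    if method == "POST" and path.endswith("/login.php") and params.get("act") == "login":
        if SQLI_PATTERN.search(params.get("user", "")):
            findings.append("login_sqli")
    # Step 2 of the chain: command substitution in the 'lsid' parameter.
    if method == "POST" and path.endswith("/logshares_ajax.php"):
        lsid = params.get("lsid", "")
        if CMDSUB_PATTERN.search(lsid):
            findings.append("lsid_cmdsub")
        if not lsid.isdigit():  # assumption: lsid is expected to be an integer id
            findings.append("lsid_nonnumeric")
    return findings


def scan(log_text):
    """Return (line number, line, tags) for every flagged request."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        tags = classify(line)
        if tags:
            hits.append((n, line, tags))
    return hits
```

A hit on both tags from the same client in sequence (login.php first, then logshares_ajax.php) is the pattern to alert on; the same allow-list check on 'lsid' (digits only) is also the simplest server-side fix for the second step.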
