Group-Office Remote Code Execution Vulnerability in Maintenance Controller

Vulnerability

A remote code execution vulnerability has been identified in Group-Office versions prior to 6.8.150, 25.0.82, and 26.0.5. The issue arises in the MaintenanceController, which exposes an action called zipLanguage. This action takes a lang parameter and directly passes it to a system zip command via exec(), creating a command injection vulnerability. The vulnerability can be exploited by uploading a crafted zip file that includes a malicious payload, which is then executed on the server.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server, with the executed code running in the context of the web server user. This could lead to unauthorized access, data manipulation, or disruption of services.

Reproduction

The vulnerability can be reproduced by authenticating as a user with basic privileges, uploading a zip file containing a malicious script via the EmailTemplate module, and then triggering the zipLanguage action in the Maintenance module. The uploaded script is executed by injecting its path into the lang parameter, using wildcard globbing to bypass security measures.

Remediation

Users can update to Group-Office versions 6.8.150, 25.0.82, or 26.0.5 to address this vulnerability.
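The input-to-shell pattern described under Vulnerability, and the wildcard globbing noted under Reproduction, can be illustrated with the following added example. It is not Group-Office source code: the function names, directory layout and sample inputs are assumptions for illustration, and the hardened form uses PHP's ZipArchive (ext-zip) instead of a shell command.

```php
<?php
// Added example, not Group-Office source. Function names, directory layout
// and sample inputs are assumptions made for illustration.

// Pattern the advisory describes: request input interpolated into a shell command.
function zipLanguageUnsafe(string $lang, string $langRoot, string $outZip): void
{
    // /bin/sh interprets metacharacters and glob patterns inside $lang.
    exec("cd $langRoot && zip -r $outZip $lang");
}

// Hardened pattern: strict allowlist, path containment check, no shell.
function zipLanguageSafe(string $lang, string $langRoot, string $outZip): bool
{
    // Only locale-style codes ("en", "nl", "pt_br"); rejects * ? / ; spaces etc.
    if (!preg_match('/\A[a-z]{2,3}(_[a-z]{2})?\z/', $lang)) {
        return false;
    }
    $root = realpath($langRoot);
    $dir  = realpath($langRoot . '/' . $lang);
    if ($root === false || $dir === false || !is_dir($dir)
        || strpos($dir, $root . DIRECTORY_SEPARATOR) !== 0) {
        return false; // missing, or resolves outside the language root
    }
    $zip = new ZipArchive(); // requires ext-zip
    if ($zip->open($outZip, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
        return false;
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile()) {
            $rel = substr($file->getPathname(), strlen($dir) + 1);
            $zip->addFile($file->getPathname(), $lang . '/' . $rel);
        }
    }
    return $zip->close();
}

// Constructed demo: a temporary language tree and a mix of inputs.
$root = sys_get_temp_dir() . '/lang_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/en', 0700, true);
file_put_contents($root . '/en/base.php', "<?php return ['hello' => 'Hello'];\n");
foreach (['en', 'nl', 'en*', '../en', 'en;x', '/tmp/?'] as $lang) {
    $ok = zipLanguageSafe($lang, $root, $root . '/out.zip');
    printf("%-8s %s\n", var_export($lang, true), $ok ? 'archived' : 'rejected');
}
```

Only `en` is archived in the demo; `nl` is rejected because no such directory exists, and the remaining inputs fail the allowlist before any filesystem or process call is made.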

Added: Feb 2, 2026, 11:23 PM
Updated: Feb 2, 2026, 11:23 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 2.5
exploitability: 6.2
remediation: 7.7
relevance: 2.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.