Locked Dendroid vulnerability

[steambag]

Analyzing the leaked code revealed multiple vulnerabilities due to a lack of user input validation including Cross-Site Scripting (XSS), Arbitrary File Upload, SQL Injection, and PHP Code Execution.

 

Unsanitized user input is written to the Panel/config.php file via POST requests to the Panel/applysettings.php file. This vulnerability allows PHP code to be injected and then executed with subsequent requests at the Panel/config.php URL. Rewriting this configuration file will not only allow execution of specially crafted PHP code, but will also render the control panel inept, effectively creating a Denial of Service condition.

 

Here is one proof of concept that passes the GET parameter “c” for system command execution:

This is the hidden content, please

• Sign In
• or
• Sign Up

Let’s break down each of these POST parameters to show what they do. Curl is instructed to send a POST request for the timezone parameter with the URL encoded string:

This is the hidden content, please

• Sign In
• or
• Sign Up

This POST value will subsequently be written to the Panel/config.php on line 13 with compiler happy code:

This is the hidden content, please

• Sign In
• or
• Sign Up

The other POST values postboxsize and botoffline are assigned expected integer values so PHP does not throw any errors. Our post exploit Panel/config.php file now contains the contents below. Notice that the database connection information (dbhost, dbname, etc.) was overwritten which stops the control panel from functioning:

This is the hidden content, please

• Sign In
• or
• Sign Up

And now the backdoor shell can be accessed by issuing system commands to the POST “c” parameter:

This is the hidden content, please

• Sign In
• or
• Sign Up

Example using "whoami" system command

[dR.fAn0]

Re: Dendroid vulnerability

 

Anyway to change the connecting port... ??

 

Port 80 is blocked by my ISP :ruletaoff: