A couple of days ago (depending on when this is actually published), I discovered a post-authentication (administrator required) vulnerability in Mantis BT which allowed command execution through command injection.
The interesting part is how it works. I'm not sure most vulnerability scanners would have picked up on this, since the injection point doesn't quite look like user input, and the way I actually discovered it was via a hybrid black-box/white-box approach.
To keep things short: Mantis BT's administration interface allows reconfiguration of any option that you would normally set in the config.inc.php file.
Using this, it's possible to change the path of the tools typically used to generate graph files and then visit one of the URLs that normally invokes that tool with proc_open. Between the point where the configuration variable is read and the point where proc_open is called, there is no sanitization in place.
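As an added illustration (not MantisBT's own code, and the function names and the `dot`/`neato` allow-list are assumptions), here is the pattern described above, a configured tool path interpolated into a shell string, beside a hardened version that validates the stored path and hands proc_open an argument array so no shell ever parses it:

```php
<?php
// Vulnerable pattern (hypothetical, modelled on the description above):
// whatever an administrator stored in the "graph tool path" setting is
// concatenated into a shell command line, so shell metacharacters in the
// setting are interpreted by /bin/sh before the tool ever runs.
function run_graph_tool_unsafe(string $tool_path, string $dot_source): string {
    $cmd  = $tool_path . ' -Tpng';   // no validation between config read and proc_open
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    fwrite($pipes[0], $dot_source);
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Hardened: a configured path is only accepted if it is an absolute path made of
// safe characters, resolves to an existing executable, and its basename is on an
// explicit allow-list of graph tools (allow-list contents are an assumption here).
function validate_tool_path(string $tool_path, array $allowed = ['dot', 'neato']): string {
    if (!preg_match('#^/[A-Za-z0-9_./-]+$#', $tool_path)) {
        throw new InvalidArgumentException('tool path contains disallowed characters');
    }
    $real = realpath($tool_path);
    if ($real === false || !is_executable($real)) {
        throw new InvalidArgumentException('tool path is not an existing executable');
    }
    if (!in_array(basename($real), $allowed, true)) {
        throw new InvalidArgumentException('tool is not on the allow-list');
    }
    return $real;
}

function run_graph_tool_safe(string $tool_path, string $dot_source): string {
    $bin  = validate_tool_path($tool_path);
    // PHP >= 7.4: passing an array to proc_open executes the program directly,
    // bypassing /bin/sh, so the path and arguments are never shell-parsed.
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open([$bin, '-Tpng'], $spec, $pipes);
    fwrite($pipes[0], $dot_source);
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}
```

The same validation belongs at the point where the setting is saved, so an administrator cannot store a value that only fails later at render time.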
A lot of this is mitigated by the fact that configuring those options does require Administrator access. However, when first installed, Mantis BT uses the default credentials "Administrator:root" and does not enforce that the administrator change them upon initial login; instead it simply warns the user to change the password. The fact that it warns the user actually works in an attacker's favour as well, because it tells them that the default password is still in use.
This also means it's easy to find these default installations with a few simple dorks on Google or other search engines.
On another note, it seems those same configuration options allow an administrator to switch file storage from the database to disk. While this is not exploitable, because it generates random MD5 hashes for file names, I still found it interesting nonetheless, because you would assume these kinds of things could only be changed from the configuration file.
This was fixed in the following commit: https://github.com/mantisbt/mantisbt/commit/fc7668c8e45db55fc3a4b991ea99d2b80861a14c
Additional details available:
I'll update the blog in the next few days with a detailed technical analysis of how the bug was discovered and how to actually exploit it, and possibly a PoC.