Tiny File Manager Authenticated RCE

Introduction

This is Febin, a security professional.

I used to pick random open-source software for my research, and recently I took some web-based file management software as my research targets. Among the popular web-based file managers I found was one named "Tiny File Manager". While poking around I was able to find an awesome vulnerability in the application that leads to code execution on the server. This article is about that vulnerability.


Disclosure Timeline:


September 16, 2021 - Contacted the developer and reported the vulnerability

September 17, 2021 - Developer replies back

September 20, 2021 - Developer verified the issue

September 26, 2021 - I patched the source code, fixed the RCE and sent a pull request to the original repository.

November 12, 2021 - Developer merged the commit. The vulnerability has been fixed.


Vendor/Software Details

Tiny File Manager is a web-based file manager: a simple, fast and small single-file, multi-language-ready web application for storing, uploading, editing and managing files and folders online via a web browser. The application runs on PHP 5.5+. It allows the creation of multiple users, each of whom can have their own directory, and has built-in support for managing text files with the Cloud9 IDE, with syntax highlighting for over 150 languages and over 35 themes.

Link: https://github.com/prasathmani/tinyfilemanager


Authenticated RCE

Tiny File Manager is a PHP-based application, and this particular vulnerability is present in the tinyfilemanager.php script. When a user logs in to the application, they are allowed to upload, download and edit files, and those files are stored in a specific directory that is specified in "config.php". The vulnerability I found allows the user to upload files beyond that directory by tampering with the "fullpath" parameter and prepending a series of "../" to the actual filename, which breaks out of the file root directory specified in config.php.

This can be exploited to place PHP web shells inside the web root directory of Tiny File Manager and achieve RCE.


Proof of Concept: RCE

1. An attacker who has admin credentials or admin access to the "Tiny File Manager" app can upload arbitrary files to the server via path traversal, i.e. by prepending "../../../../../../../" to the "fullpath" parameter in the upload feature.

[image: tiny_rce.png]

2. If the attacker can determine the full web root directory of the "Tiny File Manager" app, they can upload PHP files there to achieve RCE.



3. To get the full web root directory path, we can abuse a path disclosure vulnerability in the URL upload feature. When a random rubbish URL is given as input, it throws an error message that reveals the full web root directory path.

[image: tiny_disclose.png]


4. By combining these, we can achieve command execution on the server.

I created an exploit script that automatically exploits the bug and gets a shell:

[image: tiny_rce3.png]

Exploit in Action:


The Patch:

https://github.com/prasathmani/tinyfilemanager/pull/636/files/a93fc321a3c89fdb9bee860bf6df5d89083298d1

👉  Replacing "./" with "_" fixes the issue.
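To show why the fix works and what a stricter check looks like, here is an added example; it is not code from Tiny File Manager or from the pull request above. The first function applies the replacement the patch describes. The second is a defence-in-depth check of my own (not part of the patch) that builds the upload destination from the client-supplied "fullpath", refuses any ".." that would climb above the configured root, and confirms the result still sits under that root before anything is written. The function names, the use of the system temp directory as the root, and the sample inputs are assumptions constructed for this example; the type declarations need PHP 7.1 or later.

```php
<?php
declare(strict_types=1);

// Added example, not Tiny File Manager's own code. The root directory stands in
// for the directory configured in config.php; the function names are my own.

// Mitigation as the merged patch describes: replacing "./" with "_" in the
// client-supplied "fullpath" also neutralises every "../" it contains.
function sanitize_fullpath(string $fullpath): string
{
    return str_replace('./', '_', $fullpath);
}

// Defence in depth (my addition, not part of the patch): normalise the path
// lexically, refuse any ".." that would leave the root, and verify containment.
// realpath() alone is not enough here because the upload target does not exist
// yet, so realpath() on it would simply return false.
function resolve_upload_target(string $rootDir, string $fullpath): ?string
{
    $rootReal = realpath($rootDir);
    if ($rootReal === false) {
        return null; // configured root is missing: fail closed
    }

    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $fullpath)) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue; // empty or "current directory" segments carry no meaning
        }
        if ($segment === '..') {
            if ($parts === []) {
                return null; // attempt to climb above the root directory
            }
            array_pop($parts);
            continue;
        }
        $parts[] = $segment;
    }

    if ($parts === []) {
        return null; // nothing left to name a file after normalisation
    }

    $target = $rootReal . '/' . implode('/', $parts);

    // Final containment check: the target must be strictly below the root.
    return strpos($target, $rootReal . '/') === 0 ? $target : null;
}

// Demonstration on constructed inputs, using the system temp dir as the root.
$rootDir = sys_get_temp_dir();
$requests = [
    'docs/report.txt',                    // legitimate upload inside the root
    '../../../../../../../outside.php',   // traversal attempt (constructed)
    'docs/../../escape.txt',              // traversal hidden after a valid segment
];
foreach ($requests as $requested) {
    printf(
        "%-38s sanitized=%-38s target=%s\n",
        $requested,
        sanitize_fullpath($requested),
        resolve_upload_target($rootDir, $requested) ?? 'REJECTED'
    );
}
```

Run with `php example.php`: the first request resolves to a path under the temp directory, while both traversal attempts are rejected before any write happens, and the sanitised column shows that after the patch's replacement no "../" sequence survives in the name either.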



Thank you.
