LFI to Command Execution: Deutche Telekom Bug Bounty

Few months ago I did a little subdomain bruteforce on telekom.de , to see if there are new subdomains which, if I’m luck enough, could have some high severity vulnerabilities, since Deutche telekom only accepts SQL injection and Remote Code Execution.

After running aquatone, dnsenum, recon-ng and sublist3r, I collected all of the subdomains and removed duplicates, created a simple bash script to iterate over them and run dirb on every subdomain, and went on with my usual stalking of /r/netsec to read new interesting things.

Few hours later, I checked to see how dirb was doing and something caught my eye. I saw one subdomain had info.php page available. I just love php, developers usually mess up something, and leave some doors for hackers to come in. Opening info.php gave me some info that will be useful when Code Execution part comes.

After opening page I was greeted with login page. It was time to fire up BurpSuite and do some spidering. Few seconds later nice URL showed in burp :

https://netweb.telekom.de/netweb/gui/help.php?HELPFILE=logon.hlp

Oh, I just had to replace that logon.hlp with ../../../../../../../../etc/passwd :

https://netweb.telekom.de/netweb/gui/help.php?SID&HELPFILE=../../../../../../../../etc/passwd

And Bingo:

/etc/passwd output.

Some more files:

/etc/release output.
Part of report with LFI examples.

So LFI is fun, but it is not in scope, time to execute some command. I choose error.log poisoning option. So remember that info.php ( phpinfo()) file in the site root. It showed the location of error.log file, and made my job a lot easier, all the locations from SecList LFI list, gave 0 hits on the error.log file location. And in info.php it was:

https://netweb.telekom.de/netweb/gui/help.php?HELPFILE=../../../../../../../../../../../../../pkg/moip/netinfo/logs/apache-netweb-P/error.log
error.log output

So while running dirb on host I found file soap.php, that showed some errors that ended inside error.log , and one of the data inside log was referer value.

soap.php error inside error.log

Running simple test to see if referer value is executed:

Running curl with referer value 0f 58–8 to see if value 50 is inside output.

And again Bingo:

58–8 evaluated and 50 is output inside error.log.

And for POC let’s run phpinfo() :

setting referer to phpinfo() .

And output:

phpinfo() executed inside error.log file

And the full report:

Full report sent to Deutche Telekom Bug Bounty

Reported: April 10 2017
Fixed: Sometime in August

Daniel Maksimovic ( maxonebt4@gmail.com )
https://www.linkedin.com/in/daniel-maksimovic-73537882/