Is CVE-2022-35914 patched on this host?

Certain versions of GLPI include a vulnerable version of HTMLAWED. By submitting a carefully crafted http request to a vulnerable GLPI server unauthenticated remote code execution is achieved. This TTP attempts to run code on the GLPI server. The affected versions before <= 9.5.8 and <= 10.0.2.
This week, we are releasing a CVE TTP:
  • Is CVE-2022-35914 patched on this host?

Is CVE-2022-35914 patched on this host?

GLPI is an open-source service management software. It includes a CMDB, helpdesk, financial & project management applications, and administrative features to help teams manage IT changes and business processes.

For this week's TTP Tuesday, we're releasing an unauthenticated remote code execution exploit for GLPI. This TTP demonstrates how to run arbitrary code on a vulnerable GLPI server by sending a specially crafted HTTP packet to the GLPI htmlawed module.

The vulnerability affects GLPI versions from 9.5.8 >= 10.0.2.

Testing

Execute Operator's CVE-2022-35914 TTP on each GLPI server in your environment to test if you are vulnerable.

The TTP sends a GET request to /vendor/htmlawed/htmlawed/htmLawedTest.php on localhost. The TTP will attempt to remotely execute code on the GLPI server and then parse the resulting response to confirm whether exploitation was successful. Depending on your GLPI configuration, you may need to adjust the TTP's predefined URL.

Remediation

In September 2022, GLPI released a patch for GLPI 10.0.x (10.0.3) and 9.5.x (https://github.com/glpi-project/glpi/releases/tag/9.5.9). Apply patches or upgrade to the latest release version.

The vulnerability applies to several hook functions in GLPI. Disabling individual hooked function may not prevent exploitation as these hook functions are available via callback functions like arraymap and calluserfunc. Do not rely on disablefunction on exec to patch the vulnerability.

Check out the TTP Is CVE-2022-35914 patched on this host? on the Prelude chains website.


Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current

See the latest kill chain and TTP Releases: https://chains.prelude.org

See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu

Reddit: https://www.reddit.com/r/preludeorg/

Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg

Read our blog: https://feed.prelude.org

Watch our live streams: https://www.twitch.tv/preludeorg

Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: https://twitter.com/privateducky

Alex: https://twitter.com/khyberspache

Octavia: https://twitter.com/VVX7

Waseem: https://twitter.com/gerbsec

Source: https://feed.prelude.org
Read more

Execute this chain

Download Operator (1.7.1)
Learn about Operator

TTPs

Is CVE-2022-35914 patched on this host?

Tactics