For this week's TTP Tuesday, we're releasing an unauthenticated remote code execution exploit for GLPI. This TTP demonstrates how to run arbitrary code on a vulnerable GLPI server by sending a specially crafted HTTP request to the htmLawed module bundled with GLPI.
The vulnerability affects GLPI versions 9.5.8 through 10.0.2.
Execute Operator's CVE-2022-35914 TTP on each GLPI server in your environment to test if you are vulnerable.
The TTP sends a crafted POST request to /vendor/htmlawed/htmlawed/htmLawedTest.php on localhost (the test page takes its input from POST form fields). It attempts to remotely execute code on the GLPI server and then parses the response to confirm whether exploitation succeeded. Depending on your GLPI configuration (for example a non-default port, path or virtual host), you may need to adjust the TTP's predefined URL.
In September 2022, GLPI released fixes for both supported branches: 10.0.3 for GLPI 10.0.x and 9.5.9 for GLPI 9.5.x (https://github.com/glpi-project/glpi/releases/tag/9.5.9). Apply the patch or upgrade to the latest release.
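As an added example (this is not Prelude's TTP and not GLPI project code), the following Python sketches the two checks a defender would run against the statements above: a version test against the affected range, and a probe of the htmLawedTest.php path that only asks whether the page is still served, without sending any exploit payload. It assumes that a patched install no longer serves that path, that the test page's HTML mentions "htmLawed" somewhere (a marker chosen for this example), and that GLPI's inc/define.php declares a GLPI_VERSION constant; the define.php contents and HTTP responses used to exercise it are constructed.

```python
"""Defender-side checks for CVE-2022-35914 (GLPI htmLawed test page).

Added example: not Prelude's TTP and not GLPI project code.
"""
import os
import re
import sys
import urllib.error
import urllib.request
from typing import Optional, Tuple

# Path named in the advisory, relative to the GLPI web root.
HTMLAWED_TEST_PATH = "/vendor/htmlawed/htmlawed/htmLawedTest.php"

# Range the post lists as affected, and the release that fixed each branch.
FIRST_AFFECTED = (9, 5, 8)
FIXED_9_5 = (9, 5, 9)
FIXED_10_0 = (10, 0, 3)

# Assumption: the served test page mentions its own name somewhere in the HTML.
PAGE_MARKER = "htmlawed"


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """'10.0.2' -> (10, 0, 2); '10.0.3-dev' -> (10, 0, 3); None if not a version."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    major, minor, patch = m.groups(default="0")
    return (int(major), int(minor), int(patch))


def is_vulnerable_version(version: str) -> bool:
    """True for 9.5.8 and for 10.0.0 through 10.0.2; False once a fixed release is reached.

    Versions below 9.5.8 are outside the range quoted in the post and are not flagged here.
    """
    v = parse_version(version)
    if v is None or v < FIRST_AFFECTED:
        return False
    if FIXED_9_5 <= v < (10, 0, 0):
        return False  # 9.5.x branch, fixed
    if v >= FIXED_10_0:
        return False  # 10.0.x branch (or later), fixed
    return True


def version_from_define_php(source: str) -> Optional[str]:
    """Extract GLPI_VERSION from the contents of GLPI's inc/define.php (assumed location)."""
    m = re.search(r"""define\(\s*['"]GLPI_VERSION['"]\s*,\s*['"]([^'"]+)['"]""", source)
    return m.group(1) if m else None


def classify_probe_response(status: int, body: str) -> str:
    """Interpret the answer to a plain GET of the test page (no exploit payload is sent).

    'exposed' -> the test page is served, so the host needs the patch
    'absent'  -> 404/410; consistent with a patched install (assumption: patched builds do not serve it)
    'blocked' -> 401/403; the file may still exist behind access control
    'unknown' -> anything else; inspect manually
    """
    if status in (404, 410):
        return "absent"
    if status in (401, 403):
        return "blocked"
    if status == 200 and PAGE_MARKER in body.lower():
        return "exposed"
    return "unknown"


def probe(base_url: str, timeout: float = 5.0) -> str:
    """Fetch the test page from a live instance and classify it (network access required)."""
    url = base_url.rstrip("/") + HTMLAWED_TEST_PATH
    req = urllib.request.Request(url, headers={"User-Agent": "glpi-htmlawed-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_probe_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_probe_response(err.code, "")


def check_install(glpi_root: str) -> dict:
    """On the GLPI server itself: read the version and see whether the test file is on disk."""
    result = {"version": None, "vulnerable_version": None, "test_file_present": False}
    define_php = os.path.join(glpi_root, "inc", "define.php")
    if os.path.isfile(define_php):
        with open(define_php, encoding="utf-8", errors="replace") as fh:
            result["version"] = version_from_define_php(fh.read())
        if result["version"]:
            result["vulnerable_version"] = is_vulnerable_version(result["version"])
    test_file = os.path.join(glpi_root, *HTMLAWED_TEST_PATH.strip("/").split("/"))
    result["test_file_present"] = os.path.isfile(test_file)
    return result


if __name__ == "__main__":
    # Usage: python glpi_check.py http://localhost    or    python glpi_check.py /var/www/glpi
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost"
    if target.startswith(("http://", "https://")):
        print(probe(target))
    else:
        print(check_install(target))
```

Run it with a URL to probe over HTTP, or with the GLPI install directory when you are already on the server; a host that reports a fixed version but still has the test file on disk deserves a second look, since the file, not the version string, is what the exploit needs.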
The vulnerability applies to several hook functions in GLPI's htmLawed module. Disabling an individual hooked function may not prevent exploitation, because these hook functions are also reachable through callback functions such as array_map and call_user_func. Do not rely on adding exec to PHP's disable_functions setting to patch the vulnerability.
Check out the TTP "Is CVE-2022-35914 patched on this host?" on the Prelude chains website.
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg
Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg
David: https://twitter.com/privateducky
Alex: https://twitter.com/khyberspache
Octavia: https://twitter.com/VVX7
Waseem: https://twitter.com/gerbsec