CVE-2019-15715


With access to the admin page of the target Mantis Bug Tracker instance, an authenticated remote code execution vector becomes available: CVE-2019-15715.

A vulnerability was found in MantisBT up to 1.3.19/2.22.0 (bug tracking software) and has been rated critical. An authenticated attacker who can change certain configuration values (the dot_tool and neato_tool options described below) can trigger an OS command injection. The CWE definition for the vulnerability is CWE-78: the product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize, or incorrectly neutralizes, special elements that could modify the intended OS command when it is sent to a downstream component. The impact covers confidentiality, integrity, and availability.

There are two points where this is possible:

One is the dot_tool config option, which is read here:
https://github.com/mantisbt/mantisbt/blob/086f31048ccc882ebbd56c329dc66a7fd329a0a3/workflow_graph_img.php#L53

The other is the neato_tool config option, which is read here:
https://github.com/mantisbt/mantisbt/blob/086f31048ccc882ebbd56c329dc66a7fd329a0a3/core/relationship_graph_api.php#L160

Both configuration values eventually reach the "output" function of the graph class here:
https://github.com/mantisbt/mantisbt/blob/380fc71029341faae4cbe8dee181be28ba124031/core/graphviz_api.php#L355

There the configured tool string is concatenated into $t_command, which is later passed to $t_process = proc_open( $t_command, $t_descriptors, $t_pipes ); Because proc_open hands a string command line to /bin/sh, any shell metacharacters contained in the configured value are interpreted by the shell rather than treated as part of a program name.

Because an attacker with admin rights controls both the dot_tool and neato_tool config options, they can set one of them to a crafted command such as "echo '<?php phpinfo(); ?>';". The trailing ; terminates the injected command, so the "-T" and $p_format that the code appends afterwards become a separate (failing) shell command instead of arguments to the injected one, and the injected command runs exactly as written.
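The following PHP is an added illustration, not code from MantisBT: it reproduces the shape described above (a config-controlled tool name concatenated into a string handed to proc_open), shows what the crafted value does to that command line, and contrasts it with a hardened builder. The function names, the allowlist of tool basenames and the format pattern are assumptions chosen for this example; the real fix in the project may differ.

```php
<?php
// Added example (not MantisBT code). Helper names are hypothetical.

// Vulnerable shape: the configured tool string is concatenated straight into the
// command line. proc_open() runs a string command via /bin/sh -c, so any shell
// metacharacters in $p_tool are honoured by the shell.
function build_command_vulnerable( string $p_tool, string $p_format ): string {
    return $p_tool . ' -T' . $p_format;
}

// Runs a command line the way a graph renderer would: graph source on stdin,
// rendered output read back from stdout. Returns exit status and both streams.
function run_graph_tool( string $t_command, string $p_dot_source ): array {
    $t_descriptors = array(
        0 => array( 'pipe', 'r' ),   // stdin: graph source
        1 => array( 'pipe', 'w' ),   // stdout: rendered image (or injected output)
        2 => array( 'pipe', 'w' ),   // stderr
    );
    $t_process = proc_open( $t_command, $t_descriptors, $t_pipes );
    if( !is_resource( $t_process ) ) {
        return array( 'status' => -1, 'stdout' => '', 'stderr' => 'proc_open failed' );
    }
    fwrite( $t_pipes[0], $p_dot_source );
    fclose( $t_pipes[0] );
    $t_stdout = stream_get_contents( $t_pipes[1] );
    $t_stderr = stream_get_contents( $t_pipes[2] );
    fclose( $t_pipes[1] );
    fclose( $t_pipes[2] );
    $t_status = proc_close( $t_process );
    return array( 'status' => $t_status, 'stdout' => $t_stdout, 'stderr' => $t_stderr );
}

// Hardened shape (assumed policy for this example): the configured value must
// resolve to an existing executable whose basename is on an allowlist, the
// format must match a conservative pattern, and both are shell-quoted.
function build_command_hardened( string $p_tool, string $p_format ): string {
    $t_allowed = array( 'dot', 'neato' );
    $t_path = realpath( $p_tool );
    if( $t_path === false || !is_executable( $t_path ) ) {
        throw new RuntimeException( 'graph tool is not an executable file: ' . $p_tool );
    }
    if( !in_array( basename( $t_path ), $t_allowed, true ) ) {
        throw new RuntimeException( 'graph tool is not an allowed binary: ' . $t_path );
    }
    if( !preg_match( '/^[a-z0-9]+$/', $p_format ) ) {
        throw new RuntimeException( 'unexpected output format: ' . $p_format );
    }
    return escapeshellarg( $t_path ) . ' -T' . escapeshellarg( $p_format );
}

// Demonstration with the crafted dot_tool value from the write-up.
$t_payload = "echo '<?php phpinfo(); ?>';";

$t_cmd = build_command_vulnerable( $t_payload, 'png' );
echo "vulnerable command line: $t_cmd\n";
$t_result = run_graph_tool( $t_cmd, 'digraph { a -> b }' );
// The shell runs the echo, then fails on "-Tpng" as a separate command;
// stdout carries the injected output instead of an image.
echo "exit status: " . $t_result['status'] . "\n";
echo "stdout: " . $t_result['stdout'];
echo "stderr: " . $t_result['stderr'];

try {
    build_command_hardened( $t_payload, 'png' );
} catch( RuntimeException $e ) {
    echo "hardened builder rejected the value: " . $e->getMessage() . "\n";
}
```

Run it with the PHP CLI on a Unix host; the vulnerable path prints the echoed PHP tag on stdout and a "not found" complaint about -Tpng on stderr, while the hardened builder refuses the value before anything is executed. The allowlist plus realpath check is what actually closes the hole; escapeshellarg alone would stop metacharacters but still let an administrator point the option at any binary on the box.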

Exploit


N/A