# Vulnerability: Unauthenticated RCE via SCSS Injection in GLPI Dashboards
## CVE Details
- CVE ID: CVE-2024-50339
- CVSS Score: 9.8 (Critical) - *Inferred based on resulting session hijacking capability.*
- CWE: CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) or CWE-94 (Improper Control of Generation of Code ('Code Injection')) due to file system access exploitation.
## Affected Systems
- Products: GLPI (Gestionnaire libre de parc informatique)
- Versions: All versions between **9.5.0** and **10.0.16** (inclusive), by default.
- Configurations: Instances where the default session directory (`/files/_sessions/`) is accessible or queryable via the underlying SCSS compiler mechanism.
## Vulnerability Description
This vulnerability is a multi-step attack chain leading to high-privilege user session hijacking.
1. **Information Disclosure (Unauthenticated):** An unauthenticated attacker can abuse the `update.php` script parameter to leak sensitive telemetry information, including the instance's unique installation token.
2. **Dashboard Access:** The leaked token allows the attacker to dynamically construct a URL to view any GLPI dashboard, even without authentication.
3. **Remote Code Execution Vector (SCSS Injection):** Certain dashboard widgets dynamically render styled output using SCSS, compiled via the `scssphp` library. An attacker can inject malicious SCSS code into parameters supplied to specific widgets.
4. **Session Hijacking:** The malicious SCSS triggers the `scssphp` function `libScssphpGlob()`. This function is vulnerable as it allows file path/pattern matching (globbing) within the PHP environment. By targeting the default PHP session storage directory (e.g., `/files/_sessions/`), the attacker can list active session files, retrieve session identifiers, and hijack sessions belonging to authenticated, high-privilege users.
## Exploitation
- Status: PoC available (Tool `glpwnme` mentioned)
- Complexity: Low/Medium (Requires multi-stage steps: information leak, dashboard crafting, injection payload)
- Attack Vector: Network (Requires HTTP access to the vulnerable GLPI instance)
## Impact
- Confidentiality: High (Session hijacking exposes all accessible data for the targeted user, potentially including administrative secrets)
- Integrity: High (Can lead to unauthorized configuration changes or data modification)
- Availability: Low (The primary impact is compromise, not denial of service)
## Remediation
### Patches
- Upgrade GLPI to version **10.0.17** or later.
### Workarounds
- If patching GLPI core is not immediately possible, update the vendor folder containing the `scssphp` library (the vulnerability relies on a function that was removed or fixed in the updated library).
- The vendor recommends changing the default session directory location, though this may not fully prevent exploitation if the file listing capability itself remains reachable.
## Detection
- **Indicators of Compromise:** Unusually high read or access activity against the GLPI session storage directory (`/files/_sessions/`), and unknown or unexpected external requests that query dashboard or widget URLs.
- **Detection Methods and Tools:** Web Application Firewall (WAF) or IDS/IPS rules that look for unusual characters or globbing patterns (`*`, `?`) within parameters associated with dashboard widget requests or initialization steps.
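The following is an added detection example, not code from the original report or from the GLPI project. It applies the rules above to web-server access logs: it flags requests to `update.php` that carry query parameters, and requests to dashboard endpoints whose decoded parameter values contain the globbing characters `*` or `?` or reference the `_sessions` directory. The endpoint paths (`/ajax/dashboard.php`, `/front/central.php`), the `install/` prefix and the `widget` parameter name are assumptions chosen for illustration; the log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined/common log format (Apache and nginx defaults).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumed GLPI paths that serve dashboard/widget requests; adjust to your deployment.
DASHBOARD_PATHS = ("/ajax/dashboard.php", "/front/central.php")
# Globbing characters named in the advisory's detection guidance.
GLOB_CHARS = set("*?")


def suspicious_values(query):
    """Return (key, decoded value) pairs whose value contains a glob character
    or references the session directory. parse_qs already URL-decodes once;
    the extra unquote() catches double-encoded payloads such as %252A."""
    hits = []
    for key, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote(value)
            if GLOB_CHARS & set(decoded) or "_sessions" in decoded:
                hits.append((key, decoded))
    return hits


def classify(line):
    """Classify one access-log line; return None when it is not of interest."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = parts.path
    # Step 1 of the chain: update.php queried with parameters from outside.
    if path.endswith("/update.php") and parts.query:
        return ("update_php_params", m.group("ip"), path)
    # Step 3 of the chain: glob patterns or session-dir references in widget params.
    if any(path.endswith(p) for p in DASHBOARD_PATHS):
        hits = suspicious_values(parts.query)
        if hits:
            return ("dashboard_glob", m.group("ip"), hits)
    return None


def scan(lines):
    """Run classify() over an iterable of log lines and keep the findings."""
    return [finding for finding in (classify(l) for l in lines) if finding]


def findings_by_ip(findings):
    """Group finding types per source IP so a single client that trips both
    rules (leak, then injection) stands out from isolated false positives."""
    grouped = {}
    for kind, ip, _detail in findings:
        grouped.setdefault(ip, set()).add(kind)
    return grouped


# Constructed sample log: one client walks the chain, another is benign traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Nov/2024:12:00:01 +0000] "GET /glpi/install/update.php?x=1 HTTP/1.1" 200 512',
    '203.0.113.10 - - [10/Nov/2024:12:00:05 +0000] "GET /glpi/ajax/dashboard.php?widget=x%2A HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Nov/2024:12:01:00 +0000] "GET /glpi/ajax/dashboard.php?widget=42 HTTP/1.1" 200 1024',
    '198.51.100.7 - - [10/Nov/2024:12:01:10 +0000] "GET /glpi/front/computer.php?id=3 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    print(findings_by_ip(scan(SAMPLE_LOG)))
```

A literal `?` inside a query value is rare in normal GLPI traffic but not impossible, so treat a single `dashboard_glob` hit as a signal to review, and a client that produces both an `update_php_params` and a `dashboard_glob` finding in a short window as a high-confidence alert.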
## References
- Vendor Advisories: GLPI Security Notice (Referenced by GHSA publication)
- Relevant links:
  - hxxps://github.com/Orange-Cyberdefense/glpwnme
  - GHSA advisory referencing the fix in 10.0.17