Directus 8 before 8.8.2 allows remote authenticated users to execute arbitrary code because file-upload permissions include the ability to upload a .php file to the main upload directory and/or upload a .php file and a .htaccess file to a subdirectory. Exploitation succeeds only for certain installations with the Apache HTTP Server and the local-storage driver (e.g., when the product was obtained from hub.docker.com).
{"id": "CVE-2021-29641", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-29641", "description": "Directus 8 before 8.8.2 allows remote authenticated users to execute arbitrary code because file-upload permissions include the ability to upload a .php file to the main upload directory and/or upload a .php file and a .htaccess file to a subdirectory. Exploitation succeeds only for certain installations with the Apache HTTP Server and the local-storage driver (e.g., when the product was obtained from hub.docker.com).", "published": "2021-04-07T22:15:00", "modified": "2021-04-13T12:03:00", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.5}, "severity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-29641", "reporter": "cve@mitre.org", "references": ["https://sec-consult.com/de/vulnerability-lab/advisory/arbitrary-file-upload-and-bypassing-htaccess-rules-in-monospace-directus-headless-cms/", "http://seclists.org/fulldisclosure/2021/Apr/14", 
"https://sec-consult.com/vulnerability-lab/advisory/arbitrary-file-upload-and-bypassing-htaccess-rules-in-monospace-directus-headless-cms/", "https://hub.docker.com/layers/directus/directus/v8.8.2-apache/images/sha256-d9898b6442b0150c3c377b50e706757f35d2d563bd82ddaf97f3ae4ba450a6e6?context=explore", "http://packetstormsecurity.com/files/162118/Monospace-Directus-Headless-CMS-File-Upload-Rule-Bypass.html"], "cvelist": ["CVE-2021-29641"], "immutableFields": [], "lastseen": "2022-03-23T17:03:43", "viewCount": 30, "enchantments": {"dependencies": {"references": [{"type": "packetstorm", "idList": ["PACKETSTORM:162118"]}, {"type": "zdt", "idList": ["1337DAY-ID-36084"]}], "rev": 4}, "score": {"value": 4.7, "vector": "NONE"}, "backreferences": {"references": [{"type": "packetstorm", "idList": ["PACKETSTORM:162118"]}, {"type": "zdt", "idList": ["1337DAY-ID-36084"]}]}, "exploitation": null, "vulnersScore": 4.7}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": [], "cpe23": [], "cwe": ["CWE-434"], "affectedSoftware": [{"cpeName": "rangerstudio:directus", "version": "8.8.2", "operator": "lt", "name": "rangerstudio directus"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:rangerstudio:directus:8.8.2:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.0", "versionEndExcluding": "8.8.2", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://sec-consult.com/de/vulnerability-lab/advisory/arbitrary-file-upload-and-bypassing-htaccess-rules-in-monospace-directus-headless-cms/", "name": "https://sec-consult.com/de/vulnerability-lab/advisory/arbitrary-file-upload-and-bypassing-htaccess-rules-in-monospace-directus-headless-cms/", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "http://seclists.org/fulldisclosure/2021/Apr/14", "name": "20210407 SEC Consult SA-20210407-0 :: Arbitrary File 
Upload and Bypassing .htaccess Rules in Monospace Directus Headless CMS", "refsource": "FULLDISC", "tags": ["Exploit", "Mailing List", "Third Party Advisory"]}, {"url": "https://sec-consult.com/vulnerability-lab/advisory/arbitrary-file-upload-and-bypassing-htaccess-rules-in-monospace-directus-headless-cms/", "name": "https://sec-consult.com/vulnerability-lab/advisory/arbitrary-file-upload-and-bypassing-htaccess-rules-in-monospace-directus-headless-cms/", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://hub.docker.com/layers/directus/directus/v8.8.2-apache/images/sha256-d9898b6442b0150c3c377b50e706757f35d2d563bd82ddaf97f3ae4ba450a6e6?context=explore", "name": "https://hub.docker.com/layers/directus/directus/v8.8.2-apache/images/sha256-d9898b6442b0150c3c377b50e706757f35d2d563bd82ddaf97f3ae4ba450a6e6?context=explore", "refsource": "MISC", "tags": ["Third Party Advisory"]}, {"url": "http://packetstormsecurity.com/files/162118/Monospace-Directus-Headless-CMS-File-Upload-Rule-Bypass.html", "name": "http://packetstormsecurity.com/files/162118/Monospace-Directus-Headless-CMS-File-Upload-Rule-Bypass.html", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}]}
{"packetstorm": [{"lastseen": "2021-04-07T21:09:32", "description": "", "cvss3": {}, "published": "2021-04-07T00:00:00", "type": "packetstorm", "title": "Monospace Directus Headless CMS File Upload / Rule Bypass", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-29641"], "modified": "2021-04-07T00:00:00", "id": "PACKETSTORM:162118", "href": "https://packetstormsecurity.com/files/162118/Monospace-Directus-Headless-CMS-File-Upload-Rule-Bypass.html", "sourceData": "`SEC Consult Vulnerability Lab Security Advisory < 20210407-0 > \n======================================================================= \ntitle: Arbitrary File Upload and Bypassing .htaccess Rules \nproduct: Monospace Directus Headless CMS \nvulnerable version: < v8.8.2 \nfixed version: v8.8.2, v9 is not affected because of different architecture \nCVE number: CVE-2021-29641 \nimpact: High \nhomepage: https://directus.io/ \nfound: 2020-12-15 \nby: Oliver Boehlk (Atos Germany) \nMoritz Friedmann (Atos Germany) \nSEC Consult Vulnerability Lab \n \nAn integrated part of SEC Consult, an Atos company \nEurope | Asia | North America \n \nhttps://www.sec-consult.com \n \n======================================================================= \n \nVendor description: \n------------------- \n\"Directus Open-Source, Free & Unlimited. No Strings Attached. \nOur premium software is available at no cost for commercial and personal use. \nThis self-hosted version is full-featured, with no artificial limitations.\" \n \nSource: https://directus.io/open-source/ \n \n \nBusiness recommendation: \n------------------------ \nThe vendor provides an updated version for v8 which fixes the security issue. It should \nbe installed immediately. \n \nNote: Directus v8 has been deprecated/discontinued and is replaced by version 9, \nwhich currently does not have a final release version yet. 
Updating to Directus v9 \nfixes this vulnerability as well because the NodeJS architecture replaces \nthe PHP API \nand hence is not affected. \n \n \nAccording to the vendor, the identified security issue only applies to v8 \ninstallations \nrelying on the specific Apache-based config in the Docker image, using the local-storage \ndriver for uploads. The recommendation from the vendor is to use a connection to S3 for \nsuch installations, install the patch v8.8.2 or upgrade to version 9. \n \n \nVulnerability overview/description: \n----------------------------------- \n1) Arbitrary File Upload and Bypassing .htaccess Rules (CVE-2021-29641) \nAny low privileged user with file upload permissions can upload webshells \nor \nother malicious PHP files which can be found in /uploads/_/originals/. \n \nIf the server prevents the execution of PHP files in the upload directory \nthe \nattacker can move the file into a subdirectory where he can upload a custom .htaccess \nfile to enable PHP execution again. \n \nServer side command execution can be used to retrieve the Directus configuration \nand database credentials to escalate in-app privileges, retrieve password \nhashes \nor move laterally in the network. 
\n \n \nProof of concept: \n----------------- \n1) Arbitrary File Upload and Bypassing .htaccess Rules (CVE-2021-29641) \nA PoC environment can be created using a docker-compose.yml file: \n \nversion: \"3\" \n \nservices: \napp: \nimage: directus/directus:v8.8.1-apache \nports: \n- 8080:80 \nenvironment: \nDIRECTUS_INSTALL_TITLE: vulnerable directus server \nDIRECTUS_INSTALL_EMAIL: admin@ha.ck \nDIRECTUS_INSTALL_PASSWORD: admin1 \nDIRECTUS_AUTH_SECRETKEY: directusprivtest \nDIRECTUS_AUTH_PUBLICKEY: directuspubtest \nDIRECTUS_DATABASE_HOST: db \nDIRECTUS_DATABASE_NAME: directus \nDIRECTUS_DATABASE_USERNAME: directus \nDIRECTUS_DATABASE_PASSWORD: directus \n \ndb: \nimage: mariadb \nenvironment: \nMYSQL_ROOT_PASSWORD: directusroot \nMYSQL_DATABASE: directus \nMYSQL_USER: directus \nMYSQL_PASSWORD: directus \n \n \nOptionally, Directus data folders can be mounted for persistent storage: \nvolumes: \n- ./data/config:/var/directus/config \n- ./data/uploads:/var/directus/public/uploads \n \nAn .htaccess file can be placed in the uploads directory to prevent PHP execution: \n<IfModule mod_php7.c> \nphp_flag engine off \n</IfModule> \n \n \nInitial installation requires \"install\" to be called: \ndocker-compose up -d && docker-compose run app install \n \nLogin defined in docker-compose: \nadmin@ha.ck:admin1 \n \nAn attacker can upload a PHP file and open it at uploads/_/originals/[randomid].php. \nIf a .htaccess file is used, the code does not get executed and gets returned in plain text. \n \nYou can edit the item in Directus and change the Filename Disk to \"test/file.php\" (it doesn't \nmatter that there is no folder named test yet, Directus/Apache does you a \nfavor and creates it \nfor you). \n \nNow you can access the file at /uploads/_/originals/test/file.php. \nEven if you delete the file in Directus it remains on the server, and can \nbe accessed via the \nabove mentioned URL. 
\n \nTo get code execution the next step is to simply upload an own .htaccess file containing \n<IfModule mod_php7.c> \nphp_flag engine on \n</IfModule> \n \nAnd again change the Filename Disk to test/.htaccess. \n \nNow calling /uploads/_/originals/test/file.php executes the PHP file. \n \n \nVulnerable / tested versions: \n----------------------------- \nThe following versions have been tested and found to be vulnerable. According to the vendor, \nonly the Apache-based docker image with the local-storage driver is affected and not the \nDirectus suite as a whole. \n \n* v8.4.0 \n* v8.8.1 (latest version at the time of the test) \n \nIt is assumed that all previous v8 versions are affected as well. \n \nVersion 9 uses a different architecture and is not affected by this vulnerability. \n \n \nVendor contact timeline: \n------------------------ \n2020-12-16 | Contacting vendor through security@directus.io; no reply \n2021-03-04 | Contacting vendor again through security@directus.io \n2021-03-05 | Vendor reply, exchanged S/MIME certificates \n2021-03-08 | Sending security advisory to vendor \n2021-03-12 | Asking the vendor whether they received the advisory; no reply \n2021-03-25 | Asking vendor again for status update \n2021-03-25 | Vendor: v8 will be fixed in new version \n2021-03-26 | Vendor: the issue has been fixed in v8.8.2 available at dockerhub \n2021-04-07 | Coordinated release of security advisory \n \n \nSolution: \n--------- \nThe vendor provides an updated version v8.8.2 at dockerhub which fixes the security \nissue: \nhttps://hub.docker.com/layers/directus/directus/v8.8.2-apache/images/sha256-d9898b6442b0150c3c377b50e706757f35d2d563bd82ddaf97f3ae4ba450a6e6?context=explore \n \nAlternatively, version 9 can be installed as well, which uses a different \narchitecture \nand is not affected. 
\n \n \nWorkaround: \n----------- \nNone \n \n \nAdvisory URL: \n------------- \nhttps://sec-consult.com/vulnerability-lab/ \n \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nSEC Consult Vulnerability Lab \n \nSEC Consult, an Atos company \nEurope | Asia | North America \n \nAbout SEC Consult Vulnerability Lab \nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an \nAtos company. It ensures the continued knowledge gain of SEC Consult in the \nfield of network and application security to stay ahead of the attacker. The \nSEC Consult Vulnerability Lab supports high-quality penetration testing and \nthe evaluation of new offensive and defensive technologies for our customers. \nHence our customers obtain the most current information about vulnerabilities \nand valid recommendation about the risk profile of new technologies. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \nInterested to work with the experts of SEC Consult? \nSend us your application https://sec-consult.com/career/ \n \nInterested in improving your cyber security with the experts of SEC Consult? \nContact our local offices https://sec-consult.com/contact/ \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nMail: research at sec-consult dot com \nWeb: https://www.sec-consult.com \nBlog: http://blog.sec-consult.com \nTwitter: https://twitter.com/sec_consult \n \nEOF O. Boehlk, M. 
Friedmann / @2021 \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/162118/SA-20210407-0.txt", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2021-10-16T22:49:59", "description": "", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-07T00:00:00", "type": "zdt", "title": "Monospace Directus Headless CMS File Upload / Rule Bypass Vulnerabilities", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-29641"], "modified": "2021-04-07T00:00:00", "id": "1337DAY-ID-36084", "href": "https://0day.today/exploit/description/36084", "sourceData": "=======================================================================\r\n title: Arbitrary File Upload and Bypassing .htaccess Rules\r\n product: Monospace Directus Headless CMS\r\n vulnerable version: < v8.8.2\r\n fixed version: v8.8.2, v9 is not affected because of different architecture\r\n CVE number: CVE-2021-29641\r\n impact: High\r\n homepage: https://directus.io/\r\n\r\n=======================================================================\r\n\r\nVendor description:\r\n-------------------\r\n\"Directus 
Open-Source, Free & Unlimited. No Strings Attached.\r\nOur premium software is available at no cost for commercial and personal use.\r\nThis self-hosted version is full-featured, with no artificial limitations.\"\r\n\r\nSource: https://directus.io/open-source/\r\n\r\n\r\nBusiness recommendation:\r\n------------------------\r\nThe vendor provides an updated version for v8 which fixes the security issue. It should\r\nbe installed immediately.\r\n\r\nNote: Directus v8 has been deprecated/discontinued and is replaced by version 9,\r\nwhich currently does not have a final release version yet. Updating to Directus v9\r\nfixes this vulnerability as well because the NodeJS architecture replaces \r\nthe PHP API\r\nand hence is not affected.\r\n\r\n\r\nAccording to the vendor, the identified security issue only applies to v8 \r\ninstallations\r\nrelying on the specific Apache-based config in the Docker image, using the local-storage\r\ndriver for uploads. The recommendation from the vendor is to use a connection to S3 for\r\nsuch installations, install the patch v8.8.2 or upgrade to version 9.\r\n\r\n\r\nVulnerability overview/description:\r\n-----------------------------------\r\n1) Arbitrary File Upload and Bypassing .htaccess Rules (CVE-2021-29641)\r\nAny low privileged user with file upload permissions can upload webshells \r\nor\r\nother malicious PHP files which can be found in /uploads/_/originals/.\r\n\r\nIf the server prevents the execution of PHP files in the upload directory \r\nthe\r\nattacker can move the file into a subdirectory where he can upload a custom .htaccess\r\nfile to enable PHP execution again.\r\n\r\nServer side command execution can be used to retrieve the Directus configuration\r\nand database credentials to escalate in-app privileges, retrieve password \r\nhashes\r\nor move laterally in the network.\r\n\r\n\r\nProof of concept:\r\n-----------------\r\n1) Arbitrary File Upload and Bypassing .htaccess Rules (CVE-2021-29641)\r\nA PoC environment can 
be created using a docker-compose.yml file:\r\n\r\nversion: \"3\"\r\n\r\nservices:\r\n app:\r\n image: directus/directus:v8.8.1-apache\r\n ports:\r\n - 8080:80\r\n environment:\r\n DIRECTUS_INSTALL_TITLE: vulnerable directus server\r\n DIRECTUS_INSTALL_EMAIL: admin@ha.ck\r\n DIRECTUS_INSTALL_PASSWORD: admin1\r\n DIRECTUS_AUTH_SECRETKEY: directusprivtest\r\n DIRECTUS_AUTH_PUBLICKEY: directuspubtest\r\n DIRECTUS_DATABASE_HOST: db\r\n DIRECTUS_DATABASE_NAME: directus\r\n DIRECTUS_DATABASE_USERNAME: directus\r\n DIRECTUS_DATABASE_PASSWORD: directus\r\n\r\n db:\r\n image: mariadb\r\n environment:\r\n MYSQL_ROOT_PASSWORD: directusroot\r\n MYSQL_DATABASE: directus\r\n MYSQL_USER: directus\r\n MYSQL_PASSWORD: directus\r\n\r\n\r\nOptionally, Directus data folders can be mounted for persistent storage:\r\nvolumes:\r\n- ./data/config:/var/directus/config\r\n- ./data/uploads:/var/directus/public/uploads\r\n\r\nAn .htaccess file can be placed in the uploads directory to prevent PHP execution:\r\n<IfModule mod_php7.c>\r\n php_flag engine off\r\n</IfModule>\r\n\r\n\r\nInitial installation requires \"install\" to be called:\r\ndocker-compose up -d && docker-compose run app install\r\n\r\nLogin defined in docker-compose:\r\nadmin@ha.ck:admin1\r\n\r\nAn attacker can upload a PHP file and open it at uploads/_/originals/[randomid].php.\r\nIf a .htaccess file is used, the code does not get executed and gets returned in plain text.\r\n\r\nYou can edit the item in Directus and change the Filename Disk to \"test/file.php\" (it doesn't\r\nmatter that there is no folder named test yet, Directus/Apache does you a \r\nfavor and creates it\r\nfor you).\r\n\r\nNow you can access the file at /uploads/_/originals/test/file.php.\r\nEven if you delete the file in Directus it remains on the server, and can \r\nbe accessed via the\r\nabove mentioned URL.\r\n\r\nTo get code execution the next step is to simply upload an own .htaccess file containing\r\n<IfModule mod_php7.c>\r\n 
php_flag engine on\r\n</IfModule>\r\n\r\nAnd again change the Filename Disk to test/.htaccess.\r\n\r\nNow calling /uploads/_/originals/test/file.php executes the PHP file.\r\n\r\n\r\nVulnerable / tested versions:\r\n-----------------------------\r\nThe following versions have been tested and found to be vulnerable. According to the vendor,\r\nonly the Apache-based docker image with the local-storage driver is affected and not the\r\nDirectus suite as a whole.\r\n\r\n* v8.4.0\r\n* v8.8.1 (latest version at the time of the test)\r\n\r\nIt is assumed that all previous v8 versions are affected as well.\r\n\r\nVersion 9 uses a different architecture and is not affected by this vulnerability.\r\n\r\n\r\nVendor contact timeline:\r\n------------------------\r\n2020-12-16 | Contacting vendor through security@directus.io; no reply\r\n2021-03-04 | Contacting vendor again through security@directus.io\r\n2021-03-05 | Vendor reply, exchanged S/MIME certificates\r\n2021-03-08 | Sending security advisory to vendor\r\n2021-03-12 | Asking the vendor whether they received the advisory; no reply\r\n2021-03-25 | Asking vendor again for status update\r\n2021-03-25 | Vendor: v8 will be fixed in new version\r\n2021-03-26 | Vendor: the issue has been fixed in v8.8.2 available at dockerhub\r\n2021-04-07 | Coordinated release of security advisory\r\n\r\n\r\nSolution:\r\n---------\r\nThe vendor provides an updated version v8.8.2 at dockerhub which fixes the security\r\nissue:\r\nhttps://hub.docker.com/layers/directus/directus/v8.8.2-apache/images/sha256-d9898b6442b0150c3c377b50e706757f35d2d563bd82ddaf97f3ae4ba450a6e6?context=explore\r\n\r\nAlternatively, version 9 can be installed as well, which uses a different \r\narchitecture\r\nand is not affected.\n\n# 0day.today [2021-10-17] #", "sourceHref": "https://0day.today/exploit/36084", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}]}