SEC Consult Vulnerability Lab Security Advisory < 20180712-0 >
=======================================================================
title: Remote Code Execution & Local File Disclosure
product: Zeta Producer Desktop CMS
vulnerable version: <=14.2.0
fixed version: >=14.2.1
CVE number: CVE-2018-13981, CVE-2018-13980
impact: critical
homepage: https://www.zeta-producer.com
found: 2017-11-25
by: P. Morimoto (Office Bangkok)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"With Zeta Producer, the website builder and online shop system for Windows,
you can create and manage your website locally, on your computer.
Get without expertise in 3 steps to your own homepage: select design,
paste content, publish website. Finished."
Source: https://www.zeta-producer.com/de/index.html
Business recommendation:
------------------------
The vendor provides a patched version which should be installed immediately.
Users of the product also need to verify that the affected widgets are updated in
the corresponding website project! It could be necessary to rebuild the whole project
or copy the new widgets to the website projects. For further information consult the
vendor.
Furthermore, an in-depth security analysis is highly advised, as the software may be
affected by further security issues.
Vulnerability overview/description:
-----------------------------------
1) Remote Code Execution (CVE-2018-13981)
The email contact functionality of the "formmailer" widget accepts file uploads.
If a user uploads a PHP script with a .php extension, the server renames it to
.phps to prevent PHP code execution.
However, an attacker can upload .php5 or .phtml files to the server without any
restriction, and these alternative file extensions are executed as PHP code.
Furthermore, the server will create a folder to store the files, with a
random name using PHP's "uniqid" function.
Unfortunately, if the server permits directory listing, the attacker can simply
browse to the uploaded PHP script. If directory listing is disabled, the attacker
can still brute-force the random name and gain remote code execution via the
PHP script. In testing against a local server, brute-forcing the random name took
about 20 seconds. The attack is slower over the Internet but remains feasible.
Users who run the Zeta Producer Desktop CMS GUI client locally are also
vulnerable, because a web server will be running on TCP port 9153.
The root cause is in the widget "formmailer" which is enabled by default.
The following files are affected:
- /assets/php/formmailer/SendEmail.php
- /assets/php/formmailer/functions.php
2) Local File Disclosure (CVE-2018-13980)
If the user enables the "filebrowser" widget in Zeta Producer Desktop CMS, an
unauthenticated attacker can read local files by exploiting path traversal issues.
The following files are affected:
- /assets/php/filebrowser/filebrowser.main.php
Proof of concept:
-----------------
1) Remote Code Execution (CVE-2018-13981)
The following Python script can be used to exploit the chain of vulnerabilities.
[.. code has been removed to prevent misuses ..]
When the script is executed, a PHP script (shell) will be uploaded automatically.
# $ python exploit.py
# [+] injecting webshell to http://target/assets/php/formmailer/SendEmail.php
#
# 5a1a5bc991afe
# 5a1a5bc99453a
# 10812
# [*] Found : http://target/assets/php/formmailer/upload_5a1a5bc992772/sectest.php5
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
2) Local File Disclosure (CVE-2018-13980)
The parameter "file" in the "filebrowser.main.php" script can be exploited to read
arbitrary files from the OS with the privileges of the web server user.
Any unauthenticated user can exploit this issue!
http://target/assets/php/filebrowser/filebrowser.main.php?file=../../../../../../../../../../etc/passwd&do=download
http://target/assets/php/filebrowser/filebrowser.main.php?file=../../../../../../../../../../etc&do=list
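As an added defender-side example (not part of the SEC Consult advisory), the Python script below flags the three request patterns described above in web-server access logs: a PHP-type file served from a formmailer "upload_" directory, a burst of 404s against such directories (guessing of the 13-hex-digit uniqid() name), and a "../" step in the "file" parameter of filebrowser.main.php. It assumes Apache combined-log format; the log lines are constructed, the threshold of three misses and the PHP extensions beyond .php5/.phtml are assumptions, not values from the advisory.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-log lines (not real traffic) mirroring the request
# pattern from the advisory: form upload to SendEmail.php, guessing of the
# uniqid()-named upload_ directory, execution of a .php5 file, and "../"
# traversal against filebrowser.main.php. The uniqid value 5a1a5bc991afe is
# taken from the advisory's PoC output; the increments after it are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jul/2018:10:00:01 +0000] "POST /assets/php/formmailer/SendEmail.php HTTP/1.1" 200 512
203.0.113.7 - - [12/Jul/2018:10:00:02 +0000] "GET /assets/php/formmailer/upload_5a1a5bc991afe/ HTTP/1.1" 404 209
203.0.113.7 - - [12/Jul/2018:10:00:02 +0000] "GET /assets/php/formmailer/upload_5a1a5bc991aff/ HTTP/1.1" 404 209
203.0.113.7 - - [12/Jul/2018:10:00:02 +0000] "GET /assets/php/formmailer/upload_5a1a5bc991b00/ HTTP/1.1" 404 209
203.0.113.7 - - [12/Jul/2018:10:00:03 +0000] "GET /assets/php/formmailer/upload_5a1a5bc992772/sectest.php5 HTTP/1.1" 200 60
198.51.100.9 - - [12/Jul/2018:10:05:00 +0000] "GET /assets/php/filebrowser/filebrowser.main.php?file=..%2F..%2F..%2Fetc%2Fpasswd&do=download HTTP/1.1" 200 1800
192.0.2.5 - - [12/Jul/2018:10:06:00 +0000] "GET /assets/php/filebrowser/filebrowser.main.php?file=docs%2Freport.pdf&do=download HTTP/1.1" 200 40000
192.0.2.5 - - [12/Jul/2018:10:07:00 +0000] "GET /index.html HTTP/1.1" 200 3000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# .php5 and .phtml are the extensions the advisory names as not being renamed;
# the rest are further extensions commonly mapped to the PHP handler (assumption).
PHP_EXTENSIONS = (".php", ".php5", ".phtml", ".php3", ".php4", ".php7", ".phar")
# PHP's uniqid() yields 13 hex digits by default (8 for seconds, 5 for microseconds).
UPLOAD_DIR_RE = re.compile(r"^/assets/php/formmailer/upload_[0-9a-f]{13}(/|$)")
FILEBROWSER_PATH = "/assets/php/filebrowser/filebrowser.main.php"
BRUTE_THRESHOLD = 3  # 404s on upload_ dirs from one client before we call it guessing (assumption)


def parse_line(line):
    """Parse one combined-log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    split = urlsplit(rec["target"])
    rec["path"] = split.path
    rec["query"] = parse_qs(split.query)  # parse_qs already URL-decodes once
    return rec


def is_traversal(value):
    """True if a 'file' value still contains a parent-directory step after repeated
    decoding, so ..%2F, %2e%2e/ and double-encoded %252e%252e variants are caught."""
    decoded = value
    for _ in range(3):
        decoded = unquote(decoded)
    normalized = decoded.replace("\\", "/")
    return any(segment == ".." for segment in normalized.split("/"))


def detect(log_text):
    """Return (client_ip, finding) tuples for the three patterns from the advisory."""
    findings = []
    upload_404s = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec["ip"], rec["path"], rec["status"]
        if UPLOAD_DIR_RE.match(path):
            if status == 404:
                upload_404s[ip] += 1
            elif status == 200 and path.lower().endswith(PHP_EXTENSIONS):
                findings.append((ip, f"PHP file served from formmailer upload dir: {path}"))
        if path == FILEBROWSER_PATH:
            for value in rec["query"].get("file", []):
                if is_traversal(value):
                    findings.append((ip, f"path traversal in filebrowser 'file' parameter: {value}"))
    for ip, count in upload_404s.items():
        if count >= BRUTE_THRESHOLD:
            findings.append((ip, f"{count} misses on upload_ directories (uniqid guessing)"))
    return findings


if __name__ == "__main__":
    for ip, finding in detect(SAMPLE_LOG):
        print(f"{ip}: {finding}")
```

Running the block against the constructed log reports the served .php5 file and the directory guessing from 203.0.113.7 and the traversal from 198.51.100.9, while the legitimate download by 192.0.2.5 is not flagged.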
Vulnerable / tested versions:
-----------------------------
The following versions have been tested; they were the latest versions available
at the time of the test:
Zeta Producer Desktop CMS 14.1.0
Zeta Producer Desktop CMS 14.2.0
Source:
- https://www.zeta-producer.com/de/download.html
- https://github.com/ZetaSoftware/zeta-producer-content/
Vendor contact timeline:
------------------------
2017-11-29: Contacting vendor through info@zeta-producer.com and various other
email addresses from the website. No reply.
2017-12-13: Contacting vendor again, extending email address list, no reply
2018-01-09: Contacting vendor again
2018-01-10: Vendor replies, requests transmission of security advisory
2018-01-10: Sending unencrypted security advisory
2018-07-02: There was no feedback from the vendor, but version 14.2.1 fixed
the reported vulnerabilities.
2018-07-12: Public advisory release.
Solution:
---------
Upgrade to version 14.2.1 or newer. See the vendor's download page:
https://www.zeta-producer.com/de/download.html
Users of the product also need to verify that the affected widgets are updated in
the corresponding website project! It could be necessary to rebuild the whole project
or copy the new widgets to the website projects. For further information consult the
vendor.
Workaround:
-----------
Remove "formmailer" and "filebrowser" widgets.
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
See the vendor's download page:\n\nhttps://www.zeta-producer.com/de/download.html\n\nUsers of the product also need to verify that the affected widgets are updated in\nthe corresponding website project! It could be necessary to rebuild the whole project\nor copy the new widgets to the website projects. For further information consult the\nvendor.\n\n\nWorkaround:\n-----------\nRemove \"formmailer\" and \"filebrowser\" widgets.\n\n\nAdvisory URL:\n-------------\nhttps://www.sec-consult.com/en/vulnerability-lab/advisories/index.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}