ID PACKETSTORM:161764 Type packetstorm Reporter Wolfgang Hotwagner Modified 2021-03-12T00:00:00
Description
ForkCMS PHP Object Injection
=========================
| Identifier: | AIT-SA-20210215-04 |
| Target: | ForkCMS |
| Vendor: | ForkCMS |
| Version: | all versions below version 5.8.3 |
| CVE: | CVE-2020-24036 |
| Accessibility: | Remote |
| Severity: | Medium |
| Author: | Wolfgang Hotwagner (AIT Austrian Institute of Technology) |
SUMMARY
=========
[ForkCMS is an open source CMS written in PHP.](https://www.fork-cms.com/)
VULNERABILITY DESCRIPTION
========================
PHP object injection in the Ajax endpoint of the ForkCMS backend (all versions below 5.8.3) allows an authenticated remote user to execute malicious code.
The backend's Ajax callbacks pass request data to unserialize() without any restriction or validation. An authenticated user could abuse this to inject malicious PHP objects, which could lead to remote code execution:
```
<?php
namespace Backend\Core\Ajax;

use Backend\Core\Engine\Base\AjaxAction as BackendBaseAJAXAction;
use Symfony\Component\HttpFoundation\Response;

/**
 * This action will generate a valid url based upon the submitted url.
 */
class GenerateUrl extends BackendBaseAJAXAction
{
    public function execute(): void
    {
        // call parent, this will probably add some general CSS/JS or other required files
        parent::execute();

        // get parameters
        $url = $this->getRequest()->request->get('url', '');
        $className = $this->getRequest()->request->get('className', '');
        $methodName = $this->getRequest()->request->get('methodName', '');
        $parameters = $this->getRequest()->request->get('parameters', '');

        // cleanup values
        $parameters = unserialize($parameters); // <-- VULNERABLE CODE

        // fetch generated meta url
        $url = urldecode($this->get('fork.repository.meta')->generateUrl($url, $className, $methodName, $parameters));

        // output
        $this->output(Response::HTTP_OK, $url);
    }
}
```
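As an added example (not ForkCMS code and not part of the advisory), the following shows how the `parameters` field could be decoded so that no class is ever instantiated: `allowed_classes => false` turns every `O:`/`C:` token into `__PHP_Incomplete_Class`, which the function then rejects instead of passing on. The function name and the two sample inputs are constructed for this illustration.

```php
<?php
// Hardened replacement for the unserialize() call in the GenerateUrl
// Ajax action (hypothetical helper, not from ForkCMS).

/**
 * Decode the 'parameters' request value without instantiating any class.
 * Returns a flat array of scalars, or an empty array when the input is
 * malformed or carried an object; $reason explains the rejection.
 */
function decodeParametersSafely(string $raw, ?string &$reason = null): array
{
    $reason = null;
    if ($raw === '') {
        return [];
    }
    // allowed_classes => false: no __wakeup()/__destruct() gadget can run,
    // injected objects surface as __PHP_Incomplete_Class instead.
    $decoded = @unserialize($raw, ['allowed_classes' => false]);
    if ($decoded === false && $raw !== 'b:0;') {
        $reason = 'malformed serialized data';
        return [];
    }
    if (!is_array($decoded)) {
        $decoded = [$decoded];
    }
    $clean = [];
    // array_walk_recursive descends into nested arrays only, so any object
    // (necessarily __PHP_Incomplete_Class here) reaches the callback as a value.
    array_walk_recursive($decoded, function ($v) use (&$clean, &$reason) {
        if ($v instanceof __PHP_Incomplete_Class) {
            $reason = 'object injected into parameters';
        } elseif (is_scalar($v) || $v === null) {
            $clean[] = $v;
        }
    });
    return $reason === null ? $clean : [];
}

// Constructed inputs: a benign parameter list and an object-bearing string.
$benign  = serialize(['my-page-slug', 42]);
$hostile = 'O:8:"stdClass":1:{s:1:"x";s:1:"y";}';

var_dump(decodeParametersSafely($benign, $r), $r);   // ['my-page-slug', 42], NULL
var_dump(decodeParametersSafely($hostile, $r), $r);  // [], "object injected into parameters"
```

A non-empty `$reason` is the signal worth logging on the server side, since a legitimate client never sends an object in this field.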
PROOF OF CONCEPT
=================
In order to exploit this vulnerability, an attacker has to be authenticated with least privileges. We tested this exploit with "Dashboard" permissions.
For demonstration purposes we created a proof of concept exploit that deletes files and directories from the webserver. With more effort an attacker might also find a payload for executing a webshell. There are many gadgets available in the vendor directory for potential payloads.
The object-injection code for generating a payload might look as follows:
```
'O:27:"Swift_KeyCache_DiskKeyCache":1:{s:4:"keys";a:1:{s:%d:"%s";a:1:{s:%d:"%s";s:9:"something";}}}' % (len(filepath),filepath,len(deletefile),deletefile)
```
VULNERABLE VERSIONS
===================
All versions including 5.8.1 are affected.
TESTED VERSIONS
===============
ForkCMS 5.8.1 (with Debian 10 and PHP 7.3.14-1)
IMPACT
======
An authenticated user with minimal privileges could execute malicious code.
MITIGATION
==========
ForkCMS 5.8.3 fixed this issue.
VENDOR CONTACT TIMELINE
========================
| 2020-05-01 | Contacting the vendor |
| 2020-06-08 | Vendor replied |
| 2020-07-07 | Vendor released an updated version |
| 2021-02-15 | Public disclosure |
ADVISORY URL
============
[https://www.ait.ac.at/ait-sa-20210215-04-poi-forkcms](https://www.ait.ac.at/ait-sa-20210215-04-poi-forkcms)