Croogo 2.0.0 Arbitrary PHP Code Execution Exploit

2014-10-12T00:00:00
ID ZSL-2014-5202
Type zeroscience
Reporter Gjoko Krstic
Modified 2014-10-12T00:00:00

Description

Title: Croogo 2.0.0 Arbitrary PHP Code Execution Exploit
Advisory ID: ZSL-2014-5202
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 12.10.2014

Summary

Croogo is a free, open source content management system for PHP, released under the MIT License. It is powered by the CakePHP MVC framework.

Description

Croogo suffers from an authenticated arbitrary PHP code execution vulnerability. The vulnerability is caused by improper verification of uploaded files in the '/admin/file_manager/attachments/add' script through the 'data[Attachment][file]' POST parameter and in the '/admin/file_manager/file_manager/upload' script through the 'data[FileManager][file]' POST parameter. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file, which is stored in the '/webroot/uploads/' directory.
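As an added defender's example (not part of this advisory or of Croogo), the following Python correlates Apache access-log lines per client IP to flag the sequence this flaw enables: a successful POST to one of the two upload endpoints named above, followed by a request for a .php file under the uploads directory. The log lines are constructed, and the uploads path is matched anywhere in the URL because the document root may be webroot/ or its parent.

```python
import re
from collections import defaultdict

# Upload endpoints named in the advisory (query string stripped before matching).
UPLOAD_ENDPOINTS = {
    "/admin/file_manager/attachments/add",
    "/admin/file_manager/file_manager/upload",
}
# A PHP file served from the uploads directory, whether the docroot is webroot/ or its parent.
UPLOADED_PHP_RE = re.compile(r"/uploads/[^/?\s]+\.php\d?(?:$|[?/])", re.IGNORECASE)
# Apache combined log format; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the captured fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_upload_then_php(lines):
    """Correlate, per client IP, a successful POST to a Croogo upload endpoint with a
    later request for a .php file under uploads/. Returns (ip, endpoint, php_path) triples."""
    uploaded_via = defaultdict(list)   # ip -> upload endpoints it posted to, in order
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path in UPLOAD_ENDPOINTS and rec["status"][0] in "23":
            uploaded_via[rec["ip"]].append(path)
        elif UPLOADED_PHP_RE.search(rec["path"]) and uploaded_via.get(rec["ip"]):
            hits.append((rec["ip"], uploaded_via[rec["ip"]][-1], path))
    return hits

# Constructed sample lines (not real traffic): one upload-then-execute sequence,
# one benign upload followed by a PDF fetch, and a PHP request with no prior upload.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Oct/2014:10:00:01 +0000] "POST /admin/file_manager/attachments/add HTTP/1.1" 302 0
203.0.113.5 - - [12/Oct/2014:10:00:04 +0000] "GET /uploads/image.php HTTP/1.1" 200 512
198.51.100.7 - - [12/Oct/2014:10:01:00 +0000] "POST /admin/file_manager/file_manager/upload HTTP/1.1" 200 88
198.51.100.7 - - [12/Oct/2014:10:01:02 +0000] "GET /uploads/report.pdf HTTP/1.1" 200 9031
192.0.2.9 - - [12/Oct/2014:10:02:00 +0000] "GET /webroot/uploads/old.php HTTP/1.1" 404 210
"""

if __name__ == "__main__":
    for ip, endpoint, php in find_upload_then_php(SAMPLE_LOG.splitlines()):
        print(f"{ip}: uploaded via {endpoint}, then requested {php}")
```

The last sample line is deliberately not reported: a PHP request under uploads/ with no preceding upload from that client is worth a separate, broader rule, but it is not the sequence this check targets.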

Vendor

Fahad Ibnay Heylaal - <http://www.croogo.org>

Affected Version

2.0.0

Tested On

Apache/2.4.7 (Win32)
PHP/5.5.6
MySQL 5.6.14

Vendor Status

[26.07.2014] Vulnerability discovered.
[27.07.2014] Vendor contacted.
[27.07.2014] Vendor responds asking more details.
[27.07.2014] Sent details to the vendor.
[28.07.2014] Vendor confirms the issues promising patch.
[04.08.2014] Working with the vendor.
[07.08.2014] Fix developed.
[02.09.2014] Vendor releases version 2.1.0 to address these issues.
[12.10.2014] Coordinated public security advisory released.

PoC

croogo_rce.py

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <http://blog.croogo.org/blog/croogo-210-released>
[2] <http://www.exploit-db.com/exploits/34958/>
[3] <http://osvdb.org/show/osvdb/113108>
[4] <http://osvdb.org/show/osvdb/113112>
[5] <http://packetstormsecurity.com/files/128640>
[6] <http://cxsecurity.com/issue/WLB-2014100075>
[7] <http://www.securityfocus.com/bid/70411>
[8] <http://xforce.iss.net/xforce/xfdb/96990>

Changelog

[12.10.2014] - Initial release
[14.10.2014] - Added references [2], [3], [4], [5], [6] and [7]
[20.10.2014] - Added reference [8]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk