FUN WITH LINUX

ForkCMS PHP Object Injection (CVE-2020-24036)

2 March 2021

Identifier: AIT-SA-20210215-04
Target: ForkCMS
Vendor: ForkCMS
Version: all versions below version 5.8.3
CVE: CVE-2020-24036
Accessibility: Remote
Severity: Medium
Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)

Summary

ForkCMS is an open source cms written in PHP.

Vulnerability Description

PHP object injection in the Ajax-endpoint of the backend in ForkCMS below version 5.8.3 allows authenticated remote user to execute malicious code.

The ajax-callbacks for the backend use unserialize without restrictions or any validations. An authenticated user could abuse this to inject malicious PHP-Objects which could lead to remote code execution:

<?php

namespace Backend\Core\Ajax;

use Backend\Core\Engine\Base\AjaxAction as BackendBaseAJAXAction;

use Symfony\Component\HttpFoundation\Response;

/**

 * This action will generate a valid url based upon the submitted url.

 */

class GenerateUrl extends BackendBaseAJAXAction

{

    public function execute(): void

    {

        // call parent, this will probably add some general CSS/JS or other required files

        parent::execute();

        // get parameters

        $url = $this->getRequest()->request->get('url', '');

        $className = $this->getRequest()->request->get('className', '');

        $methodName = $this->getRequest()->request->get('methodName', '');

        $parameters = $this->getRequest()->request->get('parameters', '');

        // cleanup values

        $parameters = unserialize($parameters); // ← VULNERABLE CODE

        // fetch generated meta url

        $url = urldecode($this->get('fork.repository.meta')->generateUrl($url, $className, $methodName, $parameters));

        // output

        $this->output(Response::HTTP_OK, $url);

    }

}

Proof Of Concept

In order to exploit this vulnerability, an attacker has to be authenticated with least privileges. We tested this exploit with “Dashboard” permissions:

For demonstration purposes we created a proof of concept exploit that deletes files and directories from the webserver. With a little bit more effort an attacker might also find a payload for executing a webshell. There are many gadgets available in the vendor directory.

The object-injection code for generating a payload might look as following:

'O:27:"Swift_KeyCache_DiskKeyCache":1:{s:4:"keys";a:1:{s:%d:"%s";a:1:{s:%d:"%s";s:9:"something";}}}' % (len(filepath),filepath,len(deletefile),deletefile)

First we created a file with proper permissions on the webserver that the exploit should delete later:

After that we can execute our exploit:

As we can see next, the file was deleted successfully:

Vulnerable Versions

All versions including 5.8.1 are affected.

Tested Versions

ForkCMS 5.8.1 (with Debian 10 and PHP 7.3.14-1)

Impact

An authenticated user with minimal privileges could execute malicious code.

Mitigation

Fork-5.8.3 fixed that issue

Vendor Contact Timeline

2020-05-01 Contacting the vendor
2020-06-08 Vendor replied
2020-07-07 Vendor released an updated version
2021-02-15 Public disclosure

Advisory URL

https://www.ait.ac.at/ait-sa-20210215-04-poi-forkcms

[ PHP  Programming  Web  Security  CVE  ]
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 Unported License.

Copyright 2015-present Hoti