We have scanned one of the latest versions of BigTree CMS 4.4.6 and detected multiple vulnerabilities. Among them is a SQL Injection vulnerability and a Phar Deserialization vulnerability leading to a Remote Code Execution in the small web application.
The truncated analysis results are available in our RIPS demo application. Please note that we limited the results to the issues described in this post in order to ensure a fix is available.
Chaining SQL Injection and XSS
BigTree CMS suffers from a plain SQL Injection which can be exploited in the dashboard. An unsanitized parameter allows overriding the
Table property, enabling the manipulation of the underlying SQL syntax to extract arbitrary sensitive information from the database. The web application then continues to print all the data retrieved through the SQL query and returns it to the authenticated administrator.
Since BigTree does not make use of any CSRF tokens here, the vulnerability can be exploited through CSRF. A Second Order Cross-Site Scripting vulnerability can then be used to smuggle the data out to an external Server. In the following we will see the entry point to the vulnerability:
On line 6 the user input is received through the
form parameter and stored in the
$form variable. Its value is then assigned to the
$m->Table property of the
BigTreeModule instance. Finally the
get() method is invoked on the object which launches a SQL query on line 10. This method is embedding the user input of the
$item variable safely and embedding the tainted
Table property unsafely.
The data can then be smuggled out by exploiting a Cross-Site Scripting vulnerability. To achieve this, the attacker must control the values of the
$item array returned by the SQL query to start with the string “http”. This causes the control flow to branch into the program block which processes links automatically, starting on line 19 of the following source code.
For each potential link, the program will send a web request via the
urlExists() method. If the request fails, the data is added to the error array
$integrity_errors on line 22. The values of this array are printed unsanitized in a
foreach loop on line 30 leading to the output of our SQL Injection directly next to our Cross-Site Scripting payload extracting the data to an external server. Although its usually tricky to exploit a SQL Injection via CSRF as seen here, we can in this case make use of the Cross-Site Scripting vulnerability to smuggle out the results easily with an AJAX request.
Phar Deserialization via CURL wrapper
Curls CLI file feature allows to upload files from the file system by prepending the filename with an
@ symbol. Adding the curl option
-d param=@/path/to/filename in the curl CLI would comfortably upload the contents of the specified filename to the target server. BigTree developed its own curl wrapper function
BigTree::cURL() to implement this feature.
The method receives data to be send in the HTTP body as the second argument
$post of the static method. On line 268 it iterates over the array and checks the values for an
@ character which is potentially suffixed with a filename. This filename is used as an argument to
file_exists() on line 270 before adding the contents of the file to the curl request, leading to a Phar Deserialization vulnerability if we have control over a value of the
$post array. This assumption is true for the URL
http://<host>/bigtree446/site/index.php/admin/developer/services/instagram/return/?code=@phar://myphar.phar which routes an authenticated backend user directly to the following entry point:
The user input stored in the
code parameter is passed as the
$code argument to the
oAuthSetToken() method. This forwards the value directly into the
BigTree::cURL() wrapper from above, leading to the Phar Deserialization vulnerability.
To exploit this vulnerability, a file must be uploaded. This can only be achieved by correctly posting a CSRF token. However, this CSRF token can be stolen by exploiting the Cross-Site Scripting vulnerability from above, and stealing the token. This will enable a file upload which can be used in the Phar Deserialization process.
In this blog post we have seen that sanitizing every parameter by hand is a tedious and dangerous method to secure your application. Sophisticated attackers can chain multiple exploits to launch a successful targeted attack with high impact. It is recommended to invest time to develop and make use of centralized security module which will bundle sanitization and database preparation. Automated security testing can assist in the process of detecting vulnerable leftovers of legacy code when retroactively implementing security features. The RIPS scanner detected the issues within 7 minutes scan time. Especially the beginning of a file path should not be in control of an attacker to deny exploitation via arbitrary PHP filters like the
|10/15/19||Vulnerability details send for BigTree 4.4.6|
|10/15/19||Vendor acknowledged and confirmed issue|
|10/15/19||Vendor released BigTree 4.4.7 patching the issue|