Anchor CMS PHP Object Injection

Posted Aug 27, 2015
Authored by Scott Arciszewski

Anchor CMS suffers from a PHP object injection vulnerability.

tags | advisory, php
advisories | CVE-2015-5687
SHA-256 | 01360b0ef87b8be3a5a7368eac27d098cc885b14e087ad44e9eb0a5154ed8a8b

In the near future on an IRC server near you:

> <user1> Hey, what's the best command line tool for verifying that my copy of AnchorCMS 0.9.x is secure?
> <user2> rm

CVE-2015-5687 (PHP Object Injection in AnchorCMS)
=================================================

Out of the box, AnchorCMS defaults to store all session state in a
cookie (contrast this with only storing a unique identifier in a
cookie which references a server-side storage mechanism, such as a
temporary file or a database row).

Aside: If you have paid attention to my past work with Laravel,
CodeIgniter, and Kohana, you probably already know how this story
ends. This finding is so much worse than anything I've found in any of
those three.

Generally, when a framework or CMS decides to go down the "cookie
session driver" route, they do so knowing that end users have complete
control over the contents of the cookie. Fortunately, there's a
cryptographic tool that allows them to do this almost safely: a
Message Authentication Code.

The first mistake the AnchorCMS cookie session driver made was,
instead of using a MAC (e.g. hash_hmac('sha256', $cookie_data,
$some_key)), they just used an MD5 hash.

https://github.com/paragonie/anchor-cms/blob/1207ab1b656bc5687bc2d2d6f57e6c4d0ca7d15f/system/session/drivers/cookie.php#L19-L35

The second mistake the AnchorCMS cookie session driver made was the
same one almost every other cookie session driver ever written in PHP
makes: It uses unserialize() on user-provided data. Normally this
isn't exploitable, because a MAC cannot be forged without the
server-side authentication key or a timing side-channel on the MAC
verification. But as we just said, they just prepend an MD5 hash and
use that as an authentication mechanism.
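The two mistakes just described, side by side with the fix the advisory calls for, as an added example. This is not AnchorCMS code and not the author's patch; the function names, the cookie layout and the key handling are assumptions, and it assumes PHP 7.3 or later for JSON_THROW_ON_ERROR.

```php
<?php
// Added example (not AnchorCMS code): the shape of the flawed cookie session
// driver beside a hardened one. Function names and cookie layout are assumed.

declare(strict_types=1);

// --- Weak shape: unkeyed MD5 prefix, then unserialize() on the cookie body ---

function weakSeal(array $session): string
{
    $body = serialize($session);
    return md5($body) . $body;   // no secret is involved in the "authentication"
}

function weakOpen(string $cookie): ?array
{
    $hash = substr($cookie, 0, 32);
    $body = substr($cookie, 32);
    if ($hash !== md5($body)) {
        return null;
    }
    // Anyone can compute md5() of a body they wrote themselves, so this check
    // adds nothing and unserialize() runs on attacker-controlled input.
    return unserialize($body);
}

// --- Hardened shape: HMAC-SHA-256, constant-time compare, JSON instead of unserialize ---

function sealSession(array $session, string $key): string
{
    $body = json_encode($session, JSON_THROW_ON_ERROR);
    $mac  = hash_hmac('sha256', $body, $key);   // keyed: forging needs $key
    return $mac . '.' . base64_encode($body);
}

function openSession(string $cookie, string $key): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2 || strlen($parts[0]) !== 64) {
        return null;
    }
    [$mac, $encoded] = $parts;
    $body = base64_decode($encoded, true);
    if ($body === false) {
        return null;
    }
    // hash_equals() compares in constant time, closing the timing side-channel
    // on MAC verification that the advisory mentions.
    if (!hash_equals(hash_hmac('sha256', $body, $key), $mac)) {
        return null;
    }
    // json_decode() only ever yields arrays and scalars, so no __wakeup() or
    // __destruct() gadget can be reached from cookie data.
    $data = json_decode($body, true);
    return is_array($data) ? $data : null;
}

// Constructed demo. A real driver would load $key from configuration.
$key    = random_bytes(32);
$cookie = sealSession(['user_id' => 42, 'csrf' => 'abc'], $key);
var_dump(openSession($cookie, $key));

// Replace the body while keeping the MAC: verification fails and null is returned.
$tampered = substr($cookie, 0, 65)
    . base64_encode(json_encode(['user_id' => 1, 'csrf' => 'abc']));
var_dump(openSession($tampered, $key));
```

Where a driver genuinely must keep PHP serialization, the second line of defence on PHP 7.0 and later is `unserialize($body, ['allowed_classes' => false])`, which refuses to instantiate objects at all; the advisory notes that AnchorCMS still supported end-of-life PHP versions without that option, which is one more reason the MAC must be keyed and checked first.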

Both mistakes, combined, make this a remotely exploitable PHP object
injection vulnerability. Combine that with some of the recent CVEs for
memory corruption in unserialize() and the fact that AnchorCMS
officially supports EOL'd versions of PHP which do not have these
memory corruptions fixed, we potentially have a wormable remote
exploit on any server running AnchorCMS on the Internet. Wonderful.

Weak PRNG used in security contexts
===================================

During the course of writing a patch to migrate the cookie session
driver to HMAC-SHA-256 with constant-time MAC comparison, we
discovered that they did not at any point expose or use a CSPRNG (not
even in the salt generation of their bcrypt implementation).

Instead, they relied on str_shuffle().

https://github.com/paragonie/anchor-cms/blob/07933dbc7939326bb4973827a0934d1a610851d1/system/helpers.php#L55-L59
https://github.com/paragonie/anchor-cms/blob/66581e5969029e7b6dfddfe3326bb9f15f27b859/anchor/libraries/hash.php#L15

We have not explored the full potential of the exploitability of this
issue (why brute force a 32-bit keyspace when you already have the
potential to get a remote shell?), but needless to say we did not use
this PRNG for generating a session authentication key in our patch.
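The contrast between an str_shuffle()-based token and CSPRNG-backed generation, as an added example. This is not AnchorCMS code and does not reproduce the helpers linked above; the weak function is only the typical shape of that pattern, the function names are assumptions, and it assumes PHP 7.0 or later for random_bytes() and random_int().

```php
<?php
// Added example (not AnchorCMS code): a weak str_shuffle()-based "random" string
// next to CSPRNG-backed generation. Function names are assumed.

declare(strict_types=1);

function alphabet(): string
{
    return 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
}

// Weak shape: str_shuffle() draws on PHP's non-cryptographic generator, which
// the advisory describes as a 32-bit keyspace, and a shuffled alphabet can
// only yield strings without repeated characters.
function weakRandomString(int $length): string
{
    return substr(str_shuffle(alphabet()), 0, $length);
}

// Strong: random_int() is backed by the OS CSPRNG and samples without modulo bias.
function strongRandomString(int $length): string
{
    $chars = alphabet();
    $max   = strlen($chars) - 1;
    $out   = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $chars[random_int(0, $max)];
    }
    return $out;
}

// A session authentication key should be raw CSPRNG bytes rather than an
// alphanumeric string; 32 bytes is a 256-bit key for HMAC-SHA-256.
function newSessionKey(): string
{
    return random_bytes(32);
}

// Password hashing: let password_hash() draw the bcrypt salt from the CSPRNG
// instead of assembling a salt by hand from a shuffled alphabet.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function verifyPassword(string $password, string $hash): bool
{
    return password_verify($password, $hash);
}

// Constructed usage.
$hash = hashPassword('correct horse battery staple');
var_dump(verifyPassword('correct horse battery staple', $hash));
var_dump(verifyPassword('wrong password', $hash));
var_dump(strongRandomString(22));
var_dump(bin2hex(newSessionKey()));
var_dump(weakRandomString(22));
```

The practical check for a code base is a search for str_shuffle(), rand(), mt_rand() and uniqid() anywhere a value ends up in a salt, a token, a key or a session identifier; each of those sites should move to random_bytes() or random_int(), and bcrypt salts should not be built by hand at all.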

--------------------------------

Both of the issues reported above would be patched if this pull
request were reviewed by their team and merged.
https://github.com/anchorcms/anchor-cms/pull/904

It has been 30 days since I wrote the patch and sent the above pull
request. The timeline (sans the Github notifications that the
AnchorCMS team would have received every time I or someone else
commented on this pull request) looks like this.

* 2015-07-28
Initial discovery, contacted team on Gitter, instructed to send a PR,
and we did so.

* 2015-08-11
After radio silence from the AnchorCMS devs, I reached out to Craig
Childs who responded the same day. "Thanks for pointing this out to
me, I understand it’s serious and I’ll look into it as soon as I can."

* 2015-08-27
We've reached the 30 day mark without the security issues being resolved.
Furthermore, Paragon Initiative Enterprises has not received any request
for more time for their team to review the patch. (Note: For most issues,
we won't delay past 30 days without remediation.)

Looking at the above issues, it may surprise you to hear that
AnchorCMS is not an obscure relic of a forgotten age; it has almost
2500 stars and over 400 forks on Github.

The best advice I can offer anyone is to uninstall AnchorCMS from
their servers. These are just the issues that I could find; there are
undoubtedly many more that are just as bad.

In publishing this, we hope that the AnchorCMS development team is
able to wake up and reconnect with the community, and more importantly
that the community is willing to help them fix the myriad of security
vulnerabilities that probably lurk beneath the surface.

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>
