Artificial truth

The more you see, the less you believe.


Snuffleupagus versus recent high-profile vulnerabilities, again!
Sat 04 July 2020

Last July, I published a blog post summarising how Snuffleupagus was doing against high-profile web vulnerabilities, and the conclusion was:

It seems that Snuffleupagus is doing a decent job!

Time to see if it's still the case one year later.

ImpressCMS 1.3.11 — SQL injection

Sebastian Fabry from RIPS found an SQL injection in ImpressCMS. But since the SQL injection protection feature isn't publicly available, Snuffleupagus doesn't do anything against it.

A possible way to harden the application without disrupting anything would be to write a rule checking that `$_SERVER['PHP_SELF']` doesn't contain quotes.

WordPress <= 5.2.3: Hardening Bypass

Simon Scannell from RIPS found a bypass of some hardening-fu in WordPress, boiling down to an LFI, so it's mitigated by the file upload check, and depending on the configuration, it might also be prevented by W^X.

BigTree 4.4.6 — SQLI

Robin Peraglie from RIPS found a couple of issues in BigTree CMS: chaining a CSRF to exploit an SQL injection, and exfiltrating the data via an XSS. There is also a phar-deserialisation RCE.

The CSRF is prevented by the samesite attribute, while the SQLI and XSS aren't mitigated. The phar-deserialisation is killed by the stream wrapper whitelist.

SuiteCRM — CSRF to SQLI to RCE — CVE-2019-12598 and CVE-2019-12601

Robin Peraglie from RIPS disclosed a couple of critical vulnerabilities in SuiteCRM. The CSRF is prevented by the samesite attribute, while the SQLI isn't. The RCE is based on an unserialize, mitigated by the HMAC-for-unserialize option.

TYPO3 — XSS to RCE

Robin Peraglie from RIPS disclosed an XSS to RCE in TYPO3. The XSS isn't mitigated by Snuffleupagus, but since the RCE is based on an unserialize, it's mitigated by the HMAC-for-unserialize option.

Pimcore 6.2.0 — RCE, SQLI and CSRF

Robin Peraglie from RIPS found a couple of issues in Pimcore:

  • A command injection, complicated to exploit and maybe mitigated against casual attackers by the default ruleset
  • A couple of SQL injections, not mitigated by the public version of Snuffleupagus
  • Absence of an anti-CSRF mechanism, mitigated by the SameSite cookie attribute

WooCommerce 3.6.4 — CSRF to XSS

Dennis Brinkrolf of RIPS found a CSRF in WooCommerce, leading to an XSS, which means RCE since this is WordPress.

The CSRF is mitigated by samesite, killing the XSS as well since it's a self-XSS.

PrestaShop 1.7.6.4 — CSRF to XSS to RCE

Sivanesh Ashok reported in April 2020 a CSRF-to-XSS-to-RCE in PrestaShop.

The CSRF is prevented by the samesite attribute. The XSS isn't mitigated by Snuffleupagus, but should be blocked by any reasonable CSP policy: nobody should allow executing JavaScript from within SVG. And the RCE is, like in WordPress, a feature: admins can upload themes written in PHP. Interestingly, this is neither caught by the file upload check, because the themes are zip files, nor by W^X, because an attacker can always mark the PHP files in the zip file as read-only.

Unraid 6.8.0 — RCE — CVE-2020-5847 and CVE-2020-5849

Sysdream found an authentication bypass as well as a remote code execution in Unraid around January 2020.

The auth bypass is based on a logic flaw, and can't be mitigated in a generic way. The RCE, however, is due to the usage of `extract($_GET);`, which is now mitigated by the default ruleset, although, to be fair, this function should never be used, especially with such stupid default values, but well, it's PHP, so, yeah, … Amusingly, PHP's documentation is lying about the name of the function's parameters, which should be `int extract(array var_array [, int extract_type [, string prefix]])` instead. As a side note, why the fuck is Unraid running PHP scripts as root‽

Netsweeper's webadmin 6.4.3 — RCE

An "independent Security Researcher" found an unauthenticated remote code execution vulnerability in Netsweeper's webadmin, based on a shell injection, which should be mitigated by the default ruleset.

Roundcube 1.4.3 — XSS

Roundcube fixed an XSS caused by a logic bug. There is nothing Snuffleupagus can do against those in general, but it's trivial to write a rule to virtual-patch this particular issue.

Composr — RCE

Megadodo published an unserialize-based RCE in Composr, mitigated by the HMAC-for-unserialize option.

Mautic — RCE

Megadodo published an unserialize-based RCE in Mautic, mitigated by the HMAC-for-unserialize option.

SquirrelMail — likely RCE

Hanno Böck published a patch to fix an unserialize-based likely-RCE in SquirrelMail, mitigated by the HMAC-for-unserialize option.

Drupal 8 — RCE

Lorenzo Grespan and Sam Thomas from pentest.co.uk published a fun remote code execution against Drupal 8, chaining:

  1. A CSRF to create an arbitrary folder, mitigated by the samesite option
  2. A quirk of file_get_contents, unmitigated
  3. Some brute-forcing on Linux (none is required on Windows), unmitigated
  4. Deserialisation-based RCE, mitigated by the HMAC-for-unserialize option

BoltCMS — CSRF to XSS to RCE

Sivanesh Ashok reported in April 2020 a CSRF-to-XSS-to-RCE in BoltCMS.

Trixbox CE — RCE

Anastasios Stasinopoulos disclosed a command injection in (the unmaintained) trixbox CE, mitigated by the default ruleset.

FusionPBX — XSS to RCE

Dustin Cobb from Gotham Digital Science published an XSS to RCE in FusionPBX. The XSS isn't mitigated by Snuffleupagus, and the command injection used for the RCE is made harder to exploit, but isn't fully mitigated, since the entire content of the parameter controlled by the attacker is passed to a system-like function, without anything prepended or appended.
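The options this post keeps pointing at (samesite, HMAC-for-unserialize, W^X, the file upload check, the stream wrapper whitelist and the default shell-injection rules), collected into one rule file as an added illustration with a comment tying each one to the cases above. This is not Snuffleupagus' shipped default.rules: directive names follow the Snuffleupagus documentation, the secret, cookie name and validator path are placeholders, and the PHP_SELF virtual patch from the ImpressCMS section and the extract() rule are not reproduced here.

```ini
# Added illustration, not the project's default.rules.
# Secret used for cookie encryption and for the unserialize HMAC (placeholder value).
sp.global.secret_key("REPLACE_WITH_A_LONG_RANDOM_SECRET");

# "samesite": the CSRF half of the BigTree, SuiteCRM, Pimcore, WooCommerce,
# PrestaShop and Drupal chains dies here, provided the application's own
# session cookie(s) are named; PHPSESSID is only the PHP default.
sp.cookie.name("PHPSESSID").samesite("lax");

# "HMAC-for-unserialize": serialize() output gets signed and unserialize()
# refuses unsigned input, which is what kills the SuiteCRM, TYPO3, Composr,
# Mautic, SquirrelMail and Drupal deserialisation RCEs.
sp.unserialize_hmac.enable();

# "W^X": PHP refuses to execute a file the PHP process can write to.
# Covers dropped webshells, not a theme zip whose entries arrive read-only
# (the PrestaShop caveat above).
sp.readonly_exec.enable();

# "file upload check": each uploaded file is handed to an external validator
# before the application sees it (script path is a placeholder). An archive
# only gets inspected if the validator also looks inside zip files.
sp.upload_validation.script("/var/www/is_valid_upload.py").enable();

# "stream wrapper whitelist": phar:// is absent, so the BigTree
# phar-deserialisation never reaches unserialize().
sp.wrappers_whitelist.list("file,php");

# Shell-injection rules in the shape the default ruleset uses: a blocklist of
# shell metacharacters in the command argument (parameter names are PHP's).
# This is why FusionPBX is "harder, not fully mitigated": when the attacker's
# parameter is the entire command, a value without metacharacters isn't caught.
sp.disable_function.function("system").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
sp.disable_function.function("exec").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
sp.disable_function.function("passthru").param("command").value_r("[$|;&`\\n\\(\\)\\\\]").drop();
```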

Conclusion

Like last year, the only vulnerabilities that weren't killed are either:

  • Logic issues, which can't be generically mitigated.
  • Client-side issues, like XSS, which are explicitly out of scope.
  • Application-specific issues that can't be dealt with in a generic way.
  • SQLI, since this part is still private for now.

It seems that Snuffleupagus is still doing a decent job!

Feel free to send me an email if I've missed your favourite web vulnerability.