CuteNews 2.1.2 Remote Code Execution Vulnerability

Hello guys back again with another article this time am talking about CuteNews a content management system that i was recently doing a pentest on and found that it had a remote code execution vulnerability. The vulnerability existed on the uploading an avatar field which didn’t perform any validation on the uploaded file. But to be able to exploit the vulnerability one had to have correct credentials for at least one account or the registration functionality had to be enabled on that specific CMS

The thing that also made it easier to exploit the vulnerability was that the exact version of the CMS was exposed on the login page

Looking at screenshot above you can see that the specific version was CuteNews 2.1.2

The first thing i did was google and try to see if there were any public exploits available

And i found a metasploit exploit in exploitdb

Nice. Looking at the description that the exploit offers we see there’s no realistic control of the $imgsize function in the PHP upload script meaning no matter how big the uploaded file is it doesn’t check on the size of the file this allows an attacker to use large files like a PHP reverse shell file

Also the CMS uses only magic bytes to validate the type of file being uploaded. “magic bytes” is a term referring to a block of arcane byte values used to designate a filetype in order for applications to be able to detect whether or not the file they plan to parse and consume is of the proper format. The CMS doesn’t look at the extension of the file being uploaded meaning we can upload a PHP File on the server too and the PHP file can have a malicious code the executes system command that can be used to get a shell on the server

Let’s look at a demonstration below

Let’s create a simple PHP script that executes a system command

Below is one line of code that can execute a system command from a PHP file

Let’s save the script and run a file command against it

As you can see file command has been able to identify the file correctly as a PHP Script File

This is because of magic bytes that the file has. Let’s do a bit more obfuscation on the file and trick the file to think that this is a GIF image

I just added

Which are the magic bytes of a GIF image. Let’s save the file and again run a file command against it

Looking at the screenshot below we have successfully tricked file to think that this is a GIF image

This is the same technique we are going to use to trick the CMS to think that our PHP script is a harmless file

Cool our obfuscation was successful

Let’s go back and look at the CMS. You can see that in my specific instance the registration functionality was enabled

Let’s register a user on the box

After clicking the registration button we get logged in immediately

Looking at the personal options we can view out personal details and we see that there is a functionality that allows us to upload an avatar

Lets try uploading a PHP File without adding the GIF magic bytes I’ll intercept the request with burpsuite

Going back to our webpage we see that the upload failed

Let’s again try uploading a PHP Script but this time let us add the magic bytes of a GIF image

Going back to the CMS we see that the PHP File just uploaded fine

The file has been uploaded in the uploads directory sweet. Let’s try executing the script

We just we the GIF magic byte displayed on the screen. Let’s add the parameter cmd the same one we used on the script and then try executing a system command “whoami”

Looking at the screenshot below we have code execution

We have successful compromised the server Sweet so i went a step forward and decided to create a python script that does all the work and submitted to exploitdb and it was accepted

The script can also be found in my GitHub page I’ll a link below if anyone whats to access it

But Let’s see how the script works

The script just prompts you to enter the URL of the CMS

After clicking enter we get a shell

Executing command we see that it works perfectly

I wish i could explain the process on how i created the python script but it’s over 100 lines of code which is almost impossible but you can look at the script and try understanding my taught process on how i created the script . Also I’ve been meaning to add a functionality which allows anyone to login if they have a valid credential but my OS has been crazy for about a week with connection failures but once things get back to normal that’s what I’ll add

Thanks so much for reading the article till next time it’s goodbye from me. If you liked the article you can clap for me below and don’t forget to follow me so that you don’t miss any upcoming articles

My GitHub Link

Penetration Tester/Analytical Chemist who Loves Cybersecurity. GitHub(https://github.com/musyoka101), ExploitDB(https://www.exploit-db.com/?author=10517)