CVE-2020-29607: Remote Code Execution Via File Upload Restriction Bypass In Pluck CMS ≤ 4.7.13 [Authenticated]

Ankit Kushwah
Jan 6, 2021

Web Application Description

Pluck CMS
Pluck is a small and simple content management system (CMS), written in PHP. With Pluck, you can easily manage your own website. Pluck focuses on simplicity and ease of use. This makes Pluck an excellent choice for every small website. Licensed under the General Public License (GPL), Pluck is completely open source. This allows you to do with the software whatever you want, as long as the software stays open source.

Vulnerability

File Upload Restriction Bypass in Pluck CMS ≤ 4.7.13 allows an admin-privileged user to gain access to the host through the “manage files” functionality, which results in remote code execution.

Vulnerable Endpoint

/admin.php?action=files

File Upload Vulnerable Functionality

Vulnerable Code

Blacklisting of PHP extensions in `files.php`
.htaccess restriction for PHP execution in `files` upload directory

Restrictions

Blacklisting PHP Extensions: In the code of data/inc/files.php shown above, at line 44, the application assigns a list of blacklisted PHP file extensions to the blockedExtentions variable, which is then used to restrict users from uploading files with those extensions. If a user tries to upload a file with one of these extensions, the application appends .txt to the file name before storing it in the files directory of the system.

loopspell.php renamed to loopspell.php.txt

Restricting PHP Execution Through .htaccess: In the content of files/.htaccess shown above, the developer sets SetHandler to None for the .php and .phtml file extensions, so that a user cannot execute .php or .phtml files from the files upload directory. The developer also disabled CGI execution from the files upload directory.

Attack Vector

  1. Bypassing the .htaccess Restriction: Because the .htaccess rules only cover .php and .phtml, any other PHP extension, such as .php5, .php7 or .pht, is not affected by them.
  2. Bypassing the Blacklisting of PHP Extensions: Because the blacklist only covers the extensions listed in the code, any extension not in that list passes the check. For the proof of concept, we used the .phar PHP extension.

Note: For the proof of concept, we used the .phar PHP extension, which bypasses both of the above restrictions.

Proof of Concept

Uploading .phar PHP file
File Upload Request/Response
Executing PHP file

Implemented Mitigations In Pluck CMS 4.7.15

  1. Blacklisting the .phar PHP extension.
  2. Adding `php_flag engine off` to the .htaccess file to disable PHP execution in the files upload directory.
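As an added illustration (not Pluck's own code), the following PHP contrasts a denylist check in the style the article describes for `data/inc/files.php` with an allowlist check that rejects anything not explicitly permitted and never reuses the user-supplied name; the extension lists and function names are assumptions.

```php
<?php
// Added example, not Pluck's code. The extension lists are assumptions.

// Denylist in the style described above: a matched extension gets ".txt"
// appended; any extension not in the list (e.g. "phar", "php7") is stored
// unchanged, which is exactly the gap a denylist cannot close.
function denylist_upload_name(string $name): string
{
    $blockedExtensions = ['php', 'php3', 'php4', 'php5', 'phtml']; // assumed list
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (in_array($ext, $blockedExtensions, true)) {
        return $name . '.txt';
    }
    return $name;
}

// Hardened approach: only explicitly allowed extensions are accepted,
// everything else is rejected (null), and the stored name is regenerated
// so the user-controlled file name never reaches the filesystem.
function allowlist_upload_name(
    string $name,
    array $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'] // assumed list
): ?string {
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowed, true)) {
        return null; // reject the upload
    }
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// Constructed sample names: the denylist lets the .phar name through
// unchanged, the allowlist rejects both PHP variants.
foreach (['loopspell.php', 'loopspell.phar', 'image.png'] as $n) {
    printf(
        "%-16s denylist => %-20s allowlist => %s\n",
        $n,
        denylist_upload_name($n),
        allowlist_upload_name($n) ?? 'rejected'
    );
}
```

The allowlist belongs alongside the .htaccess mitigation rather than instead of it, and note that `php_flag engine off` only takes effect when PHP runs as an Apache module (mod_php); under PHP-FPM, PHP must be disabled for that directory in the server or pool configuration instead.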

Disclosure Timeline

Reported to the Vendor: 1st Dec 2020
CVE Assigned: 9th Dec 2020
CVE Published: 16th Dec 2020

CVSS Score As Per NIST NVD

CVSS Version 3.x Base Score: 7.2 HIGH
CVSS Version 2.0 Base Score: 6.5 MEDIUM

References

  1. https://httpd.apache.org/docs/current/howto/htaccess.html
  2. https://github.com/pluck-cms/pluck
  3. https://github.com/pluck-cms/pluck/issues/96
  4. https://nvd.nist.gov/vuln/detail/CVE-2020-29607
  5. https://www.php.net/manual/en/apache.configuration.php

If you enjoyed reading my article, do clap and follow me on Medium & Twitter:

Twitter: https://twitter.com/loopspell
LinkedIn: https://www.linkedin.com/in/ankitkushwah/