Zenario CMS 9.2 - Insecure file upload (RCE)

Summary

NameZenario CMS 9.2 - Insecure file upload (RCE)
Code nameSimone
ProductZenario CMS
Affected versions9.2
Fixed versions9.2.55826
StatePublic
Release date2022-02-18

Vulnerability

KindInsecure file upload (RCE)
Rule027. Insecure file upload
RemoteYes
CVSSv3 VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSSv3 Base Score9.1
Exploit availableNo
CVE ID(s)CVE-2022-23043

Description

Zenario CMS 9.2 allows an authenticated admin user to bypass the file upload restriction by creating a new File/MIME Types using the .phar extension. Then an attacker can upload a malicious file, intercept the request and change the extension to .phar in order to run commands on the server.

Proof of Concept

Steps to reproduce

  1. Once login as admin click on 'Go to Organizer'> 'Configuration'.

  2. Select 'File/MIME Types' in the 'Configuration' menu.

  3. Click on 'Create'.

  4. Create a new custom file type using 'phar' as extension and 'text/plain' as MIME Type and then click on 'Save'.

    The server validates some malicious extensions but still there are some valid executable extensions. For example 'phar' and 'shtml'.

  5. Create a '.phar' file with the following content.

    <?php echo system($_GET['cmd']); ?>
    
  6. On the admin menu, click on 'Documents'

  7. Click on 'Upload documents'

  8. Click on 'Upload...' and browse the created file.

  9. Select 'Public' and click on 'Save'.

  10. Select the file and click on 'Actions' > 'View public link' in order to get the file location.

  11. Go to the url in the browser.

System Information

  • Version: Zenario CMS 9.2.
  • Operating System: Linux.
  • Web Server: Apache
  • PHP Version: 7.4
  • Database and version: Mysql

Exploit

There is no exploit for the vulnerability but can be manually exploited.

Mitigation

An updated version of Zenario CMS is available at the vendor page.

Credits

The vulnerability was discovered by Oscar Uribe from the Offensive Team of Fluid Attacks.

References

Vendor page https://zenar.io/

Patched version https://github.com/TribalSystems/Zenario/releases/tag/9.2.55826

Timeline

Time-lapse-logo

2022-01-13

Vulnerability discovered.

Time-lapse-logo

2022-01-13

Vendor contacted.

Time-lapse-logo

2022-01-14

Vendor replied acknowledging the report.

Time-lapse-logo

2022-02-08

Vulnerability patched.

Time-lapse-logo

2022-02-18

Public Disclosure.