Code Audit – CVE-2018-10574

As the second CVE ID I have owned, CVE-2018-10574 identifies an arbitrary code execution vulnerability in BigTree CMS, developed by Fastspot. Here are some places to get more details about this CVE.

Here I would love to share how I found this vulnerability and exploited it to get a webshell and compromise the whole system. The CVSS v3.0 score for this vulnerability is 9.8, meaning it is rated as critical.

I found this vulnerability by code audit.

At the very beginning, I was trying to find SQL injection vulnerabilities. I looked into how parameters were prepared and checked whether all parameters from clients were handled. I searched for keywords like $_GET[], $_POST[], and $_REQUEST, hoping to find incomplete handling. Disappointingly, I found nothing. Then I started to go through other components.

After auditing several parts of the project, I found a place used for uploading files. The code was written like this.

In /core/admin/ajax/file-browser/upload.php, I found this.

I looked into the definition of the class BigTreeStorage and found this.

As we can see, preg_match is used to reject uploads whose file name matches certain keywords: it is a filter on the file extension. Since files with the extensions php, phtml, and pht are forbidden, the measure looks effective at first glance. But it is a deny list rather than an allow list, and the programmers forgot some things.
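To make the weakness concrete, here is an added example (my own Python, not BigTree's PHP code) that contrasts a deny-list extension check of the kind described above with an allow-list check. The regular expression is an assumption standing in for whatever preg_match pattern BigTreeStorage actually uses; only the three blocked extensions come from the audit. The sample file names are constructed.

```python
import re

# Deny-list check of the kind described in the audit. This pattern is my
# reconstruction (an assumption), not the one in BigTreeStorage; only the
# extensions php, phtml and pht are taken from the write-up.
DENY_LIST_RE = re.compile(r"\.(php|phtml|pht)$", re.IGNORECASE)


def denylist_allows(filename: str) -> bool:
    """Return True if the deny-list filter would accept this upload."""
    return DENY_LIST_RE.search(filename) is None


# Allow-list alternative (my own hardening, not a BigTree patch): accept only
# a fixed set of harmless extensions, require exactly one extension, and
# reject dotfiles so that server configuration files such as .htaccess
# cannot be planted in the upload directory.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$")


def allowlist_allows(filename: str) -> bool:
    """Return True only for a plain <name>.<ext> with an allow-listed ext."""
    m = SAFE_NAME_RE.match(filename)
    if m is None:  # no extension, leading dot, several dots or odd characters
        return False
    return m.group(1).lower() in ALLOWED_EXTENSIONS


def compare(filenames):
    """Map each name to (deny-list verdict, allow-list verdict)."""
    return {f: (denylist_allows(f), allowlist_allows(f)) for f in filenames}


if __name__ == "__main__":
    # Constructed sample names: a legitimate image, two blocked scripts,
    # and the two files used in the .htaccess trick (no php extension at all).
    samples = ["photo.jpg", "shell.php", "shell.PHTML", ".htaccess", "haozhe"]
    for name, (deny_ok, allow_ok) in compare(samples).items():
        print(f"{name:12} deny-list: {'accept' if deny_ok else 'reject':6}  "
              f"allow-list: {'accept' if allow_ok else 'reject'}")
```

The deny list does exactly what the audit says: shell.php and shell.PHTML are refused. It also accepts .htaccess and haozhe, because neither carries a blocked extension, which is the whole problem; the allow list refuses both because they do not look like a plain name.ext upload.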

.htaccess files (or "distributed configuration files") provide a way to make configuration changes on a per-directory basis. A file containing one or more configuration directives is placed in a particular document directory, and the directives apply to that directory and all of its subdirectories.

Since Apache supports .htaccess and the filter places no restriction on this type of file, you can upload a .htaccess file that changes the configuration so that the PHP interpreter executes uploaded files as PHP code regardless of their extension. This is a commonly seen trick in CTF games. One caveat: Apache only honors such directives if AllowOverride for the upload directory permits them (AddType and SetHandler fall under AllowOverride FileInfo), so whether the trick works depends on the server configuration as well as on the CMS.

Now all you need is to upload a customized .htaccess file and a webshell. Of course, you can also combine the two into a single file.

Two Files

File 1: haozhe

File 2: .htaccess

Then the file haozhe will be treated as a PHP script by the PHP interpreter. In this way, you can execute arbitrary PHP code. Getshell!

One File

What you need to do is just combine the two files into one. Of course, the file must be named .htaccess. Then put the PHP code inside this file, and getshell!

Getshell

