exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Anchor CMS PHP Object Injection

Anchor CMS PHP Object Injection
Posted Aug 27, 2015
Authored by Scott Arciszewski

Anchor CMS suffers from a PHP object injection vulnerability.

tags | advisory, php
advisories | CVE-2015-5687
SHA-256 | 01360b0ef87b8be3a5a7368eac27d098cc885b14e087ad44e9eb0a5154ed8a8b

Anchor CMS PHP Object Injection

Change Mirror Download
In the near future on an IRC server near you:

> <user1> Hey, what's the best command line tool for verifying that my copy of AnchorCMS 0.9.x is secure?
> <user2> rm

CVE-2015-5687 (PHP Object Injection in AnchorCMS)
=================================================

Out of the box, AnchorCMS defaults to store all session state in a
cookie (contrast this with only storing a unique identifier in a
cookie which references a server-side storage mechanism, such as a
temporary file or a database row).

Aside: If you have paid attention to my past work with Laravel,
CodeIgniter, and Kohana, you probably already know how this story
ends. This finding is so much worse than anything I've found in any of
those three.

Generally, when a framework or CMS decides to go down the "cookie
session driver" route, they do so knowing that end users have complete
control over the contents of the cookie. Fortunately, there's a
cryptographic tool that allows them to do this almost safely: a
Message Authentication Code.

The first mistake the AnchorCMS cookie session driver made was,
instead of using a MAC (e.g. hash_hmac('sha256', $cookie_data,
$some_key)), they just used an MD5 hash.

https://github.com/paragonie/anchor-cms/blob/1207ab1b656bc5687bc2d2d6f57e6c4d0ca7d15f/system/session/drivers/cookie.php#L19-L35

The second mistake the AnchorCMS cookie session driver made was the
same one almost every other cookie session driver ever written in PHP
makes: It uses unserialize() on user-provided data. Normally this
isn't exploitable, because a MAC cannot be forged without the
server-side authentication key or a timing side-channel on the MAC
verification. But as we just said, they just prepend an MD5 hash and
use that as an authentication mechanism.

Both mistakes, combined, make this a remotely exploitable PHP object
injection vulnerability. Combine that with some of the recent CVEs for
memory corruption in unserialize() and the fact that AnchorCMS
officially supports EOL'd versions of PHP which do not have these
memory corruptions fixed, we potentially have a wormable remote
exploit on any server running AnchorCMS on the Internet. Wonderful.

Weak PRNG used in security contexts
===================================

During the course of writing a patch to migrate the cookie session
driver to HMAC-SHA-256 with constant-time MAC comparison, we
discovered that they did not at any point expose or use a CSPRNG (not
even in the salt generation of their bcrypt implementation).

Instead, they relied on str_shuffle().

https://github.com/paragonie/anchor-cms/blob/07933dbc7939326bb4973827a0934d1a610851d1/system/helpers.php#L55-L59
https://github.com/paragonie/anchor-cms/blob/66581e5969029e7b6dfddfe3326bb9f15f27b859/anchor/libraries/hash.php#L15

We have not explored the full potential of the exploitability of this
issue (why brute force a 32-bit keyspace when you already have the
potential to get a remote shell?), but needless to say we did not use
this PRNG for generating a session authentication key in our patch.

--------------------------------

Both of the issues reported above would be patched if this pull
request was reviewed by their team and merged.
https://github.com/anchorcms/anchor-cms/pull/904

It has been 30 days since I wrote the patch and sent the above pull
request. The timeline (sans the Github notifications that the
AnchorCMS team would have received every time I or someone else
commented on this pull request) looks like this.

* 2015-07-28
Initial discovery, contacted team on Gitter, instructed to send a PR,
and we did so.

* 2015-08-11
After radio silence from the AnchorCMS devs, I reached out to Craig
Childs who responded the same day. "Thanks for pointing this out to
me, I understand it’s serious and I’ll look into it as soon as I can."

* 2015-08-27
We've reached the 30 day mark without the security issues being resolved.
Furthermore, Paragon Initiative Enterprises has not received any request
for more time for their team to review the patch. (Note: For most issues,
we won't delay past 30 days without remediation.)

Looking at the above issues, it may surprise you to hear that
AnchorCMS is not an obscure relic of a forgotten age; it has almost
2500 stars and over 400 forks on Github.

The best advice I can offer anyone is to uninstall AnchorCMS from
their servers. These are just the issues that I could find; there is
undoubtedly many more that are just as bad.

In publishing this, we hope that the AnchorCMS development team is
able to wake up and reconnect with the community, and more importantly
that the community is willing to help them fix the myriad of security
vulnerabilities that probably lurk beneath the surface.

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close