Remote Code Execution and Local File Disclosure in Zeta Producer Desktop CMS

Project Description

Zeta Producer Desktop CMS is a Windows client for building a website. Unfortunately, the websites which were built from this software are vulnerable to unauthenticated remote code execution due to a default component that permits arbitrary upload of PHP files. Furthermore, local files from the operating system can be disclosed.


Vendor description

“With Zeta Producer, the website builder and online shop system for Windows, you can create and manage your website locally, on your computer. Get without expertise in 3 steps to your own homepage: select design, paste content, publish website. Finished.”

Source: https://www.zeta-producer.com/de/index.html

Business recommendation

The vendor provides a patched version which should be installed immediately.

Users of the product also need to verify that the affected widgets are updated in the corresponding website project! It could be necessary to rebuild the whole project or copy the new widgets to the website projects. For further information consult the vendor.

Furthermore, an in-depth security analysis is highly advised, as the software may be affected from further security issues.

Vulnerability overview/description

1) Remote Code Execution (CVE-2018-13981)

The email contact functionality of the widget “formmailer” can upload files to the server but if the user uploads a PHP script with a .php extension then the server will rename it to .phps to prevent PHP code execution.

However, the attacker can upload .php5 or .phtml to the server without any restriction. These alternative file extensions can be executed as PHP code. Furthermore, the server will create a folder to store the files, with a random name using PHP’s “uniqid” function.

Unfortunately, if the server permits directory listing, the attacker can easily browse to the uploaded PHP script. If no directory listing is enabled the attacker can still bruteforce the random name to gain remote code execution via the PHP script as well. Testing on a local server it took about 20 seconds to brute force the random name. This attack will be slower over the Internet but it is still feasible.

Also, if the user runs the Zeta Producer Desktop CMS GUI client locally, they are also vulnerable because the web server will be running on TCP port 9153.

The root cause is in the widget “formmailer” which is enabled by default. The following files are affected:

  • /assets/php/formmailer/SendEmail.php
  • /assets/php/formmailer/functions.php

2) Local File Disclosure (CVE-2018-13980)

If the user enables the widget “filebrowser” on Zeta Producer Desktop CMS an unauthenticated attacker can read local files by exploiting path traversal issues.

The following files are affected:

  • /assets/php/filebrowser/filebrowser.main.php

Proof of Concept

1) Remote Code Execution (CVE-2018-13981)

The following python script can be used to exploit the chain of vulnerabilities.
[.. code has been removed to prevent misuses ..]

When the script is executed, a PHP script (shell) will be uploaded automatically.

# $ python exploit.py
# [+] injecting webshell to http://target/assets/php/formmailer/SendEmail.php
#
# 5a1a5bc991afe
# 5a1a5bc99453a
# 10812
# [*] Found : http://target/assets/php/formmailer/upload_5a1a5bc992772/sectest.php5
# uid=33(www-data) gid=33(www-data) groups=33(www-data)

2) Local File Disclosure (CVE-2018-13980)

The parameter “file” in the “filebrowser.main.php” script can be exploited to read arbitrary files from the OS with the privileges of the web server user. Any unauthenticated user can exploit this issue!

http://target/assets/php/filebrowser/filebrowser.main.php?file=../../../../../../../../../../etc/passwd&do=download
http://target/assets/php/filebrowser/filebrowser.main.php?file=../../../../../../../../../../etc&do=list

Vulnerable / tested versions

The following versions have been tested which were the latest version available at the time of the test:

  • Zeta Producer Desktop CMS 14.1.0
  • Zeta Producer Desktop CMS 14.2.0

Source:
https://www.zeta-producer.com/de/download.html
https://github.com/ZetaSoftware/zeta-producer-content/

Vendor contact timeline

2017-11-29: Contacting vendor through info@zeta-producer.com and various other email addresses from the website. No reply.
2017-12-13: Contacting vendor again, extending email address list, no reply.
2018-01-09: Contacting vendor again.
2018-01-10: Vendor replies, requests transmission of security advisor.
2018-01-10: Sending unencrypted security advisory to vendor.
2018-07-02: There was no feedback from the vendor but the version 14.2.1 fixed the reported vulnerabilities.
2018-07-12: Public advisory release.

Solution

Upgrade to version 14.2.1 or newer. See the vendor’s download page: https://www.zeta-producer.com/de/download.html

Users of the product also need to verify that the affected widgets are updated in the corresponding website project! It could be necessary to rebuild the whole project or copy the new widgets to the website projects. For further information consult the vendor.

Workaround

Remove “formmailer” and “filebrowser” widgets.

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

 

EOF P. Morimoto / @2018

Project Details

  • TitleRemote Code Execution & Local File Disclosure
  • ProductZeta Producer Desktop CMS
  • Vulnerable version<=14.2.0
  • Fixed version>=14.2.1
  • CVE numberCVE-2018-13981, CVE-2018-13980
  • Impactcritical
  • Homepagehttps://www.zeta-producer.com
  • Found2017-11-25
  • ByP. Morimoto (Office Bangkok) | SEC Consult Vulnerability Lab

Cookie Preference

Please select an option. You can find more information about the consequences of your choice at Help.

Select an option to continue

Your selection was saved!

Help

Help

To continue, you must make a cookie selection. Below is an explanation of the different options and their meaning.

  • Accept all cookies:
    All cookies such as tracking and analytics cookies.
  • Accept first-party cookies only:
    Only cookies from this website.
  • Reject all tracking cookies:
    No cookies except for those necessary for technical reasons are set.

You can change your cookie setting here anytime: Privacy Statement. Legal Notice

Back