CVE-2017-18048 - Monstra CMS 3.0.4 - Remote Code Execution

Security Advisory: CVE-2017-18048- Monstra CMS 3.0.4 - Arbitrary File Upload / Remote Code Execution

OVERVIEW

Severity Rating: High

Confirmed Affected Versions: 3.0.4

Vendor: MonstraCMS

Vendor URL: http://monstra.org/

Vector: Remote

Status: Public

CVE: CVE-2017-18048

ExploitDB URL: https://www.exploit-db.com/exploits/43348/

SSD Advisory: https://ssd-disclosure.com/ssd-advisory-monstra-cms-rce/

PRODUCT DESCRIPTION

Monstra is a modern and lightweight Content Management System.
SUMMARY AND IMPACT
MonstraCMS 3.0.4 allows users to upload arbitrary files which leads to a remote command execution on the remote server.

In MonstraCMS an Editor can upload files to the Monstra CMS and can access them by clicking on them from the administrator portal

During this research, I found that the Monstra CMS is allowing an user with editor privileges to upload files forbidding all types of executable files which are mentioned in monstra\plugins\box\filesmanager\filesmanager.admin.php however I was able to bypass this mitigation by simply uploading a php file with “PHP” (all in uppercase) extension which helped me to upload a shell file and execute shell commands on the server.
Thanks to the awesome article by @netbiosX
VULNERABLE CODE:
https://github.com/monstra-cms/monstra/blob/dev/plugins/box/filesmanager/filesmanager.admin.php#L19:

PROOF OF CONCEPT
https://www.youtube.com/watch?v=-ziZ6DELbzw

RECOMMENDED WORKAROUNDS

I was not able to get the vendor to respond in any way, the software appears to have been left abandoned without support – though this is not an official status on their site (last official patch was released on 2012-11-29), the GitHub appears a bit more active (last commit from 2 years ago). The patch that addresses this bug is available here:

https://github.com/monstra-cms/monstra/issues/426