CVE-2017-18048 - Monstra CMS 3.0.4 - Remote Code Execution
Security Advisory: CVE-2017-18048- Monstra CMS 3.0.4 - Arbitrary File Upload / Remote Code Execution
OVERVIEW
Severity Rating: High
Confirmed Affected Versions: 3.0.4
Vendor: MonstraCMS
Vendor URL: http://monstra.org/
Vector: Remote
Status: Public
CVE: CVE-2017-18048
ExploitDB URL: https://www.exploit-db.com/exploits/43348/
SSD Advisory: https://ssd-disclosure.com/ssd-advisory-monstra-cms-rce/
PRODUCT DESCRIPTION
Monstra is a modern and lightweight Content Management System.
SUMMARY AND IMPACT
MonstraCMS 3.0.4 allows users to upload arbitrary files which leads to a remote command execution on the remote server.
In MonstraCMS an Editor can upload files to the Monstra CMS and can access them by clicking on them from the administrator portal
During this research, I found that the Monstra CMS is allowing an user with editor privileges to upload files forbidding all types of executable files which are mentioned in monstra\plugins\box\filesmanager\filesmanager.admin.php however I was able to bypass this mitigation by simply uploading a php file with “PHP” (all in uppercase) extension which helped me to upload a shell file and execute shell commands on the server.
Thanks to the awesome article by @netbiosX
VULNERABLE CODE:
https://github.com/monstra-cms/monstra/blob/dev/plugins/box/filesmanager/filesmanager.admin.php#L19:
PROOF OF CONCEPT
https://www.youtube.com/watch?v=-ziZ6DELbzw
RECOMMENDED WORKAROUNDS
I was not able to get the vendor to respond in any way, the software appears to have been left abandoned without support – though this is not an official status on their site (last official patch was released on 2012-11-29), the GitHub appears a bit more active (last commit from 2 years ago). The patch that addresses this bug is available here: