Title: Snuffleupagus versus recent high-profile vulnerabilities, again!
Date: 2020-07-04 13:45

Last July, I [published a blog post]((unknown)/php/snuffleupagus_recent_rce.md) summarising how 
[Snuffleupagus](https://github.com/jvoisin/snuffleupagus) was doing against
high-profile web vulnerabilities, and the conclusion was:

> It seems that Snuffleupagus is doing a decent job!

Time to see if it's still the case one year later.

## ImpressCMS 1.3.11 — SQL injection

Sebastian Fabry from [RIPS](https://ripstech.com)
[found](https://blog.ripstech.com/2020/sql-injection-impresscms/) a SQL injection 
in [ImpressCMS](https://www.impresscms.org/).
But since the SQL-injection protection feature isn't publicly available,
Snuffleupagus doesn't do anything against it.

A possible way to harden the application without disrupting anything would be to
write a rule checking that `$_SERVER['PHP_SELF']` doesn't contain quotes.
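As an added illustration of that rule (this is not code from the post, nor from Snuffleupagus, which would express it as one of its own configuration rules), here is the same check done in userland PHP, loaded through `php.ini`'s `auto_prepend_file`. The choice of a 403 response, the log message and the extra `PATH_INFO` key are my assumptions; the post only asks for quotes in `PHP_SELF` to be refused.

```php
<?php
// Added example: virtual patch loaded via php.ini's auto_prepend_file.
// It refuses any request whose $_SERVER['PHP_SELF'] contains a quote
// character. The attacker-controlled part of PHP_SELF is the PATH_INFO
// suffix (/index.php/<here>), so PATH_INFO is checked as well; legitimate
// paths never contain ' or ".

declare(strict_types=1);

/**
 * Return true when $value contains a single or double quote.
 * Kept as a function so the check can be exercised offline.
 */
function contains_quote(string $value): bool
{
    return strpbrk($value, "'\"") !== false;
}

/** Keys of $_SERVER that carry the request path the script sees. (assumed set) */
const PATH_LIKE_KEYS = ['PHP_SELF', 'PATH_INFO'];

/**
 * Return the name of the first offending key, or null when the request is clean.
 */
function find_quoted_server_key(array $server): ?string
{
    foreach (PATH_LIKE_KEYS as $key) {
        if (isset($server[$key]) && contains_quote((string) $server[$key])) {
            return $key;
        }
    }
    return null;
}

// Only enforce during a real web request, so that including this file from
// the CLI (for instance to test it) is harmless.
if (PHP_SAPI !== 'cli') {
    $bad = find_quoted_server_key($_SERVER);
    if ($bad !== null) {
        // Log the key and the source, not the raw value: it is attacker data.
        error_log(sprintf(
            'virtual-patch: quote in $_SERVER[%s] from %s',
            $bad,
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ));
        http_response_code(403);
        exit('Forbidden');
    }
}
```

Refusing the request outright is deliberate: stripping or encoding the quote would silently change what the application sees, and the point of a virtual patch is to fail closed until the real fix ships.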

## WordPress <= 5.2.3: Hardening Bypass

Simon Scannell from RIPS
[found](https://blog.ripstech.com/2020/wordpress-hardening-bypass/) a bypass
of some hardening-fu in WordPress boiling down to an LFI,
so it's mitigated by the [file upload check](https://snuffleupagus.readthedocs.io/features.html#remote-code-execution-via-file-upload),
and depending on the configuration, it might also be prevented by
[W^X](https://snuffleupagus.readthedocs.io/features.html#preventing-execution-of-writable-php-files).

## BigTree 4.4.6 — SQLI

Robin Peraglie from RIPS found a [couple of issues](
https://blog.ripstech.com/2019/sql-injection-big-tree/) in [BigTree
CMS](https://www.bigtreecms.com/): chaining a CSRF to exploit an SQL
injection, then exfiltrating the data via an XSS. There is also a
phar-deserialization RCE.

The CSRF is prevented by [samesite attribute](https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery),
while the SQLI and XSS aren't mitigated. The phar-deserialization is killed
by the [stream wrapper whitelist](https://snuffleupagus.readthedocs.io/features.html#whitelist-of-stream-wrappers).

## SuiteCRM — CSRF to SQLI to RCE — CVE-2019-12598 and CVE-2019-12601

Robin Peraglie from RIPS [disclosed]( https://blog.ripstech.com/2019/breaking-into-your-internal-network/ )
a couple of critical vulnerabilities in [SuiteCRM]( https://suitecrm.com/ ).
The CSRF is prevented by [samesite attribute](https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery),
while the SQLI isn't. The RCE is based on an `unserialize`, mitigated by the [HMAC-for-unserialize](
https://snuffleupagus.readthedocs.io/features.html#unserialize-related-magic )
option.

## TYPO3 — XSS to RCE

Robin Peraglie from RIPS [disclosed]( https://blog.ripstech.com/2019/typo3-overriding-the-database/ )
an XSS to RCE in [TYPO3](https://typo3.com/). The XSS isn't mitigated by snuffleupagus, but since the RCE is based on an
`unserialize`, it's mitigated by the [HMAC-for-unserialize](
https://snuffleupagus.readthedocs.io/features.html#unserialize-related-magic )
option.

## Pimcore 6.2.0 — RCE, SQLI and CSRF

Robin Peraglie from RIPS found a [couple of issues](
https://blog.ripstech.com/2019/driveby-rce-exploit-pimcore/ ) in Pimcore:

- A command injection, complicated and maybe mitigated against casual attackers
	by the [default ruleset](https://snuffleupagus.readthedocs.io/features.html#system-injections)
- A couple of SQL injections, not mitigated by the public version of
	Snuffleupagus
- Absence of anti-CSRF mechanism, mitigated by the `SameSite` cookie attribute

## WooCommerce 3.6.4 — CSRF to XSS

Dennis Brinkrolf of RIPS [found]( https://blog.ripstech.com/2019/woocommerce-csrf-to-stored-xss/ )
a CSRF in WooCommerce, leading to an XSS, meaning RCE since this is WordPress.

The CSRF is mitigated by `SameSite`, killing the XSS as well since it's a
self one.

## Prestashop 1.7.6.4 — CSRF to XSS to RCE

[Sivanesh Ashok](https://twitter.com/sivaneshashok) reported in
April 2020 a [CSRF-to-XSS-to-RCE](https://stazot.com/prestashop-csrf-to-rce/) 
in [Prestashop](https://www.prestashop.com/).

The CSRF is prevented by [samesite
attribute](https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery).
The XSS isn't mitigated by Snuffleupagus, but should be blocked by any
reasonable [CSP](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) policy:
nobody should allow executing JavaScript from within SVG.
And the RCE is, like in WordPress, a feature: admins can upload themes written
in PHP. Interestingly, this is neither caught by the
[file-upload-checking](https://snuffleupagus.readthedocs.io/features.html#remote-code-execution-via-file-upload)
because the themes are zip files, nor by
[W^X](https://snuffleupagus.readthedocs.io/features.html#preventing-execution-of-writable-php-files)
because an attacker can always mark the php files in the zip file as read-only.

## Unraid 6.8.0 — RCE — CVE-2020-5847 and CVE-2020-5849

[Sysdream](https://sysdream.com/)
[found](https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/)
an authentication bypass as well as a remote code execution in
[Unraid](https://www.unraid.net/) around
January 2020.

The auth bypass is based on a logic flaw, and can't be mitigated in a generic
way. The RCE, however, is due to the usage of [`extract($_GET);`](https://www.php.net/manual/en/function.extract.php),
which is
[now](https://github.com/jvoisin/snuffleupagus/commit/bbdf470f4e2d87d90c9ea11f4ce572e4416ffeab) mitigated by the default ruleset,
albeit, to be fair, this function should __never__ be used, especially with such
stupid default values, but well, it's php,
so, yeah, … Amusingly, php's [documentation]( https://www.php.net/manual/en/function.extract.php ) is lying about the names of the
function's parameters, which should be `int extract(array var_array [, int extract_type [, string prefix]])` instead.
As a side note, why the fuck is Unraid running php scripts as root‽
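To show what the default `extract()` flags actually do to a request handler, here is an added example (mine, not code from the post, from Unraid or from Snuffleupagus) with the vulnerable pattern beside two hardened variants. The variable and parameter names (`is_admin`, `page`, `sort`) are constructed for the illustration, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example: why extract() on request data is dangerous, and two ways
// to avoid it. Variable names are constructed for illustration.

declare(strict_types=1);

/**
 * Vulnerable pattern: extract() defaults to EXTR_OVERWRITE, so any request
 * parameter can clobber a local that was set before the call. Here a query
 * string of ?is_admin=1 overwrites the value computed from the session.
 */
function vulnerable_is_admin(array $get): bool
{
    $is_admin = false;      // in real code: derived from the session
    extract($get);          // imports every key of $get as a local variable
    return (bool) $is_admin;
}

/**
 * Hardened variant A: EXTR_SKIP never overwrites a variable that already
 * exists, so the pre-computed $is_admin survives. Still imports unknown
 * names, so it is only a stop-gap.
 */
function hardened_skip_is_admin(array $get): bool
{
    $is_admin = false;
    extract($get, EXTR_SKIP);
    return $is_admin;
}

/**
 * Hardened variant B (preferred): no extract() at all. Read exactly the
 * parameters the handler expects, each with a default, and ignore the rest.
 * Returns the sanitised parameter map.
 */
function hardened_explicit(array $get): array
{
    $allowed = ['page' => 1, 'sort' => 'name'];   // assumed parameter list
    $params = [];
    foreach ($allowed as $name => $default) {
        $params[$name] = $get[$name] ?? $default;
    }
    return $params;
}

// Constructed request: a legitimate parameter plus a smuggled is_admin.
$request = ['page' => '2', 'is_admin' => '1'];

var_dump(vulnerable_is_admin($request));    // the smuggled parameter wins
var_dump(hardened_skip_is_admin($request)); // the session-derived value wins
var_dump(hardened_explicit($request));      // only page and sort are kept
```

Variant B is the one to reach for: it turns "which variables might this request create?" into a question with a fixed answer, which is also what makes a generic rule such as the one Snuffleupagus now ships unnecessary for that code path.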

## Netsweeper's webadmin 6.4.3 — RCE

An "independent Security Researcher"
[found]( https://ssd-disclosure.com/ssd-advisory-netsweeper-preauth-rce/ )
an unauthenticated remote code execution
in Netsweeper's webadmin, based on a shell injection,
which should be mitigated by the default ruleset.

## Roundcube 1.4.3 — XSS

Roundcube [fixed](
https://github.com/roundcube/roundcubemail/commit/87e4cd0cf2c550e77586860b94e5c75d2b7686d0
) an XSS, present thanks to a logic bug. There is
nothing Snuffleupagus can do against those, but it's trivial to write a rule to
virtual-patch this particular issue.

## Composr — RCE

Megadodo [published](
https://github.com/MegadodoPublications/exploits/blob/master/composr.md ) an
unserialize-based RCE in [composr]( https://compo.sr/ ), mitigated by the
[HMAC-for-unserialize](
https://snuffleupagus.readthedocs.io/features.html#unserialize-related-magic )
option.

## Mautic — RCE

Megadodo [published]( https://github.com/MegadodoPublications/exploits/blob/master/mautic.md ) an
unserialize-based RCE in [mautic]( https://www.mautic.org/ ), mitigated by the
[HMAC-for-deserialize](
https://snuffleupagus.readthedocs.io/features.html#unserialize-related-magic )
feature.

## SquirrelMail — likely RCE

Hanno Böck published a [patch]( https://github.com/hannob/squirrelpatches/blob/main/patches/squirrelmail-security-mailto-avoid-unserialize.diff )
to fix an unserialize-based likely-RCE in [SquirrelMail]( https://squirrelmail.org/ ), mitigated by the
[HMAC-for-deserialize](
https://snuffleupagus.readthedocs.io/features.html#unserialize-related-magic )
feature.

## Drupal 8 — RCE

Lorenzo Grespan and Sam Thomas from [pentest.co.uk](https://pentest.co.uk)
[published](
https://pentest.co.uk/labs/research/drupal-8-remote-code-execution-by-estimating-installation-time-of-site/
) a fun remote code execution against Drupal 8, chaining:

1. A CSRF to create an arbitrary folder, mitigated by the samesite option
2. A quirk of `file_get_contents`, unmitigated
3. Some brute-forcing on Linux (none is needed on Windows), unmitigated
4. Deserialisation-based RCE, mitigated by the [HMAC-for-unserialize](
   https://snuffleupagus.readthedocs.io/features.html#unserialize-related-magic
   ) option
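The "HMAC for unserialize" option does the heavy lifting in the SuiteCRM, TYPO3, Composr, Mautic, SquirrelMail and Drupal sections above. As an added example of the mechanism (mine, written in userland PHP; Snuffleupagus implements it transparently inside the engine, and this is not its code), here is the idea: `serialize()` output is tagged with a keyed MAC, and `unserialize()` refuses anything whose tag does not verify, so a payload that was never produced by the application is rejected before any magic method can run. The key is a constructed placeholder, the helper names are mine, and the code assumes PHP 8.0 or later.

```php
<?php
// Added example: userland illustration of MAC-protected serialization.
// The key is a placeholder; a real deployment loads it from outside the
// web root and never commits it.

declare(strict_types=1);

const SERIALIZE_KEY = 'placeholder-secret-key-change-me';  // constructed
const MAC_ALGO      = 'sha256';

/** serialize() the value and append a hex MAC computed over the blob. */
function secure_serialize(mixed $value, string $key = SERIALIZE_KEY): string
{
    $blob = serialize($value);
    return $blob . hash_hmac(MAC_ALGO, $blob, $key);
}

/**
 * Verify the MAC, then unserialize(). Anything not produced by
 * secure_serialize() with the same key is rejected before unserialize()
 * ever sees it. Returns null on any failure so callers must handle it.
 */
function secure_unserialize(string $data, string $key = SERIALIZE_KEY): mixed
{
    // Length of the hex digest for MAC_ALGO (64 characters for sha256).
    $mac_len = strlen(hash_hmac(MAC_ALGO, '', $key));
    if (strlen($data) <= $mac_len) {
        return null;
    }
    $blob = substr($data, 0, -$mac_len);
    $mac  = substr($data, -$mac_len);

    // hash_equals() compares in constant time.
    if (!hash_equals(hash_hmac(MAC_ALGO, $blob, $key), $mac)) {
        return null;
    }
    // Even with a valid MAC, refuse object instantiation unless the caller
    // needs it: most cache and cookie payloads are plain arrays.
    return unserialize($blob, ['allowed_classes' => false]);
}

// Constructed data, as an application would store it in a cookie or cache.
$stored = secure_serialize(['user' => 'alice', 'role' => 'editor']);
var_dump(secure_unserialize($stored));        // round-trips the array

// Tampered copy: one byte of the payload changed, MAC left as it was.
$tampered = $stored;
$tampered[12] = 'X';
var_dump(secure_unserialize($tampered));      // rejected: MAC no longer matches

// Payload with no MAC at all, the shape an injected gadget chain would have.
var_dump(secure_unserialize(serialize(['role' => 'admin'])));  // rejected
```

The point of doing this at the engine level, as Snuffleupagus does, is that no application code has to be changed and no call site can be forgotten; the userland version above is what you would write when you cannot deploy the module.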

## BoltCMS — CSRF to XSS to RCE

[Sivanesh Ashok](https://twitter.com/sivaneshashok) reported in
April 2020 a [CSRF-to-XSS-to-RCE](https://stazot.com/advisories/Bolt%20CMS%203.7.0%20Multiple%20Vulnerabilities) 
in [BoltCMS](https://bolt.cm/).

- The CSRF is prevented by [samesite attribute](https://snuffleupagus.readthedocs.io/features.html#protection-against-cross-site-request-forgery).
- The reflected and stored XSS aren't mitigated by Snuffleupagus.
- The LFI is mitigated by [file-upload-checking](https://snuffleupagus.readthedocs.io/features.html#remote-code-execution-via-file-upload)
  as well as by [W^X](https://snuffleupagus.readthedocs.io/features.html#preventing-execution-of-writable-php-files).

## Trixbox CE — RCE

[Anastasios Stasinopoulos]( https://stasinopoulos.github.io/ ) [disclosed]( https://github.com/rapid7/metasploit-framework/pull/13353 )
a command injection in (the unmaintained) [trixbox CE]( https://en.wikipedia.org/wiki/Trixbox ),
mitigated by the [default ruleset](https://snuffleupagus.readthedocs.io/features.html#system-injections).

## FusionPBX — XSS to RCE

[Dustin Cobb](https://www.linkedin.com/in/dustin-cobb-b33ba6b9) from [Gotham Digital Science](https://www.gdssecurity.com/)
[published]( https://blog.gdssecurity.com/labs/2019/6/7/rce-using-caller-id-multiple-vulnerabilities-in-fusionpbx.html )
an XSS to RCE in [FusionPBX](https://www.fusionpbx.com/ ).
The XSS isn't mitigated by snuffleupagus, and the command injection used for the RCE
is made harder to exploit, but isn't fully mitigated, since the entire content of the parameter
controlled by the attacker is passed to a `system`-like function, without anything prepended or appended.
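The FusionPBX case is a useful reminder of what a metacharacter-based rule can and cannot see, so here is an added example (mine, not code from the post, from FusionPBX or from Snuffleupagus) contrasting the two call shapes and showing the fix that does not depend on a filter at all. The `ping` command, the hostname check and the metacharacter regex are my assumptions for the illustration; the regex is only a stand-in for the kind of check a default ruleset applies, not a copy of it.

```php
<?php
// Added example: splice-style injection vs. whole-argument control.
// Command and parameter choices are constructed for illustration.

declare(strict_types=1);

/**
 * Call shape 1: the parameter is appended to a fixed command. Running
 * anything else requires a separator such as ; | & or a backtick, which a
 * metacharacter rule on system()/exec()/... can detect.
 */
function build_ping_command_concat(string $host): string
{
    return 'ping -c 1 ' . $host;
}

/**
 * Stand-in for a metacharacter filter (assumed pattern, not the real rule):
 * true when the string carries the characters a splice needs.
 */
function has_shell_metachar(string $command): bool
{
    return preg_match('/[;|&`$\n()]/', $command) === 1;
}

/**
 * Hardened shape: fixed binary, allowlisted argument format, and
 * escapeshellarg() for whatever passes. Inputs that do not look like a
 * hostname are refused (null) rather than "cleaned".
 */
function build_ping_command_safe(string $host): ?string
{
    if (!preg_match('/\A[A-Za-z0-9.\-]{1,253}\z/', $host)) {
        return null;
    }
    return 'ping -c 1 ' . escapeshellarg($host);
}

// Constructed inputs.
$benign  = 'example.com';
$spliced = 'example.com; id';   // needs a separator, so the filter sees it
$whole   = 'id';                // a complete command on its own: no separator

// Call shape 1: the splice is visible to the filter.
var_dump(has_shell_metachar(build_ping_command_concat($spliced)));

// Call shape 2 (the FusionPBX situation): the parameter *is* the command.
// There is nothing to splice, so a metacharacter filter has nothing to see.
var_dump(has_shell_metachar($whole));

// The allowlist refuses the spliced input and keeps the benign one.
var_dump(build_ping_command_safe($spliced));
var_dump(build_ping_command_safe($benign));
```

This is why the post calls the FusionPBX case "harder to exploit" rather than mitigated: the default rule raises the bar for the concatenated shape, but only an allowlist on the argument (or not passing user input to a shell at all) closes the whole-argument shape.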


## Conclusion

Like last year, the only vulnerabilities that weren't killed are either:

- Logic issues, that can't be generically mitigated.
- Client-side issues, like XSS, that are explicitly out of scope.
- Application-specific issues that can't be dealt with in a generic way.
- SQLI, since this part is still private for now.

It seems that Snuffleupagus is still doing a decent job!

Feel free to send me an [email](https://dustri.org/) if I've missed
your favourite web vulnerability.
