# Cockpit CMS 0.13.0 - Remote Code Execution

Advisory ID: RO-16-004
Severity: Critical
Vendor: Cockpit
Product: Cockpit CMS
Version: 0.13.0

## Overview

Multiple Remote Code Execution (RCE) vulnerabilities exist in Cockpit CMS version 0.13.0. The vulnerabilities allow remote attackers to execute arbitrary PHP code on the server.

## Vulnerability Details

- Affected Versions: 0.13.0 and earlier
- Location: Multiple endpoints including /accounts/save, /auth/check, /api/galleries/findOne, /api/collections/findOne
- Affected Parameters: account._id, auth[user], filter._id
- Root Cause: The vulnerability exists due to improper handling of user input in JSON parameters, allowing PHP code evaluation.

## Exploitation Requirements

- No authentication required for some vectors
- Direct access to vulnerable endpoints

## Impact

Remote attackers can exploit these vulnerabilities to:

- Execute arbitrary PHP code on the server
- Gain complete control of the CMS
- Access sensitive files and databases
- Pivot to internal network resources

## Proof of Concept

```http
POST /cockpit-0.13.0/accounts/save HTTP/1.1
Host: target.com
Content-Type: application/json

{"account":{"_id":"'+print(int)0xFFF9999-22+'"}}
```

```http
POST /cockpit-0.13.0/auth/check HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

auth[user]='+print(int)0xFFF9999-22+'
```

## Solution

Upgrade to a patched version of Cockpit CMS that includes proper input sanitization.

## References

- Invicti Advisory NS-16-016

## Timeline

- [2016-06-30] - Reported
- [2016-09-19] - Advisory released

Credits: Omar Kurt
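As an added defensive example (not part of the original advisory), the routine below inspects request bodies for the endpoints and parameters listed above and flags any `account._id`, `filter._id` or `auth[user]` value that is not a plain identifier; the identifier allowlist `[A-Za-z0-9_-]` and the sample requests are assumptions constructed for illustration, with two of the samples reusing the probe strings from the proof of concept.

```python
import json
import re
from urllib.parse import parse_qs

# Endpoints and parameters named in the advisory.
AFFECTED_ENDPOINTS = ("/accounts/save", "/auth/check",
                      "/api/galleries/findOne", "/api/collections/findOne")
JSON_PARAMS = (("account", "_id"), ("filter", "_id"))
# Assumption: a legitimate identifier is a short token of [A-Za-z0-9_-].
SAFE_ID = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

def extract_values(content_type, body):
    """Return (param, value) pairs for the advisory's affected parameters."""
    if "json" in content_type:
        try:
            data = json.loads(body)
        except ValueError:
            return [("<unparsable-json>", body)]
        if not isinstance(data, dict):
            return []
        return [(f"{p}.{k}", str(data[p][k])) for p, k in JSON_PARAMS
                if isinstance(data.get(p), dict) and k in data[p]]
    # Form-encoded body; parse_qs decodes '+' as a space, so the flagged
    # value may differ slightly from the raw wire bytes.
    return [("auth[user]", v) for v in parse_qs(body).get("auth[user]", [])]

def flag_request(path, content_type, body):
    """List affected parameters whose value is not a plain identifier."""
    if not path.endswith(AFFECTED_ENDPOINTS):
        return []
    return [(p, v) for p, v in extract_values(content_type, body)
            if not SAFE_ID.match(v)]

# Constructed sample requests (not captured traffic); the first and third
# reuse the probe strings shown in the advisory's proof of concept.
SAMPLE_REQUESTS = [
    ("/cockpit-0.13.0/accounts/save", "application/json",
     '{"account":{"_id":"\'+print(int)0xFFF9999-22+\'"}}'),
    ("/cockpit-0.13.0/accounts/save", "application/json",
     '{"account":{"_id":"57a1b2c3d4e5f607"}}'),
    ("/cockpit-0.13.0/auth/check", "application/x-www-form-urlencoded",
     "auth[user]='+print(int)0xFFF9999-22+'"),
    ("/cockpit-0.13.0/auth/check", "application/x-www-form-urlencoded",
     "auth[user]=admin&auth[password]=secret"),
]

def scan(requests=SAMPLE_REQUESTS):
    """Return (path, hits) for every request that trips the check."""
    return [(path, hits) for path, ctype, body in requests
            if (hits := flag_request(path, ctype, body))]
```

The same allowlist check, applied server-side before the value reaches any evaluation path, is the shape of fix the Solution section describes.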