PyroCMS Object Injection Vulnerability – Another step, damn the steps, damn thee!

Hello

PyroCMS is a popular open source CMS application built on CodeIgniter. You can download it from https://www.pyrocms.com/ or from its GitHub account. I decided to analyze the installation module of PyroCMS, because we have already learned that an attacker can carry out object injection attacks if the private key is not actually private!

I have written about the CodeIgniter object injection vulnerability before. If you have not read it, I would advise you to do so first, because this write-up depends heavily on CodeIgniter's session and array serialization mechanism and will not cover it again.

Installation Module of PyroCMS

Cloning the 2.3/master branch of PyroCMS

Now it is time to read the source code of the installation module. The installer controller can be found at installer/controllers/installer.php. When we reach step 4, the following method is called.

Please look at line 64: PyroCMS calls the install method of the install_lib class. Let's look at the source code of the install method.

PyroCMS does not generate a random string to use as the encryption_key! It just writes the database credentials into database.php and then calls the write_config_file method.

There is nothing about encryption_key there either. That was the moment I started wondering whether the encryption key is defined statically. Then I checked cms/config/config.php and saw this:

That means every PyroCMS installation is using the same encryption key right now! This is really …
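As an added example (not PyroCMS or CodeIgniter code), the following PHP audits a CodeIgniter-style config.php for a static or placeholder encryption_key and replaces it with a freshly generated random key, which is exactly the step the installer above skips. The placeholder list and the sample config are constructed for this example.

```php
<?php
// Added example, not PyroCMS or CodeIgniter code: audit a CodeIgniter-style
// config.php for a static/placeholder $config['encryption_key'] and rewrite it
// with a per-installation random key, the step the PyroCMS installer skipped.

// Placeholder values an audit should reject. This list is constructed for the
// example; it is not the key that any PyroCMS release actually shipped.
const PLACEHOLDER_KEYS = ['', 'CHANGE_ME', 'your_encryption_key'];

// Returns the configured key, or null when no encryption_key line exists.
function extractEncryptionKey(string $configSource): ?string
{
    $pattern = '/\$config\[\'encryption_key\'\]\s*=\s*([\'"])(.*?)\1\s*;/';
    return preg_match($pattern, $configSource, $m) ? $m[2] : null;
}

// A key is weak when missing, a known placeholder, or shorter than the
// 32 characters CodeIgniter's encryption docs call for.
function keyIsWeak(?string $key): bool
{
    return $key === null
        || in_array($key, PLACEHOLDER_KEYS, true)
        || strlen($key) < 32;
}

// 16 bytes from the CSPRNG, hex-encoded to a 32-character key (PHP 7+).
function generateEncryptionKey(): string
{
    return bin2hex(random_bytes(16));
}

// Replaces only the value of the encryption_key line; hex keys need no escaping.
function rotateEncryptionKey(string $configSource, string $newKey): string
{
    $pattern = '/(\$config\[\'encryption_key\'\]\s*=\s*)([\'"]).*?\2(\s*;)/';
    return preg_replace($pattern, '${1}\'' . $newKey . '\'${3}', $configSource, 1);
}

// Constructed sample mimicking a shipped cms/config/config.php.
$sample = "<?php\n\$config['encryption_key'] = 'CHANGE_ME';\n"
        . "\$config['sess_cookie_name'] = 'pyrocms';\n";

$current = extractEncryptionKey($sample);
if (keyIsWeak($current)) {
    $sample = rotateEncryptionKey($sample, generateEncryptionKey());
    echo "weak key '{$current}' replaced with a per-install random key\n";
}
echo $sample;
```

Running the same audit against a deployed config.php is a quick way to detect installations still sharing a vendor-supplied key; rotating the key invalidates every existing session cookie, so schedule it accordingly.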

EVIL THINGS

I wrote a PHP script that decrypts the session string and appends new fields; you can change the serialized plain-text session string to whatever you want. The following code takes the current cookie value via argv, detects the remote server's encryption method, and then generates a new string with the same key! I also made a few modifications to the Encryption class of CodeIgniter.

The output of sploit.php looks like the following. I have just added an extra field to my session array for demonstration.

IN CONCLUSION

Private keys are designed to be private!

TIMELINE

20 Apr 2014 – First contact

24 Apr 2014 – Response from the lead developer; patched via the following commit.
https://github.com/pyrocms/pyrocms/commit/af42c70a04ee9b4105a3d462625569e0ad9796cf

  • It’s probably worth noting at this point that the 2.3 branch was never released, and will never be released.

    3.0 has become the new active branch and is pretty much a rewrite, with awesome new functionality.

    https://www.pyrocms.com/blog/2014/11/pyrocms-30-progress-and-launch

    So, no reason for panic about these CodeIgniter-based security vulnerabilities.

    • mehmet ince

      Thank you for sharing this news with us. When I analyzed PyroCMS (April 21, 2014) this vulnerability existed and was alive. I'm glad to hear about the 3.0 branch :)

  • Hey there, nice catch! The 2.3 branch however has been abandoned since August and 3.0 is an entire rewrite! If you did not, I implore you to contact us with findings like this in the future. You are welcome to email me personally or 3.0 will launch with a security response section on the website.

    Cheers,

    Ryan

  • Jhon

    What did you change in ci_encryption.php? I can't reproduce this on my local test files.

    Appreciate any help.