Weak Randomness in Uploaded File Name Leading to Code Execution

We discussed this vulnerability as part of our weekly podcast on 23 November 2021

Weak randomness leading to a predictable filename enabling code execution…

In an already risky feature, a limited user can download remote files, providing the URL to Concrete CMS, and it will curl the file with a 60 second timeout. While the CMS does try to ensure the user is not uploading ant .php files which might result in code execution these checks happen after the file has already been downloaded.

If the check fails, the file (which is in a VolatileDirectory) is deleted with the directory when the object is destroyed (effectively the end of the request).

The VolatileDirectory’s name is made somewhat random through uniqid() which is influenced by the current time and microseconds. An attacker must guess the directory name before the request ends, the seconds would be predictable based on the server’s Date header, but the microseconds would leave another million possibilities. So 1 million maximum requests inside the 60 second request life.

The author was able to do this using Turbo Intruder heading 16k-17k requests per second, so 500-700k in the 30second window their attack script was working with.