CVE-2020-10560 – OSSN Arbitrary File Read


Open source platforms, although extremely useful and popular, can sometimes be prone to vulnerabilities. By allowing users to access the code that creates the platforms, these free software resources open themselves up for easier vulnerability testing by cyber professionals and hobbyists, as well as malicious actors.

Immersive Labs’ Director of Cyber Threat Research, Kev Breen, recently uncovered a weakness in a tool dubbed the Open Source Social Network. This vulnerability would enable “arbitrary file read” – allowing an attacker to read any file in the system, whether permitted or not. There were a couple of obstacles to overcome during this process, which eventually involved writing a custom crypto cracking tool… but more on that later.

What is the Open Source Social Network?

The Open Source Social Network (OSSN) is pretty self-explanatory: it’s an open source social media platform that users host themselves. Reasonably easy to download and get running, it’s written in PHP, uses a MySQL backend, and has just shy of half a million downloads listed on its main site.


The scanner

The source code for OSSN is free to download either from the main site or from the OSSN GitHub. As it’s a PHP application, it’s relatively easy to read and keep track of what’s happening. That being said, there is a lot of code here. We ran a quick pass over it using an open source static code analyser to see if we could find any bugs.

The results

A progpilot (static PHP analyzer) scan only takes a couple of minutes to complete, so we immediately had some pretty interesting results. Check it out.

During this process we made an interesting discovery; we realised that Blowfish’s key expansion is not correctly implemented in PHP's OpenSSL extension. As detailed in this bug report, keys that are made up of less than 128 bits (16 bytes) are zero-padded but should use key cycling according to the algorithm's inventor. The PHP developers added a new constant, OPENSSL_DONT_ZERO_PAD_KEY, which instructs calls to openssl_encrypt() to use key cycling instead of zero-padding. The default implementation, however, still uses zero-padding and, at the time of writing, the constant is undocumented. OSSN contains its own key cycling function that is used to cycle a key up to 20 characters in length (so test1234 would become test1234test1234test).
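To make the two key-handling behaviours concrete, here is an added example (not code from this post, from OSSN, or from PHP) that models them in Python. Blowfish's key schedule consumes the key cyclically across the 18-word P-array, which is the cycling the post refers to; PHP's default instead zero-pads keys shorter than 16 bytes. Only the XOR phase of the schedule is modelled (the full cipher is not needed to show the mismatch), and the OSSN-style cycling helper is a reconstruction from the post's description, not OSSN's own function.

```python
# Added example: Blowfish key-schedule XOR phase vs PHP's zero-padding, plus
# OSSN-style key cycling to 20 characters (reconstructed from the post).

P_INIT = [  # Blowfish initial P-array (hex digits of pi), per the spec
    0x243F6A88, 0x85A308D3, 0x13198A2E, 0x03707344, 0xA4093822, 0x299F31D0,
    0x082EFA98, 0xEC4E6C89, 0x452821E6, 0x38D01377, 0xBE5466CF, 0x34E90C6C,
    0xC0AC29B7, 0xC97C50DD, 0x3F84D5B5, 0xB5470917, 0x9216D5D9, 0x8979FB1B,
]


def ossn_cycle_key(secret: str, length: int = 20) -> str:
    """Application-level cycling as the post describes it: repeat the secret
    until it is `length` characters long (test1234 -> test1234test1234test)."""
    if not secret:
        raise ValueError("empty secret")
    return (secret * (length // len(secret) + 1))[:length]


def php_zero_pad(key: bytes, key_len: int = 16) -> bytes:
    """Default openssl_encrypt() behaviour without OPENSSL_DONT_ZERO_PAD_KEY:
    a key shorter than the cipher's key length is padded with NUL bytes."""
    return key.ljust(key_len, b"\x00") if len(key) < key_len else key


def blowfish_p_xor(key: bytes) -> list:
    """XOR phase of the Blowfish key schedule: key bytes are consumed
    cyclically, four per P word, across all 18 words (72 bytes). A short key
    is therefore repeated, not padded, by the algorithm itself."""
    if not 1 <= len(key) <= 56:
        raise ValueError("Blowfish keys are 1..56 bytes")
    p = list(P_INIT)
    pos = 0
    for i in range(18):
        word = 0
        for _ in range(4):
            word = ((word << 8) | key[pos % len(key)]) & 0xFFFFFFFF
            pos += 1
        p[i] ^= word
    return p


def padding_changes_schedule(key: bytes) -> bool:
    """True when PHP's zero-padding feeds Blowfish different key material than
    cycling the same key would, i.e. the two produce different ciphertexts."""
    return blowfish_p_xor(php_zero_pad(key)) != blowfish_p_xor(key)
```

A cracking or interoperability tool must therefore reproduce exactly the padding or cycling the producing application used; a 16-byte or longer key is passed through unchanged and the question does not arise.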

Now, all that was left was to implement key cycling, decrypt the ciphertext block by block, and check the output for the known plaintext tmp/photos.
The C implementation performed an average of around 45,000 attempts per second, meaning it would take just over 13 hours to try every possible key. Cursory testing showed even faster speeds on higher-spec machines.

During the creation of this PoC, the OSSN developers released an update that changed their encryption process to use AES instead of Blowfish. We modified our PoC to create an AES version as well. Both can be found on GitHub.

Disclosure

Disclosing the vulnerability to Soft Lab 24, the company that develops OSSN, was a fairly smooth process. We reached out to their team via email, and they were quick to respond and push updates. After a few days of back and forth, we were unable to read any more files.

If you'd like to get hands on with this vulnerability in a safe, secure environment, log in to your Immersive Labs account and head over to Cyber Threat Intelligence.
