An Out-of-Date CMS is No Match for a Skilled Intruder
Web Attack
Scary things can happen if you don't keep your CMS up to date. We'll show you how an unpatched vulnerability can lead to privilege escalation and root access.
Pause for a moment and consider all the applications that are powering today's online services, and then step back to consider the attack surface that each one of them presents. In this article, I will look at how a security bug in an online application might allow an attacker to gain full access to the underlying Linux server running it. The prize, in this case, is that the attacker will acquire root access to the server.
The journey starts with a security bug in the application itself, which is an out-of-date version of the CMS Made Simple content management system (CMS). The bug allows an attacker, via a carefully crafted URL, to take advantage of a time-based SQL Injection (SQLi), which ultimately affects the database powering the application. The exploit doesn't even need a valid login.
The next step is to brute-force access to the underlying Linux system via SSH, before trying to achieve the final goal: becoming the superuser root, which allows an attacker to take over the system.
I should add that the vendor patched this security hole a long time ago, but users out in the wild have been known to keep old systems online for far too long, so this story is not so different from attacks that happen every day on poorly maintained systems.
The tools I will describe in this article can cause serious disruption to online services. Do not run these tools on systems that you do not own or have explicit permission to test against. See the box entitled "Shop Talk" for a description of my lab environment.
Shop Talk
A quick word about my lab, in case you want to replicate these steps in a setting similar to my own. I am using VirtualBox from Oracle, and I have created a virtual machine running an older Linux release, Ubuntu Linux 16.04.6. For the Linux Apache MySQL PHP (LAMP) installation, I have purposely installed the following software versions, so that I know that I can use a vulnerable version of the CMS application:
- Web server: apache2 2.4.18-2ubuntu3.10
- Dynamic scripting language: PHP 7.3.8-1+ubuntu16.04.1+deb.sury.org+1 (cli) (built: Aug 7 2019 09:51:47) (NTS)
- Database: mysql-client-5.7 5.7.27-0ubuntu0.16.04.1
To install specific package versions on Debian Linux derivatives like Ubuntu, append the version to the package name with an equals sign, as follows:
$ apt-get install apache2=2.4.29-1
The same syntax applies if you want the correct PHP packages. Look online [1] for an excellent write-up showing the steps to get LAMP running.
Once the packages are installed, run the usual secure install command with MySQL, as so:
$ mysql_secure_installation
Enter root password
To install PHP, I used the following commands and then restarted the web server, setting both Apache and MySQL to run after a reboot:
$ apt-get install php7.0 libapache2-mod-php7.0 php7.0-mysql
$ systemctl restart apache2
$ systemctl enable mysql
$ systemctl enable apache2
To see if PHP is working, I changed to the webroot directory /var/www/html and created a file called info.php with just this single line as its contents:
<?php phpinfo(); ?>
See Figure 1.
VirtualBox
The next step is to make sure networking is configured in VirtualBox. In addition to the NAT network interface that is normally set up for a virtual machine (VM) by default, I created a host-only network interface. The first step is to create a host-only network, called vboxnet, in order to set an IP address range that the VMs and the host can share without using port forwarding (Figure 2).
The host-only network will serve as a "global" network interface that all VMs can use (Figure 3). With VirtualBox running and the host-only network set up, the VM can now communicate directly with the host and vice versa.
Perfectly Simple
CMS Made Simple [2] is a respectable, full-featured CMS that suffered a security issue several years ago that has been patched in later versions. The developers of any PHP-driven product have my sympathies when it comes to security. PHP is a fantastic language and relatively easy to pick up, but, as with many dynamic server-side languages that are open to the scrutiny of online attacks, security needs to be at the forefront of all developers' minds.
To get a version of the CMS that contains the security bug and also get an understanding of how to install the application, visit the installation page [3]. You'll need to look for any version less than version 2.2.10 on the download page [4].
What's in a Name?
The vulnerability requires manipulating database input. In other words, this out-of-date version of the application is vulnerable to an attack based around a remote SQLi. As you can see in Figure 4 (from the National Vulnerability Database, NVD [5]), the security bug was registered as a Common Vulnerability and Exposure (CVE) and allocated the number CVE-2019-9053.
Look online for additional details about the CVE [6].
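A defender-side counterpart to the crafted-URL attack described above: the following script is an added example, not code from the article or from the CMS Made Simple project. It scans Apache access-log lines for the delay primitives that time-based SQLi probes depend on, undoing URL encoding and comment padding before matching, and then counts probes per client. The log lines are constructed samples, not real traffic.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache combined-log lines (not real traffic): two ordinary page views
# from one client and three delay probes from another, in plain, comment-padded
# and double-URL-encoded form.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Aug/2019:10:01:02 +0000] "GET /cms/index.php?page=news HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.77 - - [07/Aug/2019:10:01:05 +0000] "GET /cms/index.php?page=1'+and+sleep(5)--+ HTTP/1.1" 200 312 "-" "python-requests/2.22"
192.0.2.77 - - [07/Aug/2019:10:01:11 +0000] "GET /cms/index.php?page=1%27/**/and/**/benchmark%285000000%2Cmd5%281%29%29 HTTP/1.1" 200 312 "-" "python-requests/2.22"
192.0.2.77 - - [07/Aug/2019:10:01:18 +0000] "GET /cms/index.php?page=1%2527%2520and%2520sleep%25285%2529 HTTP/1.1" 200 312 "-" "python-requests/2.22"
192.0.2.10 - - [07/Aug/2019:10:02:00 +0000] "GET /cms/index.php?page=about HTTP/1.1" 200 4801 "-" "Mozilla/5.0"
"""

# Delay primitives used by time-based SQLi probes (MySQL sleep/benchmark,
# PostgreSQL pg_sleep, MSSQL waitfor delay); matched only after decoding.
DELAY_RE = re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b")
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+) [^"]*"')

def normalize(url: str) -> str:
    """Undo up to two layers of URL encoding, then fold /**/ padding and whitespace."""
    decoded = url
    for _ in range(2):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)
    return re.sub(r"\s+", " ", decoded).lower()

def scan_access_log(text: str) -> list:
    """One finding per request whose decoded URL carries a delay primitive."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = normalize(m.group("url"))
        hit = DELAY_RE.search(url)
        if hit:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "primitive": hit.group(0), "url": url})
    return findings

def suspects(findings: list, threshold: int = 2) -> dict:
    """Clients with at least `threshold` delay probes: candidates for review or blocking."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Point `scan_access_log()` at a real access log to get the findings, and feed them to `suspects()` to rank clients by probe count; the threshold is a tuning knob, not a verdict.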