A Ghost Tale

Back in January, two other guys and I tested Ghost CMS, doing a Web Application PT and a code review.
I won't talk here about the whole test; I'll focus on my findings and try to explain what led me to discover them.
You can download the whole report here.

For my findings I got the following CVEs:

CVE-2015-1408 - Privilege Reduction

CVE-2015-1409 - Privilege Bypass

CVE-2015-1410 - Article author spoofing

CVE-2015-1411 - Unsafe token storage

But I'll talk only about the first three, mainly because they are the most interesting ones.

CVE-2015-1408 Privilege Reduction

In Ghost CMS there are four different kinds of users:

  • Owner
  • Administrator
  • Editor
  • Author

The vulnerability allows any user in one of the above categories to remove one or more levels of authorization from any other user; for example, an Author was able to downgrade an Administrator to the Author, or Moderator, role.

As you can see from the image above, when a user updates his own profile he passes several parameters via a PUT request, including his own Role and GroupID. Some checks are made if we try to increase those parameters, but no checks are made if, instead, we try to reduce them.

In short, if we pass the role check, the other parameters are accepted and saved to the profile. That means that our privilege reduction can easily lead to a privilege escalation.
Suppose, for example, that we are an Author user and we want to gain administrative privileges. We can reduce the privileges of the Owner account, making him an Administrator, and, in the same request, change his email address to one of our own. Then we simply use the "Password Forgot" feature to reset his password, et voilà.
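
A minimal model of the role check described above next to a hardened version, as an added example (not Ghost's code and not taken from the report). The numeric ranks, field names, user objects and the "no self-service role change" rule are assumptions.

```javascript
// Role names come from the post; everything else here is assumed.
const RANK = { Author: 1, Editor: 2, Administrator: 3, Owner: 4 };

// Model of the flawed logic: only an *increase* of the target's role is
// checked, so a downgrade (and every other field in the request) passes.
function flawedCheck(actor, target, patch) {
  if (patch.role && RANK[patch.role] > RANK[target.role]) {
    return RANK[actor.role] >= RANK[patch.role];
  }
  return true;
}

// Hardened check: the decision depends on who is acting on whom,
// not on the direction of the change.
function hardenedCheck(actor, target, patch) {
  const self = actor.id === target.id;
  const outranksTarget = RANK[actor.role] > RANK[target.role];

  // Only the account holder or a strictly higher-ranked user may edit a profile.
  if (!self && !outranksTarget) return false;

  if (patch.role !== undefined && patch.role !== target.role) {
    if (!(patch.role in RANK)) return false;                 // unknown role name
    if (self) return false;                                  // assumed policy: no self-service role change
    if (RANK[actor.role] <= RANK[patch.role]) return false;  // cannot grant own rank or above
  }
  return true;
}

// Constructed sample data.
const author = { id: 7, role: 'Author' };
const admin = { id: 3, role: 'Administrator' };
const owner = { id: 1, role: 'Owner' };
const downgrade = { role: 'Administrator', email: 'changed@example.test' };

function demo() {
  return {
    flawedAuthorOnOwner: flawedCheck(author, owner, downgrade),
    hardenedAuthorOnOwner: hardenedCheck(author, owner, downgrade),
    hardenedOwnEmail: hardenedCheck(author, author, { email: 'me@example.test' }),
    hardenedSelfPromote: hardenedCheck(author, author, { role: 'Owner' }),
    hardenedOwnerDemotesAdmin: hardenedCheck(owner, admin, { role: 'Editor' }),
  };
}

console.log(demo());
```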

CVE-2015-1409 Privilege Bypass

Like any CMS, Ghost allows users to create and save drafts of their posts before publishing or editing them.
The issue here is pretty simple: the user can make a GET request to view all his previously saved drafts, specifying his username in the request, but no check is made if this parameter is changed. An Author can then read all drafts saved by an Owner, for example.

After some discussion with the Ghost CMS contact, they decided not to fix this vulnerability.

CVE-2015-1410 Article author spoofing

This may be the most interesting vulnerability among my findings, lemme explain.
At some point in my research I started looking at how a post is saved into the CMS, mainly to search for XSS; what I found is that, similar to the first vulnerability, all details of the post are passed through a PUT request.

As you can see, we can edit the ID of who created the post, who is the author of the post, who published it, and a lot of other less interesting stuff. Since no check was made to verify that those parameters are set for the right user, we can publish an article under the name of someone else's account. But that's just half of the fun!
Indeed, if I publish a post in the name of the Owner, he will gain all the rights on that post, including the possibility to delete it. But as written above, we have several interesting parameters to play with: what if, for example, we set the Owner as the publisher of a post but set as author of the very same post another user, maybe a non-existing user?
Yes, the post will be published, and the blog's readers will see it as if the Owner wrote and published it, but since we set a non-existing user as author, this non-existing user is the real owner of the blog post, so only he is able to delete/edit the post. Funny eh?

I would like to spend a couple of words on the disclosure process for this vulnerability. First of all, let me say thanks to Hannah from the Ghost team, who handled the issue very professionally and updated me often with all the details, in some cases asking for advice.
I sent the report to the Ghost team on January 26 and I got in contact with Hannah the very next day. The disclosure policy gave them 30 days, but on February 24 they said they would still need a couple of days to push the fixes, which I gave them, and as promised, on March 2 they published version 0.5.9, which contains fixes for some of our vulnerabilities.
In short, great team!

If you find it interesting you may want to follow me on Twitter for updates, etc.