Umbraco CMS TemplateService Remote Code Execution

MWR Labs have discovered a vulnerability in Umbraco CMS, which would allow an unauthenticated attacker to execute arbitrary ASP.Net code on the affected server. The vulnerability exists in the TemplateService component, which is exposed by default via a SOAP-based web service.

The vulnerability is caused by the update() function not checking that the user has authenticated before processing the request. The update() function allows a user to update the contents of templates for the CMS. This vulnerability can be exploited by sending a specially crafted SOAP request to the TemplateService component, updating a CMS template to contain malicious ASP.Net code.

It should be noted that this vulnerability affects instances of Umbraco CMS even when the web services interface is not explicitly enabled.

Package Name: Umbraco CMS
Date: 2013-11-29
Affected Versions: All versions prior to 6.0.4
CVE Reference: CVE-2013-4793
Authors: MWR Labs
Severity: High Risk
Local/Remote: Remote
Vulnerability Class: Remote Code Execution
Vendor: Umbraco
Vendor Response: Fix Released

Vulnerable Code

The vulnerable code from the TemplateService class (src/umbraco.webservices/templates/templateService.cs) is shown below:

[WebMethod]
public void update(templateCarrier carrier, string username, string password)
{
    // No authentication check is performed on username/password before
    // the request is processed; this is the defect described above.
    ...
    cms.businesslogic.template.Template template;
    try
    {
        // The template is looked up by the caller-supplied Id.
        template = new cms.businesslogic.template.Template(carrier.Id);
    }
    ...
    // The caller-supplied template markup is stored and persisted
    // without any check that the caller is an authenticated user.
    template.Design = carrier.Design;
    template.Save();
}

Interim Workaround

The vendor recommends deleting umbraco.webservices.dll, which is the library responsible for processing web services requests.

Solution

The vendor has released a fix for this issue, which removes the web services component completely.

If it is not possible to apply this fix, MWR propose adding a call to the Authenticate() function at the start of the TemplateService update() function. It should be noted that this is not an approved fix by the vendor, and care should be taken to ensure that this does not affect the operation of the application.
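As an added illustration of the interim mitigation proposed above, not code from the vendor or from MWR, the update() method is shown with the authentication check placed before any template access. It assumes that TemplateService derives from a base web service class (named BaseWebService here, an assumption) which provides an Authenticate(username, password) method that throws when the supplied credentials are not valid for an Umbraco user; that name and that throwing behaviour are assumptions, not taken from the advisory.

```csharp
using System;
using System.Web.Services;

// Added example, not the vendor's or MWR's code.
// Assumed: BaseWebService exposes Authenticate(string, string), which throws
// (and so fails the SOAP request) when the credentials are not valid.
public class TemplateService : BaseWebService
{
    [WebMethod]
    public void update(templateCarrier carrier, string username, string password)
    {
        // Mitigation from the advisory: authenticate before doing any work.
        // Because Authenticate() is assumed to throw on bad credentials,
        // nothing below this line runs for an unauthenticated caller.
        Authenticate(username, password);

        if (carrier == null)
        {
            throw new ArgumentNullException("carrier");
        }

        cms.businesslogic.template.Template template;
        try
        {
            template = new cms.businesslogic.template.Template(carrier.Id);
        }
        catch (Exception ex)
        {
            // Fail closed: an unknown template Id must not result in any write.
            throw new ArgumentException("Template with Id " + carrier.Id + " not found", ex);
        }

        // Only an authenticated caller reaches the write.
        template.Design = carrier.Design;
        template.Save();
    }
}
```

The important property is ordering: the Authenticate() call must precede the Template constructor, since that is the first line that touches application state on behalf of the caller. Where the vendor fix can be applied, removing the web services component (or deleting umbraco.webservices.dll as an interim measure) is preferable to patching the method, because it removes the unauthenticated attack surface entirely rather than guarding one method.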