Client Mode Remote Code Execution – Breakdance <= 1.7.0 – CVE-2024-31390



Affected plugin: Breakdance
Active installs: Not available – Commercial
Vulnerable version: <= 1.7.0
Audited version: 1.7.0
Fully patched version: Unpatched
Recommended remediation: See Miscellaneous
CVE: CVE-2024-31390 (Patchstack link)

Description


The Breakdance page builder is vulnerable to remote code execution (RCE) in versions <= 1.7.0, which means that an attacker can run arbitrary code/system commands and take over the site/server.

To exploit this vulnerability, a user must have been granted “builder access” to Breakdance in the past. “Content-edit only” access is sufficient.

Breakdance has a dedicated Client Mode feature, which is commonly used to give non-technical end-users highly restricted access to the page builder.

If one of these accounts is compromised (or used maliciously), it can be used to achieve RCE.

Proof of concept


Technical details will not be released for at least a week.

Proposed patch


Technical details will not be published for at least a week.

Timeline


Vendor contacted: February 09, 2024 (Snicco contacts Patchstack)
First response: February 10, 2024 (Patchstack validated the issue)
Fully patched at: Not patched
Breakdance leaked vulnerability details: April 2, 2024
Publicly disclosed: April 3, 2024

Miscellaneous


The Breakdance team did not consider this a security vulnerability.

According to them, “Client Mode” was never intended to perform any sort of permission check, but rather only to simplify the visual editor for clients.

The documentation contains the following:

Do not grant “Edit Content” access to untrusted users, as a skilled user could escalate their privileges to a site admin.

https://breakdance.com/documentation/other/security/


Regardless, we (and Patchstack) strongly disagree with this assessment, as it is roughly analogous to WordPress Core saying something like:

“Contributors can now do everything an admin can. Instead of enforcing permissions, WordPress now just hides the sensitive admin menu links in the sidebar – be sure to make only trusted users a contributor.”

This mindset goes against anything that access control is supposed to do.
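To make the "hide versus enforce" distinction above concrete in WordPress terms, here is an added illustration written for this page. It is hypothetical plugin code, not Breakdance's, and it does not describe the mechanism of the withheld CVE-2024-31390 issue; the plugin name, route and option name are invented.

```php
<?php
// Added illustration for this advisory, not Breakdance's code.
// The "example" plugin, its route and its option name are invented.

// WEAK: the dangerous action is merely hidden from the UI. Removing a menu
// entry is cosmetic; the endpoint below still accepts requests from anyone
// who can reach the REST API, regardless of what they can see in the editor.
add_action( 'admin_menu', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        remove_menu_page( 'example-plugin-settings' ); // hides, does not protect
    }
}, 999 );

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_save_settings',
        'permission_callback' => '__return_true', // no access control at all
    ) );
} );

// HARDENED: the capability is enforced on the server for every request, so it
// no longer matters which menu items or editor panels a "client" role can see.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/settings-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_save_settings',
        'permission_callback' => function () {
            // Check the capability that matches the action's real impact
            // (changing site options), not the role the UI was designed for.
            return current_user_can( 'manage_options' );
        },
    ) );
} );

// Shared handler: with the weak route, a content-only user reaches this code;
// with the hardened route, WordPress rejects the request before it runs.
function example_save_settings( WP_REST_Request $request ) {
    $value = sanitize_text_field( (string) $request->get_param( 'value' ) );
    update_option( 'example_plugin_value', $value );
    return new WP_REST_Response( array( 'saved' => true ), 200 );
}
```

The same rule applies to any admin-ajax or form handler: every server-side action a restricted role is not meant to perform needs its own capability check, because UI restrictions are never seen by a request crafted outside the editor.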

Agencies undoubtedly use this functionality to give builder access to non-admin users, because they rightly reason that their clients can’t be trusted to keep an admin account secure (bad security hygiene, susceptibility to phishing, weak passwords, etc.), whereas content-only access sounds fine.

In fact, this functionality, as it currently stands, turns everyone into an admin.

If you can execute random code, you’re an admin.

It does not matter whether you trust your clients not to hack their own sites. They won’t, but the attacker who compromises one of your customers’ accounts will.

We hope the Breakdance team reconsiders their decision, especially given that the proposed patch is not too difficult to implement.


4 responses

  1. This is what Louis from Breakdance stated in an email, so maybe for the sake of us as clients both parties should come together and resolve this. Snicco and Patchstack also make a good point.


    Hello,

    We are writing to let you know that an invalid RCE vulnerability report for Breakdance is scheduled to be published today.

    This report is invalid, and the issue reported is not a real RCE vulnerability.

    You can learn more at: https://breakdance.com/preemptive-clarification-no-rce-vulnerability-in-upcoming-april-2-report/.

  2. Caleb Durant

    You never emailed them back.
