| Field | Value |
| --- | --- |
| Affected plugin | Breakdance |
| Active installs | Not available (commercial plugin) |
| Vulnerable version | <= 1.7.0 |
| Audited version | 1.7.0 |
| Fully patched version | Unpatched |
| Recommended remediation | See Miscellaneous |
| CVE | CVE-2024-31390 (Patchstack link) |
Description
The Breakdance page builder is vulnerable to remote code execution (RCE) in versions <= 1.7.0, which means that an attacker can run arbitrary code/system commands and take over the site/server.
To exploit this vulnerability, a user must have been granted “builder access” to Breakdance in the past. “Content-edit only” access is sufficient.
Breakdance has a dedicated Client Mode feature, which is commonly used to give non-technical end-users highly restricted access to the page builder.
If one of these accounts is compromised (or used maliciously), it can be used to achieve RCE.
Proof of concept
Technical details will not be released for at least a week.
Proposed patch
Technical details will not be published for at least a week.
Timeline
| Event | Date |
| --- | --- |
| Vendor contacted | February 09, 2024 (Snicco contacts Patchstack) |
| First response | February 10, 2024 (Patchstack validated the issue) |
| Fully patched at | Not patched |
| Breakdance leaked vulnerability details | April 2, 2024 |
| Publicly disclosed | April 3, 2024 |
Miscellaneous
The Breakdance team did not consider this a security vulnerability.
According to them, "Client Mode" was never intended to perform any sort of permission check; it only simplifies the visual editor for clients.
The documentation contains the following:
Do not grant “Edit Content” access to untrusted users, as a skilled user could escalate their privileges to a site admin.
https://breakdance.com/documentation/other/security/
Regardless, we (and Patchstack) strongly disagree with this assessment, as it is roughly analogous to WordPress Core saying something like:
“Contributors can now do everything an admin can. Instead of enforcing permissions, WordPress now just hides the sensitive admin menu links in the sidebar. Be sure to make only trusted users a contributor.”
This mindset goes against anything that access control is supposed to do.
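To make the distinction concrete, the following is an added illustration written for this page; it is not Breakdance code, and the plugin name, option name, user-meta key, AJAX actions and the `example_builder_client_mode` flag are all hypothetical. It contrasts a "client mode" that only hides a menu entry with a handler that enforces a capability on the request itself, which is what a restricted role must do to mean anything.

```php
<?php
// Added example (not Breakdance's code). Hypothetical plugin "example_builder".

// Pattern 1: "client mode" is purely cosmetic. The menu entry disappears for
// flagged users, but the privileged endpoint behind it stays reachable.
add_action('admin_menu', function () {
    $client_mode = get_user_meta(get_current_user_id(), 'example_builder_client_mode', true);
    if ($client_mode) {
        remove_menu_page('example-builder-settings'); // hides the link, nothing else
    }
});

add_action('wp_ajax_example_builder_save_settings', function () {
    // WEAK: any authenticated user can POST to admin-ajax.php with
    // action=example_builder_save_settings, hidden menu or not, and
    // rewrite a site-wide option. Hiding the UI is not access control.
    update_option('example_builder_settings', wp_unslash($_POST['settings'] ?? ''));
    wp_send_json_success();
});

// Pattern 2: the capability is checked on every privileged request, so it does
// not matter what the UI showed or whether the user ever had wider access.
function example_builder_can_edit_settings(): bool {
    // Tie the privileged action to a real capability; roles can then be granted
    // or revoked and the endpoint follows suit.
    return current_user_can('manage_options');
}

add_action('wp_ajax_example_builder_save_settings_hardened', function () {
    // CSRF protection: nonce issued with wp_create_nonce('example_builder_settings').
    check_ajax_referer('example_builder_settings', 'nonce');

    // Authorization: refuse unless the current user actually holds the capability.
    if (!example_builder_can_edit_settings()) {
        wp_send_json_error('insufficient permissions', 403);
    }

    // Input handling: only then touch the option, and only with sanitized data.
    $settings = sanitize_text_field(wp_unslash($_POST['settings'] ?? ''));
    update_option('example_builder_settings', $settings);
    wp_send_json_success();
});
```

The practitioner's check is the same for any builder or plugin that offers a "restricted" mode: find the AJAX or REST handlers the full editor uses and call them directly as the restricted user. If they respond without a `current_user_can()` (or `permission_callback`) denial, the restriction is cosmetic and every user who can reach the editor should be treated as an administrator.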
Agencies undoubtedly use this functionality to give builder access to non-admin users because they rightly reason that their clients cannot be trusted to keep an admin account secure (poor security hygiene, susceptibility to phishing, weak passwords, etc.), whereas content-only access sounds fine.
In fact, this functionality, as it’s currently standing, turns everyone into an admin.
If you can execute random code, you’re an admin.
It does not matter whether you trust your clients not to hack their own sites. They won't, but the attacker who compromises your customer's account will.
We hope the Breakdance team reconsiders their decision, especially given that the proposed patch is not too difficult to implement.