Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Request for CVE-2024-56145: Craft CMS RCE #19759

Open
Chocapikk opened this issue Dec 20, 2024 · 5 comments · May be fixed by #19772
Open

Request for CVE-2024-56145: Craft CMS RCE #19759

Chocapikk opened this issue Dec 20, 2024 · 5 comments · May be fixed by #19772
Assignees
@jheysel-r7
Labels
suggestion-module New module suggestions

Comments

@Chocapikk
Copy link
Contributor

Summary
This issue concerns a vulnerability in Craft CMS (CVE-2024-56145) discovered by Assetnote, allowing Remote Code Execution (RCE).

Basic example

I attempted to create a Metasploit module for this vulnerability but encountered difficulties simulating an FTP server using sockets to deliver the malicious payload. A fully functional Python implementation of the exploit, along with lab setup instructions, can be found here: https://github.com/Chocapikk/CVE-2024-56145 .

For more details about the vulnerability, refer to Assetnote’s blog post: https://www.assetnote.io/resources/research/how-an-obscure-php-footgun-led-to-rce-in-craft-cms

Motivation

It's cool :)

cc: @stephenfewer @jheysel-r7 @h00die-gr3y @h00die
@Chocapikk Chocapikk added the suggestion-module New module suggestions label Dec 20, 2024
@Chocapikk
Copy link
Contributor Author

Just an update, for information. The PoC has been modified, by putting a payload in index.html works too. And don't rely on the http status code for the check. There can be 200 as well as 503 (or any 50x)

Hoping someone wants to work on this vulnerability :)

@jheysel-r7 jheysel-r7 self-assigned this Dec 24, 2024
@jheysel-r7
Copy link
Contributor

Hey @Chocapikk, thanks for the module suggestion! This does look like a cool exploit. Great PoC, I'll start taking a look and let you know how it goes.

@jheysel-r7 jheysel-r7 moved this to In Progress in Metasploit Kanban Dec 24, 2024
@h00die-gr3y
Copy link
Contributor

h00die-gr3y commented Dec 24, 2024
edited
Loading

@Chocapikk and @jheysel-r7,
For your inspiration, there is a Ruby FTP server library from Wayne Conrad that might help to overcome the challenges @Chocapikk mentioned in simulating a FTP server.
You might want to check this out before building your own code.

@Chocapikk
Copy link
Contributor Author

@Chocapikk and @jheysel-r7, For your inspiration, there is a Ruby FTP server library from Wayne Conrad that might help to overcome the challenges @Chocapikk mentioned in simulating a FTP server. You might want to check this out before building your own code.

Ohhh okay thanks @h00die-gr3y! Actually I didn't know exactly if I could import other modules than those already available on metasploit that's why I had an issue making this module.

@jheysel-r7
Copy link
Contributor

Hey @h00die-gr3y, thanks for the heads up. I tried implementing the FTP Server using what we already have in metasploit and posted my findings in the drafted PR: #19772

If simulating the FTP server doesn't end up working out using the Ruby FTP server library from Wayne Conrad seems like it would simplify things greatly. Much appreciated!

@jheysel-r7 jheysel-r7 linked a pull request Dec 29, 2024 that will close this issue
WIP CraftCMS FTP Template exploit #19772
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jheysel-r7 jheysel-r7

Labels
suggestion-module New module suggestions
Projects
Metasploit Kanban
Status: In Progress
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

WIP CraftCMS FTP Template exploit jheysel-r7/metasploit-framework
3 participants
@jheysel-r7 @h00die-gr3y @Chocapikk