Remote Code Execution Vulnerability in Craft CMS, PoC Published

### #CraftCMSExploit #RCEvulnerability #PHPsecurity

Summary: A critical vulnerability (CVE-2024-56145) in Craft CMS allows unauthenticated remote code execution due to improper handling of command-line options in a web context. This flaw poses a significant risk to over 150,000 websites using the platform, necessitating immediate updates or mitigations.

Threat Actor: Unknown | Unknown
Victim: Craft CMS | Craft CMS

Key Points:

  • The vulnerability allows remote code execution (RCE) because of PHP's register_argc_argv configuration.
  • The bootstrap/bootstrap.php file processes command-line options without verifying that it is running in a CLI environment.
  • The ftp:// wrapper bypasses the file_exists security checks, allowing malicious template files to be loaded.
  • Proof-of-concept exploit code has been created and shared on GitHub.
  • The Craft CMS team released patches immediately and urges users to update to the latest versions.

Security researchers at Assetnote have disclosed a critical vulnerability (CVE-2024-56145) in Craft CMS, a widely-used PHP-based content management system. This flaw, assigned a CVSS score of 9.3, enables unauthenticated remote code execution (RCE) under specific configurations, posing a severe risk to affected installations.

The vulnerability exploits the behavior of the register_argc_argv configuration in PHP. By default, this setting allows query string arguments to populate the $_SERVER['argv'] array, mimicking command-line input. This behavior, while useful in some contexts, inadvertently enables malicious actors to pass options via the web that were intended solely for the CLI environment.

As Assetnote explains, “Critically, the Craft CMS official docker has register_argc_argv = On. This sets the stage for our bug.”

The flaw lies in the bootstrap/bootstrap.php file of Craft CMS, where command-line options are processed without verifying whether the code is running in a CLI environment. Attackers can exploit this oversight to manipulate paths like --templatesPath or --configPath, coercing the CMS into loading arbitrary files.

Leveraging this vulnerability for RCE required creative use of PHP’s file inclusion mechanisms. Researchers initially encountered barriers such as Craft CMS’s defensive file_exists checks, which block common methods like php://filter or HTTP file wrappers. However, they discovered that the ftp:// wrapper bypasses these checks when loading template files.
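The mechanism described in the preceding paragraphs (CLI options arriving through the query string via register_argc_argv, and the ftp:// wrapper used for template loading) can be hunted for in web server access logs. The following Python script is an added detection example, not code from the article or from Assetnote; the log lines, IP addresses and paths in it are constructed, and the set of option names is limited to the two the article mentions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Dec/2024:10:01:02 +0000] "GET /index.php?p=home HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Dec/2024:10:01:07 +0000] "GET /index.php?--templatesPath=ftp://198.51.100.7/tpl HTTP/1.1" 200 812 "-" "python-requests/2.32"
203.0.113.9 - - [20/Dec/2024:10:01:09 +0000] "GET /index.php?%2D%2DconfigPath%3D/tmp/x HTTP/1.1" 500 214 "-" "curl/8.4"
198.51.100.2 - - [20/Dec/2024:10:02:00 +0000] "GET /search?q=--help HTTP/1.1" 200 4001 "-" "Mozilla/5.0"
"""

# Craft CLI options named in the article; any other "--name" token is also reported.
CRAFT_OPTIONS = {"--templatespath", "--configpath"}
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def argv_from_query(query):
    # register_argc_argv splits the query string on '+' to build $_SERVER['argv'];
    # mirror that split, then decode each piece as well so percent-encoded
    # variants of the same option are still surfaced.
    return [unquote_plus(part) for part in query.split("+") if part]

def suspicious_argv(argv):
    reasons = []
    for token in argv:
        name = token.split("=", 1)[0].lower()
        if name in CRAFT_OPTIONS:
            reasons.append(f"craft-cli-option:{name}")
        elif name.startswith("--"):
            reasons.append(f"cli-style-option:{name}")
        if "ftp://" in token.lower():
            reasons.append("ftp-wrapper")
    return reasons

def scan_log(text):
    # Returns (client_ip, request_target, reasons) for each flagged request.
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        query = target.split("?", 1)[1] if "?" in target else ""
        reasons = suspicious_argv(argv_from_query(query))
        if reasons:
            findings.append((line.split()[0], target, reasons))
    return findings

if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, target, ", ".join(reasons))
```

A hit is a reason to check that the host runs a patched Craft version and that register_argc_argv is Off, not proof of compromise; an ordinary parameter whose value merely contains "--" (as in the last sample line) is not flagged.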

By hosting malicious Twig template files on a controlled FTP server, researchers were able to inject executable payloads into Craft CMS. A clever use of Twig’s sort filter allowed them to bypass Craft CMS’s built-in sandboxing mechanisms and execute system commands. For instance:

{{ ['system', 'id'] | sort('call_user_func') }}

This payload successfully called the system function, achieving remote code execution.

To simplify exploitation of CVE-2024-56145, security researcher Chocapikk created proof-of-concept (PoC) exploit code written in Python and shared it on GitHub.

Craft CMS powers over 150,000 websites, ranging from small businesses to large enterprises. Assetnote notes, “We found this technology to be prevalent across large enterprises and customers of our Attack Surface Management platform, warranting a thorough investigation.”

The Craft CMS team responded promptly, releasing patches within 24 hours of disclosure. Users are strongly urged to update to Craft CMS versions 5.5.2 or 4.13.2 and later. For those unable to upgrade, disabling register_argc_argv in php.ini offers a temporary mitigation:

register_argc_argv = Off

Source: https://securityonline.info/cve-2024-56145-remote-code-execution-vulnerability-in-craft-cms-poc-published