Attacker Value
Moderate
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
High
Attack Vector
Network
1

CVE-2022-24734

Disclosure Date: March 09, 2022
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

MyBB is a free and open source forum software. In affected versions the Admin CP’s Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type php with PHP code, executed on on Change Settings pages. This results in a Remote Code Execution (RCE) vulnerability. The vulnerable module requires Admin CP access with the Can manage settings? permission. MyBB’s Settings module, which allows administrators to add, edit, and delete non-default settings, stores setting data in an options code string ($options_code; mybb_settings.optionscode database column) that identifies the setting type and its options, separated by a new line character (\n). In MyBB 1.2.0, support for setting type php was added, for which the remaining part of the options code is PHP code executed on Change Settings pages (reserved for plugins and internal use). MyBB 1.8.30 resolves this issue. There are no known workarounds.

Add Assessment

5
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Very High
Technical Analysis

This is an arbitrary code injection vulnerability caused by unsanitized user input in a call to the PHP eval() function.

...
else if($type[0] == "php")
{
    $setting['optionscode'] = substr($setting['optionscode'], 3);
    eval("\$setting_code = \"".$setting['optionscode']."\";");
}
...

To trigger the vulnerability and achieve remote command execution, an attacker will have to create a crafted configuration setting with the payload and send a second request to trigger the execution. A Metasploit module, based on the original PoC, is available.

Note that authentication to Admin CP is required for this exploit to work and the account must have rights to add or update settings. Also, since the user running PHP is usually a non-privileged user, the exploit won’t get you privileged access.

CVSS V3 Severity and Metrics
Base Score:
7.2 High
Impact Score:
5.9
Exploitability Score:
1.2
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
High
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • mybb

Products

  • mybb

Additional Info

Technical Analysis