{"id":58248,"date":"2024-07-17T21:31:15","date_gmt":"2024-07-17T18:31:15","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/179586\/KIS-2024-06.txt"},"modified":"2024-07-17T21:31:15","modified_gmt":"2024-07-17T18:31:15","slug":"xenforo-2-2-15-remote-code-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/xenforo-2-2-15-remote-code-execution\/","title":{"rendered":"Xenforo 2.2.15 Remote Code Execution"},"content":{"rendered":"<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;<br \/>XenForo &lt;= 2.2.15 (Template System) Remote Code Execution Vulnerability<br \/>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;<\/p>\n<p>[-] Software Link:<\/p>\n<p>https:\/\/xenforo.com<\/p>\n<p>[-] Affected Versions:<\/p>\n<p>Version 2.2.15 and prior versions.<\/p>\n<p>[-] Vulnerability Description:<\/p>\n<p>XenForo implements a template system which gives complete control over<br \/>the layout of XenForo pages. Through these templates, it might be<br \/>possible to call certain &#8220;callback methods&#8221;, however there is a sort<br \/>of &#8220;sandbox&#8221; which allows to solely call read-only methods: a method<br \/>is to be considered read-only when it begins with one of the allowed<br \/>prefixes, such as &#8220;get&#8221; or &#8220;filter&#8221;. Malicious users might be able to<br \/>bypass this &#8220;sandbox&#8221; by abusing the getRepository() method from the<br \/>XF\\Mvc\\Entity\\Manager class in order to get an instance object of the<br \/>XF\\Util\\Arr class, and from there they can abuse its filterRecursive()<br \/>static method in order to execute arbitrary callbacks or functions<br \/>(internally, this method calls the array_filter() PHP function with an<br \/>attacker-controlled &#8220;callback&#8221; parameter). As such, this can be<br \/>exploited to e.g. execute arbitrary OS commands by using a payload<br \/>like the following within a template, which will try to execute the<br \/>passthru() PHP function passing to it the string &#8220;whoami&#8221; as argument,<br \/>potentially resulting in the execution of the &#8220;whoami&#8221; command on the<br \/>web server:<\/p>\n<p>{{ $xf.app.em.getRepository(&#8216;XF\\Util\\Arr&#8217;).filterRecursive([&#8216;whoami&#8217;],&#8217;passthru&#8217;)<br \/>}}<\/p>\n<p>Successful exploitation of this vulnerability requires an account with<br \/>permissions to administer styles or widgets.<\/p>\n<p>[-] Solution:<\/p>\n<p>Update to a fixed version or apply the vendor patches.<\/p>\n<p>[-] Disclosure Timeline:<\/p>\n<p>[22\/02\/2024] &#8211; Vulnerability details sent to SSD Secure Disclosure<br \/>[05\/06\/2024] &#8211; Vendor released patches and fixed versions<br \/>[14\/06\/2024] &#8211; CVE identifier requested<br \/>[16\/06\/2024] &#8211; CVE identifier assigned<br \/>[16\/07\/2024] &#8211; Coordinated public disclosure<\/p>\n<p>[-] CVE Reference:<\/p>\n<p>The Common Vulnerabilities and Exposures project (cve.mitre.org) has<br \/>assigned the name CVE-2024-38458 to this vulnerability.<\/p>\n<p>[-] Credits:<\/p>\n<p>Vulnerability discovered by Egidio Romano.<\/p>\n<p>[-] Other References:<\/p>\n<p>https:\/\/xenforo.com\/community\/threads\/222133<br \/>https:\/\/ssd-disclosure.com\/ssd-advisory-xenforo-rce-via-csrf\/<\/p>\n<p>[-] Original Advisory:<\/p>\n<p>http:\/\/karmainsecurity.com\/KIS-2024-06<\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;XenForo &lt;= 2.2.15 (Template System) Remote Code Execution Vulnerability&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211; [-] Software Link: https:\/\/xenforo.com [-] Affected Versions: Version 2.2.15 and prior versions. [-] Vulnerability Description: XenForo implements a template system which gives complete control overthe layout of XenForo pages. Through these templates, it might bepossible to call certain &#8220;callback methods&#8221;, however there is a sortof &#8220;sandbox&#8221; &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-58248","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/58248","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=58248"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/58248\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=58248"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=58248"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=58248"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}