Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CraftCMS FTP Template Exploit (CVE-2024-56145) #19772

Open
wants to merge 7 commits into
base: master
Choose a base branch
from
Open

CraftCMS FTP Template Exploit (CVE-2024-56145) #19772

wants to merge 7 commits into from
+496 −0

Conversation

jheysel-r7
Copy link
Contributor

@jheysel-r7 jheysel-r7 commented Dec 29, 2024
edited
Loading

Adds an exploit module for CVE-2024-56145 which is a RCE in version prior to 3.9.14, 4.13.2, and 5.5.2. The module sends a GET request which instructs the application to reach out to an attacker controlled FTP server to download a .twig (or .html) file which contains a malicious payload.

Verification Steps

  • Start msfconsole
  • use exploit/linux/http/craftcms_ftp_template
  • set rhosts <target-ip>
  • set rport <target-port>
  • set lhost <attacker-ip>
  • exploit

@jheysel-r7 jheysel-r7 mentioned this pull request Dec 29, 2024
Open
@jheysel-r7 jheysel-r7 linked an issue Dec 29, 2024 that may be closed by this pull request
Request for CVE-2024-56145: Craft CMS RCE #19759
Open
@Chocapikk
Copy link
Contributor

Hello @jheysel-r7,

I’ve opened a PR (jheysel-r7#5) into your branch with the following changes:

  1. Fixed the Exploit:

    • I solved the issue by telling the client that passive mode (EPSV) isn’t implemented. The client still tries RETR afterward, which simplifies the process.
    • Handling passive mode would have made things much harder.

  2. Refactored Code:

    • I made the logic easier to follow.

  3. Improved Documentation:

    • Added setup instructions, affected versions, and usage examples for better clarity.

Let me know if you have any feedback or further suggestions!

Best,
Chocapikk

@jheysel-r7
Copy link
Contributor Author

Hey @Chocapikk,

Thank you so much for digging into the issue and pushing a fix with documentation. Very much appreciated! I was just returning to work on this, perfect timing. I've pulled in your PR and made a couple minor changes.

I readded the slight hack for the SSL datastore option. If the target CraftCMS application uses SSL over HTTP and you have the SSL datastore option set to true, the same datastore option gets used when starting the FTP server unfortunately so we need to temporarily disable it when starting the FTP server.

There was a mix of normal if statements and ternary operators in the overridden FTP Server methods. I thought it would be best to stay consistent and although they take up more lines I find normal if statements slightly easier to follow.

@Chocapikk
Copy link
Contributor

Hi @jheysel-r7, you're welcome! No problem at all, and thank you as well for implementing the changes.

@jheysel-r7 jheysel-r7 marked this pull request as ready for review January 10, 2025 19:47
@jheysel-r7 jheysel-r7 changed the title WIP CraftCMS FTP Template exploit CraftCMS FTP Template Exploit (CVE-2024-56145) Jan 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Chocapikk Chocapikk Chocapikk left review comments

@wvu wvu wvu left review comments

@jvoisin jvoisin jvoisin left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
docs module
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Request for CVE-2024-56145: Craft CMS RCE
4 participants
@jheysel-r7 @Chocapikk @jvoisin @wvu