id: CVE-2024-56145

info:
  name: Craft CMS - Remote Code Execution via Template Path Manipulation
  author: jackhax
  severity: critical
  description: |
    This template identifies a critical Remote Code Execution (RCE) vulnerability in Craft CMS, identified as GHSA-2p6p-9rc9-62j9. The vulnerability exists due to improper handling of the `--templatesPath` query parameter, allowing attackers to execute arbitrary code by referencing malicious Twig templates.
  impact: |
    Successful exploitation of this vulnerability could allow an unauthenticated attacker to perform remote code execution.
  remediation: |
    Upgrade CraftCMS to either >5.5.2 or >4.13.2 or >3.9.14. Or, if you can't upgrade yet and register_argc_argv is enabled, you can disable it to mitigate the issue.
  reference:
    - https://github.com/advisories/GHSA-2p6p-9rc9-62j9
    - https://www.assetnote.io/resources/research/how-an-obscure-php-footgun-led-to-rce-in-craft-cms
    - https://github.com/Chocapikk/CVE-2024-56145
    - https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3
    - https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
    cvss-score: 9.3
    cve-id: CVE-2024-56145
    cwe-id: CWE-94
    epss-score: 0.93926
    epss-percentile: 0.99887
    cpe: cpe:2.3:a:craftcms:craft:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: craftcms
    product: cms
    shodan-query:
      - http.html:"craftcms"
      - http.favicon.hash:"-47932290"
    fofa-query:
      - icon_hash=-47932290
      - body=craftcms
    publicwww-query: craftcms
  tags: cve,cve2024,rce,craftcms,ssti,kev,vkev,vuln

variables:
  nonce: "{{rand_int(1000000000,9999999999)}}"

http:
  - raw:
      - |
        GET ?--configPath=/nuclei_test/{{nonce}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{{nonce}}'
          - 'mkdir()'
          - 'Permission denied'
          - 'No such file or directory'
        condition: and

      - type: status
        status:
          - 503
# digest: 4a0a00473045022100ec5fd60f23b7ee9cffa19444bcdb6ab570a4615da047440f2787713a070e16dc0220086636c4357f49208c77fbd4671072c1b4c73a039863e9dcf3006389e28994c1:922c64590222798bb761d5b6d8e72950
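A defender-side complement to the matcher above, added here as an example (it is not part of the nuclei template or of the Craft CMS project): it scans web-server access-log lines for the argv-style query strings (`?--configPath=`, `?--templatesPath=`) that this check sends, which is exactly what register_argc_argv turns into CLI arguments for the PHP process. The combined-log format, the sample lines and the option names flagged are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines (combined log format); not from the original page.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "GET /?--configPath=/nuclei_test/4213457890 HTTP/1.1" 503 1832 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2025:10:00:02 +0000] "GET /index.php?--templatesPath=/tmp/x HTTP/1.1" 200 5120 "-" "curl/8.4.0"
198.51.100.4 - - [10/Jan/2025:10:00:03 +0000] "GET /?p=products HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2025:10:00:04 +0000] "GET /admin/login?redirect=--foo HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# ip, timestamp, method, request target and status from a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A query string that *starts* with "--name" looks like a CLI long option rather than
# a key=value web parameter. With register_argc_argv enabled, PHP copies the query
# string into $_SERVER['argv'], which is how such an option reaches the application.
ARGV_OPTION_RE = re.compile(r'^--[A-Za-z][\w-]*')


def is_argv_style_query(target):
    """True if the request target's query string begins with an argv-style option."""
    return bool(ARGV_OPTION_RE.match(urlsplit(target).query))


def scan_access_log(text):
    """Return one finding per request whose query string is argv-style.

    A 503 response to such a request matches the failure signature the template above
    keys on (mkdir()/Permission denied), so status is carried along for triage.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_argv_style_query(m['target']):
            continue
        query = urlsplit(m['target']).query
        option = query[2:].split('=', 1)[0].split('&', 1)[0]  # "--configPath=..." -> "configPath"
        findings.append({'ip': m['ip'], 'ts': m['ts'], 'option': option,
                         'status': int(m['status'])})
    return findings


if __name__ == '__main__':
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} probed --{f['option']} (status {f['status']})")
```

Only a leading `--` is flagged, so an ordinary parameter whose value happens to contain `--` (the `redirect=--foo` line) is not reported.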