Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web—and beyond.
Craft 是一种灵活、用户友好的 CMS，用于在 Web 及其他方面创建自定义数字体验。

You have a ton of options when it comes to choosing a CMS. Craft is uniquely equipped to deliver high-quality, content-driven experiences to your clients and their audiences, in large part due to its blank-slate approach to content modeling.
在选择CMS时，您有很多选择。Craft 具有独特的能力，可以为您的客户及其受众提供高质量的内容驱动型体验，这在很大程度上要归功于其内容建模的白板方法。

We recently encountered a target running CraftCMS in an engagement, and discovered a Remote Code Execution vulnerability (CVE-2023-41892) that allowed us to compromise the target. While the patch is now available, all CraftCMS users are strongly encouraged to apply the additional mitigation at the end of this post to keep your instance secure.
我们最近在一次活动中遇到了一个运行 CraftCMS 的目标，并发现了一个远程代码执行漏洞 （CVE-2023-41892），该漏洞允许我们破坏目标。虽然该补丁现已可用，但强烈建议所有 CraftCMS 用户在本文末尾应用额外的缓解措施，以确保您的实例安全。

The vulnerability 漏洞

Like other content management systems, the pre-auth attack surface of CraftCMS is relatively limited. However, the \craft\controllers\ConditionsController class quickly got our attention because its beforeAction method seems to do something with object creation. 
与其他内容管理系统一样，CraftCMS的预身份验证攻击面相对有限。但是，该 \craft\controllers\ConditionsController 类很快引起了我们的注意，因为它 beforeAction 的方法似乎与对象创建有关。

public function beforeAction($action): bool
{
   $baseConfig = Json::decodeIfJson($this->request->getBodyParam('config'));
   $config = $this->request->getBodyParam($baseConfig['name']);
   $newRuleType = ArrayHelper::remove($config, 'new-rule-type');
   $conditionsService = Craft::$app->getConditions();
   $this->_condition = $conditionsService->createCondition($config);
   Craft::configure($this->_condition, $baseConfig);
...

   \yii\BaseYii::configure
        \yii\base\Component::__set
            \yii\BaseYii::createObject
                ...

After spending some time understanding the code, we confirmed that the endpoint gave us the ability to create an arbitrary object.
在花了一些时间理解代码后，我们确认端点使我们能够创建任意对象。

The codebase of CraftCMS and its dependencies contains several gadgets that can be used to escalate the object creation into something meaningful, like limitedly calling some methods:
CraftCMS的代码库及其依赖项包含几个小工具，可用于将对象创建升级为有意义的内容，例如有限地调用某些方法：

\GuzzleHttp\Psr7\FnStream

public function __destruct()
{
   if (isset($this->_fn_close)) {
       call_user_func($this->_fn_close);
   }
}

 Or including arbitrary files:
或包含任意文件：

\yii\base\BaseObject::__construct
    \yii\rbac\PhpManager::init
        \yii\rbac\PhpManager::load
            \yii\rbac\PhpManager::loadFromFile

protected function loadFromFile($file)
{
   if (is_file($file)) {
       return require $file;
   }


   return [];
}

The latter seemed to be a quick win for us, as we could inject some PHP code into the CraftCMS’s log file and then include it, just like in a CTF challenge (and we can even use the @storage variable to locate the log file in case it is placed somewhere other than the default location, which makes the exploit easier). 
后者对我们来说似乎是一个快速的胜利，因为我们可以将一些PHP代码注入到CraftCMS的日志文件中，然后将其包含在内，就像在CTF挑战中一样（我们甚至可以使用该 @storage 变量来定位日志文件，以防它被放置在默认位置以外的其他位置，这使得漏洞利用更容易）。

Unfortunately, in the case of our target, no log files are available on the server. We could leverage a PHP behavior to create temporary files, but we didn’t know the exact filename to include (the FindFirstFile / < trick could not be applied here since we were dealing with a Linux server). On the other hand, including a remote file was also not possible.
不幸的是，对于我们的目标，服务器上没有可用的日志文件。我们可以利用 PHP 行为来创建临时文件，但我们不知道要包含的确切文件名（ FindFirstFile / < 技巧不能在这里应用，因为我们正在处理 Linux 服务器）。另一方面，也不可能包含远程文件。

That’s when we remembered an excellent research from Arseniy Sharoglazov, because the described vulnerability is identical to what we were working on. In his post, Arseniy revealed that creating an Imagick object with the VID scheme would result in an arbitrary file write, and the beauty of the VID scheme is its ability to reference a file without knowing the filename. That’s all we needed.
就在那时，我们想起了Arseniy Sharoglazov的一项出色研究，因为所描述的漏洞与我们所做的相同。Arseniy 在他的帖子中透露，使用该方案创建一个 Imagick 对象会导致任意文件写入， VID 该方案 VID 的美妙之处在于它能够在不知道文件名的情况下引用文件。这就是我们所需要的。

The rest of the work was straightforward, and after some testing, we got an exploit that worked perfectly on the target environment and achieved RCE.
其余的工作很简单，经过一些测试，我们得到了一个在目标环境中完美运行的漏洞，并实现了RCE。

Recommendations 建议

Besides applying the patch, we highly recommend all CraftCMS users to rotate the CRAFT_SECURITY_KEY immediately. We have confirmed that knowing the key will lead to an unauthenticated RCE on a widely used CraftCMS plugin, and there may be more.
除了应用补丁外，我们强烈建议所有CraftCMS用户 CRAFT_SECURITY_KEY 立即轮换补丁。我们已经确认，知道密钥将导致广泛使用的 CraftCMS 插件上出现未经身份验证的 RCE，并且可能还有更多。