CVE-2014-8684
Published 2017-09-19
Priority: P2 · 73 · critical 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: public exploit available (see the Exploit-DB and Metasploit entries below)
EPSS: 71.52% (99.3rd percentile)
CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes.
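The root cause named in the description, worked through as an added example in Python (this is not CodeIgniter or Kohana code): when a session cookie's hash is validated with an ordinary early-exit string comparison, each query tells the attacker how many leading bytes of the guessed hash were right, so the hash for an attacker-chosen serialized payload can be recovered in at most 256 times the hash length queries instead of a brute-force search; a constant-time comparison removes the oracle. The cookie layout (base64 payload, ".", base64 HMAC), the server key and the "ExampleGadget" payload are constructed for the example, and the oracle is exposed directly as a byte count rather than inferred from response timing, which is noisier but carries the same information.

```python
"""Added example: forging a session cookie through an early-exit hash check,
and the constant-time fix. Not code from CodeIgniter, Kohana or the exploit."""
import base64
import hashlib
import hmac

SERVER_KEY = b"constructed-example-key"  # constructed; not any product's real key
MAC_LEN = hashlib.sha1().digest_size      # 20 bytes


def tag(payload: bytes) -> bytes:
    """Server-side MAC over the serialized session data."""
    return hmac.new(SERVER_KEY, payload, hashlib.sha1).digest()


def early_exit_equal(a: bytes, b: bytes):
    """Models an ordinary '==' on strings: stops at the first mismatching byte.
    Returns (equal, bytes_examined); bytes_examined is the side channel."""
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i + 1
    return True, len(a)


def constant_time_equal(a: bytes, b: bytes):
    """Examines every byte no matter where the first mismatch is, so the
    examined count (and the timing) carries no information. hmac.compare_digest
    is the stdlib equivalent; spelled out here to keep the count visible."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


def encode_cookie(payload: bytes, mac: bytes) -> bytes:
    """Cookie layout used by this example: base64(payload).base64(mac)."""
    return base64.b64encode(payload) + b"." + base64.b64encode(mac)


def make_verifier(compare):
    """Server-side cookie check, parameterised on the comparison routine."""
    def verify(cookie: bytes):
        payload_b64, _, mac_b64 = cookie.rpartition(b".")
        payload = base64.b64decode(payload_b64)
        return compare(base64.b64decode(mac_b64), tag(payload))
    return verify


vulnerable_verify = make_verifier(early_exit_equal)   # what the CVE describes
hardened_verify = make_verifier(constant_time_equal)  # the fix


def forge(payload: bytes, verify):
    """Attacker side: recover the MAC for a chosen payload one byte at a time,
    using only (accepted, bytes_examined) from the verifier. Against the
    early-exit check this needs at most 256 * MAC_LEN queries instead of 2**160.
    Returns (cookie, number_of_queries)."""
    guess = bytearray(MAC_LEN)
    queries = 0
    for pos in range(MAC_LEN):
        for candidate in range(256):
            guess[pos] = candidate
            ok, examined = verify(encode_cookie(payload, bytes(guess)))
            queries += 1
            if ok or examined > pos + 1:
                break  # the comparison got past pos, so this byte is right
    return encode_cookie(payload, bytes(guess)), queries


# Constructed attacker payload: a PHP-serialized array that smuggles an object,
# which unserialize() would instantiate. "ExampleGadget" is a placeholder class
# name for illustration, not a real gadget.
ATTACKER_PAYLOAD = (b'a:1:{s:4:"user";O:13:"ExampleGadget":1:'
                    b'{s:4:"file";s:10:"/tmp/x.php";}}')


def demo():
    """Returns (accepted_by_vulnerable, queries, accepted_by_hardened)."""
    forged, queries = forge(ATTACKER_PAYLOAD, vulnerable_verify)
    attempt, _ = forge(ATTACKER_PAYLOAD, hardened_verify)
    return vulnerable_verify(forged)[0], queries, hardened_verify(attempt)[0]


if __name__ == "__main__":
    print(demo())
```

Against `hardened_verify` the attacker's loop still runs, but every query reports the full length, so it learns nothing and the resulting cookie is rejected. The point for a reviewer is that the payload is entirely attacker-chosen: once the hash check passes, whatever the framework does next with the data (here, PHP's unserialize) runs on attacker input, which is where the object injection comes from.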
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| codeigniter | codeigniter | <= 2.2.6 | 3.0.0 |
| codeigniter | framework | >= 0 < 3.0.0 | 3.0.0 |
| kohana | core | >= 0 < 3.3.3 | 3.3.3 |
| kohanaframework | kohana | <= 3.2.3 | — |
| kohanaframework | kohana | >= 3.3.0 <= 3.3.2 | — |
Detection & IOCs (extracted from sources)
- Fingerprint candidate targets from HTTP responses: the combination of 'X-Powered-By: PHP/5.2.13' and 'Server: lighttpd/1.4.28' headers with a body containing 'Login to BlackArmor' identifies the Seagate NAS build the public exploit was written against.
- Monitor requests to the login page carrying a 'ci_session' cookie whose decoded/decrypted PHP-serialized session array has a 'language' value containing path traversal sequences ('../') and a null byte. This is the LFI step; the cookie must be decrypted before the value is visible.
- Alert on POST requests to the login page that carry a 'ci_session' cookie together with a body parameter whose value is a base64-encoded PHP payload. This is the stager execution step of the exploit.
- Detect POST requests to '/index.php/mv_system/set_general_setup' whose 'general_setup' parameter contains XML with embedded PHP eval/base64_decode calls. This is the attacker writing a stager to disk through the device description field.
- The public exploit uses a known static XOR key ('0f0a000d02011f0248000d290d0b0b0e03010e07') to decrypt and re-encrypt CodeIgniter session cookies. A 'ci_session' cookie that decrypts cleanly under this key to a modified session object, or tooling that embeds the key, indicates exploitation of CVE-2014-8684/CVE-2014-8687 against a device still using the default key.
- The exploit targets a specific Seagate Business NAS device (STBN300) running PHP/5.2.13 and lighttpd/1.4.28. The static XOR key and cookie name ('ci_session') are hardcoded defaults for this device; other CodeIgniter deployments may use different keys, so the key-based indicator does not transfer to them.
- The vulnerability is exploitable without authentication because the language file is included on the login page, before any user session is established.
- The CVE also affects CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2, not just Seagate NAS devices. The root cause is comparing the session cookie's hash with standard string comparison operators (an early-exit, non-constant-time check) rather than a constant-time comparison: this lets a remote attacker forge a cookie that passes validation, and the forged serialized data is then unserialized, which is the PHP object injection.
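The request-side indicators above, applied to constructed sample requests as an added example in Python (this is not code from the page's sources or from the Metasploit module). It assumes requests arrive pre-parsed (method, path, cookies, form body) and that the 'ci_session' cookie has already been decrypted, so the PHP-serialized session array is visible; the static-key decryption step itself is not reproduced. The login page paths, the sample cookie, the payloads and the request records are assumptions or constructed samples, not captured traffic.

```python
"""Added example: the detection heuristics for this exploit chain run over a
few constructed requests. Not code from the page's sources or Metasploit."""
import base64
import re
from urllib.parse import parse_qs, quote

PHP_STR = re.compile(rb's:(\d+):"')
SETUP_PATH = "/index.php/mv_system/set_general_setup"  # from the indicators
LOGIN_PATHS = ("/", "/index.php")                      # assumption


def php_strings(blob: bytes) -> list:
    """Every length-prefixed string in a PHP-serialized blob, in order.
    Honouring the declared length is what lets a value holding a NUL byte
    or a quote be read intact, which a split on '"' would not."""
    out, pos = [], 0
    while True:
        m = PHP_STR.search(blob, pos)
        if not m:
            return out
        n, start = int(m.group(1)), m.end()
        out.append(blob[start:start + n])
        pos = start + n + 2  # skip the closing quote and ';'


def session_field(blob: bytes, key: bytes):
    """Value stored under `key` in a serialized array, or None."""
    strings = php_strings(blob)
    for i in range(len(strings) - 1):
        if strings[i] == key:
            return strings[i + 1]
    return None


def looks_like_php(value: str) -> bool:
    """True if a form value base64-decodes to something that reads as PHP."""
    try:
        decoded = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return b"<?php" in decoded or b"eval(" in decoded


def fingerprints_target(headers: dict, body: str) -> bool:
    """Response-side check for the device profile the public exploit targets."""
    return (headers.get("X-Powered-By") == "PHP/5.2.13"
            and headers.get("Server") == "lighttpd/1.4.28"
            and "Login to BlackArmor" in body)


def classify(req: dict) -> list:
    """Detection labels that fire for one pre-parsed request."""
    hits = []
    cookie = req.get("cookies", {}).get("ci_session")
    if cookie is not None:
        lang = session_field(cookie, b"language")
        if lang is not None and b"../" in lang and b"\x00" in lang:
            hits.append("ci_session language LFI")
    form = parse_qs(req.get("body", ""), keep_blank_values=True)
    if req["method"] == "POST" and req["path"] == SETUP_PATH:
        for setup in form.get("general_setup", []):
            if "eval" in setup and "base64_decode" in setup:
                hits.append("stager write via general_setup")
    if (req["method"] == "POST" and req["path"] in LOGIN_PATHS
            and cookie is not None
            and any(looks_like_php(v) for vs in form.values() for v in vs)):
        hits.append("stager execution via login POST")
    return hits


# Constructed samples. The ci_session value is shown already decrypted.
LFI_COOKIE = (b'a:2:{s:10:"session_id";s:3:"abc";'
              b's:8:"language";s:23:"../../../../tmp/stager\x00";}')
STAGER_B64 = base64.b64encode(b'<?php system($_GET["c"]); ?>').decode()
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/index.php", "cookies": {}, "body": ""},
    {"method": "GET", "path": "/index.php",
     "cookies": {"ci_session": LFI_COOKIE}, "body": ""},
    {"method": "POST", "path": SETUP_PATH, "cookies": {},
     "body": "general_setup=" + quote(
         '<desc><?php eval(base64_decode("...")); ?></desc>', safe="")},
    {"method": "POST", "path": "/index.php",
     "cookies": {"ci_session": LFI_COOKIE},
     "body": "code=" + quote(STAGER_B64, safe="")},
]


def scan(requests=SAMPLE_REQUESTS) -> dict:
    """Map request index to the labels that fired (quiet requests dropped)."""
    return {i: h for i, r in enumerate(requests) if (h := classify(r))}


if __name__ == "__main__":
    for i, labels in scan().items():
        print(i, labels)
```

The serialized-string walker reads each value by its declared length rather than splitting on quotes; that matters here because the traversal value ends in a NUL byte, and a naive tokenizer would either stop early or miss it. The stager-write rule is the easiest to deploy in practice since it needs neither the cookie key nor decoding, only the path and two substrings in the form body.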
CVSS provenance
NVD v3.0: 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
GHSA
CodeIgniter and Kohana vulnerable to PHP Object Injection
ghsa · 2022-05-17 · CVE-2014-8684 [CRITICAL]
CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes.
OSV
CodeIgniter and Kohana vulnerable to PHP Object Injection
osv · 2022-05-17 · CVE-2014-8684 [CRITICAL]
CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes.
No detection rules found.
Exploit-DB
Seagate Business NAS - Remote Command Execution (Metasploit)
exploitdb · 2015-03-04 · listed under CVE-2014-8686
---

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rexml/document'

class MetasploitModule < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Seagate Business NAS Unauthenticated Remote Command Execution',
      'Description' => %q{
        Some Seagate Business NAS devices are vulnerable to command execution via a local
        file include vulnerability hidden in the language parameter of the CodeIgniter
        session cookie. The vulnerability manifests in the way the language files are
        included in the code on the login page, and hence is open to attack from users
        without the need for authentication. The cookie can be easily decrypted using a
        known static encryption key and re-encrypted once the PHP object string has been
        modified. This module has been tested on the STBN300 device.
      }
      # Author, References, Targets and the check/exploit methods are not part
      # of this Exploit-DB excerpt.
    ))
  end
end
```
Metasploit
Seagate Business NAS Unauthenticated Remote Command Execution
metasploit
Some Seagate Business NAS devices are vulnerable to command execution via a local file include vulnerability hidden in the language parameter of the CodeIgniter session cookie. The vulnerability manifests in the way the language files are included in the code on the login page, and hence is open to attack from users without the need for authentication. The cookie can be easily decrypted using a known static encryption key and re-encrypted once the PHP object string has been modified. This module has been tested on the STBN300 device.
Bugzilla
CVE-2014-8684 php-Kohana: Timing attack and PHP object injection
bugzilla · 2017-09-20 · CVSS 9.8 · CVE-2014-8684 [CRITICAL]
Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes.
References:
http://seclists.org/fulldisclosure/2014/May/54
Upstream patch:
https://github.com/kohana/core/commit/66b409a6da2960130888989534ff1799532b8f32
Discussion:
Created php-Kohana tracking bugs for this issue:
Affects: epel-6 [bug 1487598]
Affects: fedora-all [bug 1487599]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for s
Bugzilla
CVE-2014-8684 CVE-2016-10510 php-Kohana: various flaws [fedora-all]
bugzilla · 2017-09-01 · CVSS 9.8 · CVE-2014-8684 [CRITICAL]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora
Bugzilla
CVE-2014-8684 CVE-2016-10510 php-Kohana: various flaws [epel-6]
bugzilla · 2017-09-01 · CVSS 9.8 · CVE-2014-8684 [CRITICAL]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-6.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following template for the 'fedpkg update' req
References:
- http://packetstormsecurity.com/files/130609/Seagate-Business-NAS-Unauthenticated-Remote-Command-Execution.html
- http://seclists.org/fulldisclosure/2014/May/54
- https://github.com/kohana/core/pull/492
- https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-injection