CVE-2014-8684
published 2017-09-19


Priority: P273 critical
CVSS 3.0: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 71.52% (99.3th percentile)
CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make it easier for remote attackers to spoof session cookies and consequently conduct PHP object injection attacks by leveraging use of standard string comparison operators to compare cryptographic hashes.

Affected (6 ranges)

Vendor        Product       Version range     Fixed in
codeigniter   codeigniter   <= 2.2.6          -
codeigniter   framework     >= 0 < 3.0.0      3.0.0
kohana        core          >= 0 < 3.3.3      3.3.3
kohana        framework     kohana            -
kohana        framework     kohana            -
kohana        framework     kohana            -

Detection & IOCs (extracted from sources)

cookie: ci_session
path: ../../../etc/devicedesc
url: /index.php/mv_system/get_general_setup
url: /index.php/mv_system/set_general_setup
  • Detect exploitation attempts by looking for HTTP responses containing both 'X-Powered-By: PHP/5.2.13' and 'Server: lighttpd/1.4.28' headers combined with a body containing 'Login to BlackArmor' — this fingerprints the vulnerable Seagate NAS target.
  • Monitor for requests to the login page carrying a 'ci_session' cookie whose decoded/decrypted PHP object contains a 'language' parameter with path traversal sequences (e.g., '../') and a null byte, indicating LFI exploitation via the CodeIgniter session cookie.
  • Alert on POST requests to the login page that include both a 'ci_session' cookie and a POST body parameter whose value is a base64-encoded PHP payload — this is the stager execution step of the exploit.
  • Detect POST requests to '/index.php/mv_system/set_general_setup' with a 'general_setup' parameter containing XML with embedded PHP eval/base64_decode payloads, indicating the attacker is writing a stager to disk via the device description field.
  • The exploit uses a known static XOR key ('0f0a000d02011f0248000d290d0b0b0e03010e07') to encrypt/decrypt CodeIgniter session cookies. Detecting this key in network traffic or cookie values can identify exploitation of CVE-2014-8684/CVE-2014-8687.
  • The exploit targets a specific Seagate Business NAS device (STBN300) running PHP/5.2.13 and lighttpd/1.4.28. The static XOR key and cookie name ('ci_session') are hardcoded defaults for this device; other CodeIgniter deployments may use different keys.
  • The vulnerability is exploitable without authentication, as it manifests in the language file inclusion on the login page before any user session is established.
  • The CVE also affects CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2, not just Seagate NAS devices. The timing/hash comparison weakness is the root cause enabling session cookie spoofing and PHP object injection.
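As an added example (not code from the page's sources or from the CodeIgniter/Kohana projects), the detection notes above turned into a small classifier run over constructed request records. It assumes requests are already parsed into a dict with hypothetical fields (method, path, cookies, params), and that the ci_session cookie has been decrypted where the deployment encrypts it; the rule names are likewise hypothetical.

```python
import base64
import re
from urllib.parse import unquote

# Indicators from the list above; rule and field names are hypothetical.
STAGER_WRITE_PATH = "/index.php/mv_system/set_general_setup"
# Serialized PHP 'language' string holding a traversal sequence and a null byte.
LANG_TRAVERSAL = re.compile(r'"language";s:\d+:"[^"]*\.\./[^"]*\x00')
PHP_MARKERS = (b"<?php", b"eval(", b"base64_decode(")

def _b64_carries_php(value):
    """True if value is valid base64 whose decoding contains PHP markers."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return False
    return any(marker in raw for marker in PHP_MARKERS)

def classify_request(req):
    """Return the rule names a request triggers (empty list if none).
    req = {"method", "path", "cookies": {...}, "params": {...}}; the cookie is
    expected to be already decrypted if the deployment encrypts sessions."""
    hits = []
    cookie = unquote(req["cookies"].get("ci_session", ""))
    is_post = req["method"] == "POST"
    if LANG_TRAVERSAL.search(cookie):
        hits.append("lfi_via_ci_session_language")
    if is_post and req["path"] == STAGER_WRITE_PATH:
        setup = req["params"].get("general_setup", "")
        if "eval" in setup and "base64_decode" in setup:
            hits.append("stager_written_via_general_setup")
    if is_post and cookie and "login" in req["path"]:
        if any(_b64_carries_php(v) for v in req["params"].values()):
            hits.append("stager_executed_via_login_post")
    return hits

# Constructed sample requests (not captured traffic).
BENIGN_COOKIE = 'a:1:{s:8:"language";s:7:"english";}'
SAMPLES = [
    {"method": "GET", "path": "/index.php/login",
     "cookies": {"ci_session": BENIGN_COOKIE}, "params": {}},
    {"method": "GET", "path": "/index.php/login", "params": {},
     "cookies": {"ci_session": 'a:1:{s:8:"language";s:24:"../../../etc/devicedesc\x00";}'}},
    {"method": "POST", "path": STAGER_WRITE_PATH, "cookies": {},
     "params": {"general_setup": "<desc>eval(base64_decode('...'))</desc>"}},
    {"method": "POST", "path": "/index.php/login",
     "cookies": {"ci_session": BENIGN_COOKIE},
     "params": {"c": base64.b64encode(b"<?php echo 'x'; ?>").decode()}},
]
```

The first sample is clean and the other three each trigger exactly one rule; the classifier deliberately does not decrypt cookies itself, so feed it the plaintext your proxy or WAF already recovers.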

CVSS provenance

NVD v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)